Skip to content

fix: prevent .env secret leakage into containers#419

Closed
roeeho-tr wants to merge 1 commit intoqwibitai:mainfrom
roeeho-tr:fix/prevent-env-secret-leakage
Closed

fix: prevent .env secret leakage into containers#419
roeeho-tr wants to merge 1 commit intoqwibitai:mainfrom
roeeho-tr:fix/prevent-env-secret-leakage

Conversation

@roeeho-tr
Copy link
Copy Markdown

@roeeho-tr roeeho-tr commented Feb 23, 2026

Summary

  • Mask .env file inside the main group container by mounting /dev/null over /workspace/project/.env. Despite secrets being delivered via stdin and sanitized from environment variables by the Bash hook, the project-root bind mount exposed the .env file directly — allowing the agent to read API keys with a simple cat /workspace/project/.env.
  • Wrap JSON.parse(container_config) in db.ts with try/catch to prevent a persistent crash loop if the SQLite database contains corrupt JSON. Without this, a single corrupted row causes getAllRegisteredGroups() / getRegisteredGroup() to throw on every startup attempt with no recovery path.

Details

Secret leakage via mounted .env (HIGH severity)

The existing secret protection architecture is thorough:

  1. Secrets passed via stdin only (container.stdin.write)
  2. Deleted from input after delivery (delete input.secrets)
  3. Bash hook unsets secret env vars before every command (createSanitizeBashHook)

However, buildVolumeMounts() bind-mounts the entire project root read-only at /workspace/project, which includes .env. Since the agent runs with permissionMode: 'bypassPermissions', it can read the file directly, completely bypassing all three protections above.

Fix: Mount /dev/null over /workspace/project/.env inside the container. Docker's mount overlay behavior ensures the more specific file mount takes precedence, replacing .env with empty content.

Unguarded JSON.parse crash loop (MEDIUM severity)

getAllRegisteredGroups() and getRegisteredGroup() in db.ts call JSON.parse(row.container_config) without error handling. If the SQLite DB is corrupted (power failure, disk error), a single bad row causes an unhandled exception during loadState() at startup — creating a persistent crash loop.

Fix: Wrap in try/catch, log a warning, and skip/return undefined for corrupt rows.

Test plan

  • Verify main container cannot read .env contents (cat /workspace/project/.env should return empty)
  • Verify secrets are still delivered correctly via stdin (agent can authenticate)
  • Verify startup succeeds with a corrupted container_config row in SQLite
  • Run npx tsc --noEmit — passes cleanly

🤖 Generated with Claude Code

@roeeho-tr @claude
fix: prevent .env secret leakage into containers and harden JSON pars…
ac50027 
…ing in db

Mask the .env file inside the main group container by mounting /dev/null
over it. Despite secrets being delivered via stdin and sanitized from env
vars, the project-root bind mount exposed .env to the agent — allowing a
simple `cat /workspace/project/.env` to read API keys.

Also wrap JSON.parse(container_config) in db.ts with try/catch to prevent
a persistent crash loop if the SQLite database contains corrupt JSON.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@roeeho-tr roeeho-tr requested a review from gavrielc as a code owner February 23, 2026 12:34
This was referenced Feb 23, 2026
Merged
Closed
@roeeho-tr roeeho-tr closed this Mar 2, 2026
@roeeho-tr roeeho-tr deleted the fix/prevent-env-secret-leakage branch March 2, 2026 19:13
This was referenced Mar 3, 2026
Closed
Open
Closed
Closed
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gavrielc gavrielc Awaiting requested review from gavrielc gavrielc is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@roeeho-tr