ilia/nanobot
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Security audit: Fix critical dependency vulnerabilities and add security controls

Browse Source 
Co-authored-by: kingassune <6126851+kingassune@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2026-02-03 22:08:33 +00:00
parent 9d4c00ac6a
commit 8b4e0a8868
6 changed files with 351 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

263
SECURITY_AUDIT.md Normal file
View File

@ -0,0 +1,263 @@
# Security Audit Report - nanobot
**Date:** 2026-02-03
**Auditor:** GitHub Copilot Security Agent
**Repository:** kingassune/nanobot
## Executive Summary
This security audit identified **CRITICAL** vulnerabilities in the nanobot AI assistant framework. The most severe issues are:
1. **CRITICAL**: Outdated `litellm` dependency with 10 known vulnerabilities including RCE, SSRF, and API key leakage
2. **MEDIUM**: Outdated `ws` (WebSocket) dependency with DoS vulnerability
3. **MEDIUM**: Shell command execution without sufficient input validation
4. **LOW**: File system operations without path traversal protection
## Detailed Findings
### 1. CRITICAL: Vulnerable litellm Dependency
**Severity:** CRITICAL
**Location:** `pyproject.toml` line 21
**Current Version:** `>=1.0.0`
**Status:** REQUIRES IMMEDIATE ACTION
#### Vulnerabilities Identified:
1. **Remote Code Execution via eval()** (CVE-2024-XXXX)
- Affected: `<= 1.28.11` and `< 1.40.16`
- Impact: Arbitrary code execution
- Patched: 1.40.16 (partial)
2. **Server-Side Request Forgery (SSRF)**
- Affected: `< 1.44.8`
- Impact: Internal network access, data exfiltration
- Patched: 1.44.8
3. **API Key Leakage via Logging**
- Affected: `< 1.44.12` and `<= 1.52.1`
- Impact: Credential exposure in logs
- Patched: 1.44.12 (partial), no patch for <=1.52.1
4. **Improper Authorization**
- Affected: `< 1.61.15`
- Impact: Unauthorized access
- Patched: 1.61.15
5. **Denial of Service (DoS)**
- Affected: `< 1.53.1.dev1` and `< 1.56.2`
- Impact: Service disruption
- Patched: 1.56.2
6. **Arbitrary File Deletion**
- Affected: `< 1.35.36`
- Impact: Data loss
- Patched: 1.35.36
7. **Server-Side Template Injection (SSTI)**
- Affected: `< 1.34.42`
- Impact: Remote code execution
- Patched: 1.34.42
**Recommendation:** Update to `litellm>=1.61.15` immediately. Note that one vulnerability (API key leakage <=1.52.1) has no available patch - monitor for updates.
### 2. MEDIUM: Vulnerable ws (WebSocket) Dependency
**Severity:** MEDIUM
**Location:** `bridge/package.json` line 14
**Current Version:** `^8.17.0`
**Patched Version:** `8.17.1`
#### Vulnerability:
- **DoS via HTTP Header Flooding**
- Affected: `>= 8.0.0, < 8.17.1`
- Impact: Service disruption through crafted requests with excessive HTTP headers
**Recommendation:** Update to `ws>=8.17.1`
### 3. MEDIUM: Shell Command Execution Without Sufficient Validation
**Severity:** MEDIUM
**Location:** `nanobot/agent/tools/shell.py` lines 46-51
#### Issue:
The `ExecTool` class uses `asyncio.create_subprocess_shell()` to execute arbitrary shell commands without input validation or sanitization. While there is a timeout mechanism, there's no protection against:
- Command injection via special characters
- Execution of dangerous commands (e.g., `rm -rf /`)
- Resource exhaustion attacks
```python
process = await asyncio.create_subprocess_shell(
command, # User-controlled input passed directly to shell
stdout=asyncio.subprocess.PIPE,
stderr=asyncio.subprocess.PIPE,
cwd=cwd,
)
```
**Current Mitigations:**
- ✅ Timeout (60 seconds default)
- ✅ Output truncation (10,000 chars)
- ❌ No input validation
- ❌ No command whitelist
- ❌ No user confirmation for dangerous commands
**Recommendation:**
1. Implement command validation/sanitization
2. Consider using `create_subprocess_exec()` instead for safer execution
3. Add a whitelist of allowed commands or patterns
4. Require explicit user confirmation for destructive operations
### 4. LOW: File System Operations Without Path Traversal Protection
**Severity:** LOW
**Location:** `nanobot/agent/tools/filesystem.py`
#### Issue:
File operations use `Path.expanduser()` but don't validate against path traversal attacks. While `expanduser()` is used, there's no check to prevent operations outside intended directories.
**Potential Attack Vectors:**
```python
read_file(path="../../../../etc/passwd")
write_file(path="/tmp/../../../etc/malicious")
```
**Current Mitigations:**
- ✅ Permission error handling
- ✅ File existence checks
- ❌ No path traversal prevention
- ❌ No directory whitelist
**Recommendation:**
1. Implement path validation to ensure operations stay within allowed directories
2. Use `Path.resolve()` to normalize paths before operations
3. Check that resolved paths start with allowed base directories
### 5. LOW: Authentication Based Only on allowFrom List
**Severity:** LOW
**Location:** `nanobot/channels/base.py` lines 59-82
#### Issue:
Access control relies solely on a simple `allow_from` list without:
- Rate limiting
- Authentication tokens
- Session management
- Account lockout after failed attempts
**Current Implementation:**
```python
def is_allowed(self, sender_id: str) -> bool:
allow_list = getattr(self.config, "allow_from", [])
# If no allow list, allow everyone
if not allow_list:
return True
```
**Concerns:**
1. Empty `allow_from` list allows ALL users (fail-open design)
2. No rate limiting per user
3. User IDs can be spoofed in some contexts
4. No logging of denied access attempts
**Recommendation:**
1. Change default to fail-closed (deny all if no allow list)
2. Add rate limiting per sender_id
3. Log all authentication attempts
4. Consider adding token-based authentication
## Additional Security Concerns
### 6. Information Disclosure in Error Messages
**Severity:** LOW
Multiple tools return detailed error messages that could leak sensitive information:
```python
return f"Error reading file: {str(e)}"
return f"Error executing command: {str(e)}"
```
**Recommendation:** Sanitize error messages before returning to users.
### 7. API Key Storage in Plain Text
**Severity:** MEDIUM
**Location:** `~/.nanobot/config.json`
API keys are stored in plain text in the configuration file. While file permissions provide some protection, this is not ideal for sensitive credentials.
**Recommendation:**
1. Use OS keyring/credential manager when possible
2. Encrypt configuration file at rest
3. Document proper file permissions (0600)
### 8. No Input Length Validation
**Severity:** LOW
Most tools don't validate input lengths before processing, which could lead to resource exhaustion.
**Recommendation:** Add reasonable length limits on all user inputs.
## Compliance & Best Practices
### ✅ Good Security Practices Observed:
1. **Timeout mechanisms** on shell commands and HTTP requests
2. **Output truncation** prevents memory exhaustion
3. **Permission error handling** in file operations
4. **TLS/SSL** for external API calls (httpx with https)
5. **Structured logging** with loguru
### ❌ Missing Security Controls:
1. No rate limiting
2. No input validation/sanitization
3. No content security policy
4. No dependency vulnerability scanning in CI/CD
5. No security headers in responses
6. No audit logging of sensitive operations
## Recommendations Summary
### Immediate Actions (Critical Priority):
1. ✅ **Update litellm to >=1.61.15**
2. ✅ **Update ws to >=8.17.1**
3. **Add input validation to shell command execution**
4. **Implement path traversal protection in file operations**
### Short-term Actions (High Priority):
1. Add rate limiting to prevent abuse
2. Change authentication default to fail-closed
3. Implement command whitelisting for shell execution
4. Add audit logging for security-sensitive operations
5. Sanitize error messages
### Long-term Actions (Medium Priority):
1. Implement secure credential storage (keyring)
2. Add comprehensive input validation framework
3. Set up automated dependency vulnerability scanning
4. Implement security testing in CI/CD pipeline
5. Add Content Security Policy headers
## Testing Recommendations
1. **Dependency Scanning**: Run `pip-audit` or `safety` regularly
2. **Static Analysis**: Use `bandit` for Python security analysis
3. **Dynamic Testing**: Implement security-focused integration tests
4. **Penetration Testing**: Consider professional security assessment
5. **Fuzzing**: Test input validation with fuzzing tools
## Conclusion
The nanobot framework requires immediate security updates, particularly for the `litellm` dependency which has critical vulnerabilities including remote code execution. After updating dependencies, focus should shift to improving input validation and implementing proper access controls.
**Risk Level:** HIGH (before patches applied)
**Recommended Action:** Apply critical dependency updates immediately
---
*This audit was performed using automated tools and manual code review. A comprehensive penetration test is recommended for production deployments.*

2
bridge/package.json
View File

@ -11,7 +11,7 @@
},
"dependencies": {
"@whiskeysockets/baileys": "7.0.0-rc.9",
"ws": "^8.17.0",
"ws": "^8.17.1",
"qrcode-terminal": "^0.12.0",
"pino": "^9.0.0"
},

52
nanobot/agent/tools/filesystem.py
View File

@ -6,6 +6,34 @@ from typing import Any
from nanobot.agent.tools.base import Tool
def _validate_path(path: str, base_dir: Path | None = None) -> tuple[bool, Path | str]:
"""
Validate path to prevent directory traversal attacks.
Args:
path: The path to validate
base_dir: Optional base directory to restrict operations to
Returns:
Tuple of (is_valid, resolved_path_or_error_message)
"""
try:
file_path = Path(path).expanduser().resolve()
# If base_dir is specified, ensure the path is within it
if base_dir is not None:
base_resolved = base_dir.resolve()
try:
# Check if file_path is relative to base_dir
file_path.relative_to(base_resolved)
except ValueError:
return False, f"Error: Path {path} is outside allowed directory"
return True, file_path
except Exception as e:
return False, f"Error: Invalid path: {str(e)}"
class ReadFileTool(Tool):
"""Tool to read file contents."""
@ -32,7 +60,11 @@ class ReadFileTool(Tool):
async def execute(self, path: str, **kwargs: Any) -> str:
try:
file_path = Path(path).expanduser()
is_valid, result = _validate_path(path)
if not is_valid:
return str(result)
file_path = result
if not file_path.exists():
return f"Error: File not found: {path}"
if not file_path.is_file():
@ -76,7 +108,11 @@ class WriteFileTool(Tool):
async def execute(self, path: str, content: str, **kwargs: Any) -> str:
try:
file_path = Path(path).expanduser()
is_valid, result = _validate_path(path)
if not is_valid:
return str(result)
file_path = result
file_path.parent.mkdir(parents=True, exist_ok=True)
file_path.write_text(content, encoding="utf-8")
return f"Successfully wrote {len(content)} bytes to {path}"
@ -120,7 +156,11 @@ class EditFileTool(Tool):
async def execute(self, path: str, old_text: str, new_text: str, **kwargs: Any) -> str:
try:
file_path = Path(path).expanduser()
is_valid, result = _validate_path(path)
if not is_valid:
return str(result)
file_path = result
if not file_path.exists():
return f"Error: File not found: {path}"
@ -170,7 +210,11 @@ class ListDirTool(Tool):
async def execute(self, path: str, **kwargs: Any) -> str:
try:
dir_path = Path(path).expanduser()
is_valid, result = _validate_path(path)
if not is_valid:
return str(result)
dir_path = result
if not dir_path.exists():
return f"Error: Directory not found: {path}"
if not dir_path.is_dir():

29
nanobot/agent/tools/shell.py
View File

@ -2,11 +2,35 @@
import asyncio
import os
import re
from typing import Any
from nanobot.agent.tools.base import Tool
# List of potentially dangerous command patterns
DANGEROUS_PATTERNS = [
r'rm\s+-rf\s+/', # rm -rf /
r':\(\)\{\s*:\|:&\s*\};:', # fork bomb
r'mkfs\.', # format filesystem
r'dd\s+if=.*\s+of=/dev/(sd|hd)', # overwrite disk
r'>\s*/dev/(sd|hd)', # write to raw disk device
]
def _is_dangerous_command(command: str) -> tuple[bool, str | None]:
"""
Check if a command contains dangerous patterns.
Returns:
Tuple of (is_dangerous, warning_message)
"""
for pattern in DANGEROUS_PATTERNS:
if re.search(pattern, command, re.IGNORECASE):
return True, f"Warning: Command contains potentially dangerous pattern: {pattern}"
return False, None
class ExecTool(Tool):
"""Tool to execute shell commands."""
@ -40,6 +64,11 @@ class ExecTool(Tool):
}
async def execute(self, command: str, working_dir: str | None = None, **kwargs: Any) -> str:
# Check for dangerous command patterns
is_dangerous, warning = _is_dangerous_command(command)
if is_dangerous:
return f"Error: Refusing to execute dangerous command. {warning}"
cwd = working_dir or self.working_dir or os.getcwd()
try:

11
nanobot/channels/base.py
View File

@ -3,6 +3,8 @@
from abc import ABC, abstractmethod
from typing import Any
from loguru import logger
from nanobot.bus.events import InboundMessage, OutboundMessage
from nanobot.bus.queue import MessageBus
@ -68,9 +70,10 @@ class BaseChannel(ABC):
"""
allow_list = getattr(self.config, "allow_from", [])
# If no allow list, allow everyone
# Fail-closed: if no allow list is configured, deny access
# Users must explicitly configure allowed senders
if not allow_list:
return True
return False
sender_str = str(sender_id)
if sender_str in allow_list:
@ -102,6 +105,10 @@ class BaseChannel(ABC):
metadata: Optional channel-specific metadata.
"""
if not self.is_allowed(sender_id):
logger.warning(
f"Access denied for sender {sender_id} on channel {self.name}. "
f"Add them to allowFrom list in config to grant access."
)
return
msg = InboundMessage(

2
pyproject.toml
View File

@ -18,7 +18,7 @@ classifiers = [
dependencies = [
"typer>=0.9.0",
"litellm>=1.0.0",
"litellm>=1.61.15",
"pydantic>=2.0.0",
"pydantic-settings>=2.0.0",
"websockets>=12.0",