ilia/nanobot
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
nanobot/SECURITY_AUDIT.md
copilot-swe-agent[bot] 8b4e0a8868 Security audit: Fix critical dependency vulnerabilities and add security controls 
Co-authored-by: kingassune <6126851+kingassune@users.noreply.github.com>
2026-02-03 22:08:33 +00:00

264 lines
8.5 KiB
Markdown
Raw Blame History

# Security Audit Report - nanobot
**Date:** 2026-02-03
**Auditor:** GitHub Copilot Security Agent
**Repository:** kingassune/nanobot
## Executive Summary
This security audit identified **CRITICAL** vulnerabilities in the nanobot AI assistant framework. The most severe issues are:
1. **CRITICAL**: Outdated `litellm` dependency with 10 known vulnerabilities including RCE, SSRF, and API key leakage
2. **MEDIUM**: Outdated `ws` (WebSocket) dependency with DoS vulnerability
3. **MEDIUM**: Shell command execution without sufficient input validation
4. **LOW**: File system operations without path traversal protection
## Detailed Findings
### 1. CRITICAL: Vulnerable litellm Dependency
**Severity:** CRITICAL
**Location:** `pyproject.toml` line 21
**Current Version:** `>=1.0.0`
**Status:** REQUIRES IMMEDIATE ACTION
#### Vulnerabilities Identified:
1. **Remote Code Execution via eval()** (CVE-2024-XXXX)
- Affected: `<= 1.28.11` and `< 1.40.16`
- Impact: Arbitrary code execution
- Patched: 1.40.16 (partial)
2. **Server-Side Request Forgery (SSRF)**
- Affected: `< 1.44.8`
- Impact: Internal network access, data exfiltration
- Patched: 1.44.8
3. **API Key Leakage via Logging**
- Affected: `< 1.44.12` and `<= 1.52.1`
- Impact: Credential exposure in logs
- Patched: 1.44.12 (partial), no patch for <=1.52.1
4. **Improper Authorization**
- Affected: `< 1.61.15`
- Impact: Unauthorized access
- Patched: 1.61.15
5. **Denial of Service (DoS)**
- Affected: `< 1.53.1.dev1` and `< 1.56.2`
- Impact: Service disruption
- Patched: 1.56.2
6. **Arbitrary File Deletion**
- Affected: `< 1.35.36`
- Impact: Data loss
- Patched: 1.35.36
7. **Server-Side Template Injection (SSTI)**
- Affected: `< 1.34.42`
- Impact: Remote code execution
- Patched: 1.34.42
**Recommendation:** Update to `litellm>=1.61.15` immediately. Note that one vulnerability (API key leakage <=1.52.1) has no available patch - monitor for updates.
### 2. MEDIUM: Vulnerable ws (WebSocket) Dependency
**Severity:** MEDIUM
**Location:** `bridge/package.json` line 14
**Current Version:** `^8.17.0`
**Patched Version:** `8.17.1`
#### Vulnerability:
- **DoS via HTTP Header Flooding**
- Affected: `>= 8.0.0, < 8.17.1`
- Impact: Service disruption through crafted requests with excessive HTTP headers
**Recommendation:** Update to `ws>=8.17.1`
### 3. MEDIUM: Shell Command Execution Without Sufficient Validation
**Severity:** MEDIUM
**Location:** `nanobot/agent/tools/shell.py` lines 46-51
#### Issue:
The `ExecTool` class uses `asyncio.create_subprocess_shell()` to execute arbitrary shell commands without input validation or sanitization. While there is a timeout mechanism, there's no protection against:
- Command injection via special characters
- Execution of dangerous commands (e.g., `rm -rf /`)
- Resource exhaustion attacks
```python
process = await asyncio.create_subprocess_shell(
command, # User-controlled input passed directly to shell
stdout=asyncio.subprocess.PIPE,
stderr=asyncio.subprocess.PIPE,
cwd=cwd,
)
```
**Current Mitigations:**
- ✅ Timeout (60 seconds default)
- ✅ Output truncation (10,000 chars)
- ❌ No input validation
- ❌ No command whitelist
- ❌ No user confirmation for dangerous commands
**Recommendation:**
1. Implement command validation/sanitization
2. Consider using `create_subprocess_exec()` instead for safer execution
3. Add a whitelist of allowed commands or patterns
4. Require explicit user confirmation for destructive operations
### 4. LOW: File System Operations Without Path Traversal Protection
**Severity:** LOW
**Location:** `nanobot/agent/tools/filesystem.py`
#### Issue:
File operations use `Path.expanduser()` but don't validate against path traversal attacks. While `expanduser()` is used, there's no check to prevent operations outside intended directories.
**Potential Attack Vectors:**
```python
read_file(path="../../../../etc/passwd")
write_file(path="/tmp/../../../etc/malicious")
```
**Current Mitigations:**
- ✅ Permission error handling
- ✅ File existence checks
- ❌ No path traversal prevention
- ❌ No directory whitelist
**Recommendation:**
1. Implement path validation to ensure operations stay within allowed directories
2. Use `Path.resolve()` to normalize paths before operations
3. Check that resolved paths start with allowed base directories
### 5. LOW: Authentication Based Only on allowFrom List
**Severity:** LOW
**Location:** `nanobot/channels/base.py` lines 59-82
#### Issue:
Access control relies solely on a simple `allow_from` list without:
- Rate limiting
- Authentication tokens
- Session management
- Account lockout after failed attempts
**Current Implementation:**
```python
def is_allowed(self, sender_id: str) -> bool:
allow_list = getattr(self.config, "allow_from", [])
# If no allow list, allow everyone
if not allow_list:
return True
```
**Concerns:**
1. Empty `allow_from` list allows ALL users (fail-open design)
2. No rate limiting per user
3. User IDs can be spoofed in some contexts
4. No logging of denied access attempts
**Recommendation:**
1. Change default to fail-closed (deny all if no allow list)
2. Add rate limiting per sender_id
3. Log all authentication attempts
4. Consider adding token-based authentication
## Additional Security Concerns
### 6. Information Disclosure in Error Messages
**Severity:** LOW
Multiple tools return detailed error messages that could leak sensitive information:
```python
return f"Error reading file: {str(e)}"
return f"Error executing command: {str(e)}"
```
**Recommendation:** Sanitize error messages before returning to users.
### 7. API Key Storage in Plain Text
**Severity:** MEDIUM
**Location:** `~/.nanobot/config.json`
API keys are stored in plain text in the configuration file. While file permissions provide some protection, this is not ideal for sensitive credentials.
**Recommendation:**
1. Use OS keyring/credential manager when possible
2. Encrypt configuration file at rest
3. Document proper file permissions (0600)
### 8. No Input Length Validation
**Severity:** LOW
Most tools don't validate input lengths before processing, which could lead to resource exhaustion.
**Recommendation:** Add reasonable length limits on all user inputs.
## Compliance & Best Practices
### ✅ Good Security Practices Observed:
1. **Timeout mechanisms** on shell commands and HTTP requests
2. **Output truncation** prevents memory exhaustion
3. **Permission error handling** in file operations
4. **TLS/SSL** for external API calls (httpx with https)
5. **Structured logging** with loguru
### ❌ Missing Security Controls:
1. No rate limiting
2. No input validation/sanitization
3. No content security policy
4. No dependency vulnerability scanning in CI/CD
5. No security headers in responses
6. No audit logging of sensitive operations
## Recommendations Summary
### Immediate Actions (Critical Priority):
1.**Update litellm to >=1.61.15**
2.**Update ws to >=8.17.1**
3. **Add input validation to shell command execution**
4. **Implement path traversal protection in file operations**
### Short-term Actions (High Priority):
1. Add rate limiting to prevent abuse
2. Change authentication default to fail-closed
3. Implement command whitelisting for shell execution
4. Add audit logging for security-sensitive operations
5. Sanitize error messages
### Long-term Actions (Medium Priority):
1. Implement secure credential storage (keyring)
2. Add comprehensive input validation framework
3. Set up automated dependency vulnerability scanning
4. Implement security testing in CI/CD pipeline
5. Add Content Security Policy headers
## Testing Recommendations
1. **Dependency Scanning**: Run `pip-audit` or `safety` regularly
2. **Static Analysis**: Use `bandit` for Python security analysis
3. **Dynamic Testing**: Implement security-focused integration tests
4. **Penetration Testing**: Consider professional security assessment
5. **Fuzzing**: Test input validation with fuzzing tools
## Conclusion
The nanobot framework requires immediate security updates, particularly for the `litellm` dependency which has critical vulnerabilities including remote code execution. After updating dependencies, focus should shift to improving input validation and implementing proper access controls.
**Risk Level:** HIGH (before patches applied)
**Recommended Action:** Apply critical dependency updates immediately
---
*This audit was performed using automated tools and manual code review. A comprehensive penetration test is recommended for production deployments.*
Reference in New Issue View Git Blame Copy Permalink