Architecture: hero_aibroker_services Python execution sandbox has no isolation #117

Open
opened 2026-05-11 23:08:58 +00:00 by thabeta · 0 comments

Severity: Critical

Location

crates/hero_aibroker_services/src/services/hero/executor.rs (PythonExecutor)

Finding

The Python executor runs arbitrary scripts with minimal safeguards:

pub async fn execute(&self, script: &str) -> Result<ExecutionResult> {
    // Write script to a temp file
    let script_path = self.base_dir.join("scripts/current_script.py");
    tokio::fs::write(&script_path, script).await?;

    let output = tokio::time::timeout(
        std::time::Duration::from_secs(self.max_execution_secs),
        Command::new(&python_path)
            .arg(&script_path)
            .current_dir(self.base_dir.join("scripts"))
            .output(),
    ).await??;
    // ...
}
  • No seccomp or AppArmor profiles
  • No network namespace isolation
  • No filesystem sandbox (script can access entire host filesystem)
  • No resource limits (memory, CPU, file descriptors)
  • Script is written to a predictable path (current_script.py)
  • No capability dropping
  • Environment inherits all broker environment variables

Attack Scenario

  • An LLM generates a script that reads /etc/passwd or other sensitive files
  • Script accesses other users' home directories
  • Script installs persistent backdoors
  • Script consumes all available memory/CPU
  • Script makes network requests to exfiltrate data

Recommendation

  • Use firejail, bwrap, or seccomp profiles for sandboxing
  • Network namespace isolation (no network access by default)
  • Filesystem sandbox (read-only root, writable temp dir only)
  • Resource limits via cgroups (memory, CPU, FD count)
  • Randomize script paths to prevent race conditions
  • Drop all capabilities before execution
  • Audit and whitelist allowed Python modules
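The snippet under Finding and the list under Recommendation map onto each other almost one to one, so here is the launch step rewritten with those controls applied. This is an added example, not code from the hero_aibroker project: it uses std::process instead of tokio so it runs stand-alone (the async executor would call run_sandboxed from spawn_blocking), and it assumes bubblewrap (bwrap, recent enough for --ro-bind-try and --clearenv) and util-linux prlimit are installed. prlimit stands in for the cgroup limits the recommendation asks for, since cgroup setup is host-specific; the SandboxLimits defaults are illustrative values, not tuned ones. Module whitelisting is not shown.

```rust
// Added example (not the project's code): a hardened replacement for the
// launch step in PythonExecutor::execute. Assumes bwrap and prlimit exist;
// prlimit stands in for cgroup limits, which are host-specific.
use std::fs;
use std::io::Read;
use std::path::{Path, PathBuf};
use std::process::{Command, Output, Stdio};
use std::thread::sleep;
use std::time::{Duration, Instant};

/// Per-run limits. The defaults are illustrative, not tuned values.
pub struct SandboxLimits {
    pub max_execution_secs: u64,
    pub max_address_space_bytes: u64,
    pub max_open_files: u64,
    pub max_processes: u64,
}

impl Default for SandboxLimits {
    fn default() -> Self {
        SandboxLimits {
            max_execution_secs: 30,
            max_address_space_bytes: 512 * 1024 * 1024,
            max_open_files: 64,
            max_processes: 16,
        }
    }
}

/// Unpredictable script path: 16 bytes from /dev/urandom, hex-encoded.
/// Replaces the fixed `current_script.py`, so a concurrent run or a local
/// attacker cannot pre-create or swap the file.
pub fn random_script_path(scripts_dir: &Path) -> std::io::Result<PathBuf> {
    let mut buf = [0u8; 16];
    fs::File::open("/dev/urandom")?.read_exact(&mut buf)?;
    let hex: String = buf.iter().map(|b| format!("{:02x}", b)).collect();
    Ok(scripts_dir.join(format!("script-{}.py", hex)))
}

/// Build `prlimit ... bwrap ... python3 -I /sandbox/script.py` as an argv.
/// Kept as data so the isolation flags can be reviewed and unit-tested
/// on a machine without bwrap.
pub fn sandbox_argv(script_path: &Path, limits: &SandboxLimits) -> Vec<String> {
    let s = |x: &str| x.to_string();
    vec![
        // Per-process limits: address space, open files, processes, CPU seconds.
        s("prlimit"),
        format!("--as={}", limits.max_address_space_bytes),
        format!("--nofile={}", limits.max_open_files),
        format!("--nproc={}", limits.max_processes),
        format!("--cpu={}", limits.max_execution_secs),
        s("bwrap"),
        // New user/pid/net/ipc/uts/cgroup namespaces: no network at all.
        s("--unshare-all"), s("--die-with-parent"), s("--new-session"),
        // Read-only interpreter and libraries; nothing else from the host.
        s("--ro-bind"), s("/usr"), s("/usr"),
        s("--ro-bind-try"), s("/lib"), s("/lib"),
        s("--ro-bind-try"), s("/lib64"), s("/lib64"),
        s("--ro-bind-try"), s("/bin"), s("/bin"),
        s("--proc"), s("/proc"), s("--dev"), s("/dev"),
        // The only writable location is a private tmpfs.
        s("--tmpfs"), s("/tmp"), s("--chdir"), s("/tmp"),
        // The script itself is mounted read-only at a fixed in-sandbox path.
        s("--ro-bind"), script_path.to_string_lossy().into_owned(), s("/sandbox/script.py"),
        s("--cap-drop"), s("ALL"),
        // Do not inherit the broker's environment (tokens, endpoints, ...).
        s("--clearenv"), s("--setenv"), s("PATH"), s("/usr/bin:/bin"),
        s("--setenv"), s("HOME"), s("/tmp"),
        s("--"),
        // -I: isolated mode, ignores PYTHON* variables and user site-packages.
        s("python3"), s("-I"), s("/sandbox/script.py"),
    ]
}

/// Write `script` to a random path, run it sandboxed with a wall-clock
/// timeout (CPU limits alone do not stop a sleeping script), then delete it.
pub fn run_sandboxed(scripts_dir: &Path, script: &str, limits: &SandboxLimits) -> std::io::Result<Output> {
    let path = random_script_path(scripts_dir)?;
    fs::write(&path, script)?;
    let argv = sandbox_argv(&path, limits);
    let result = (|| {
        let mut child = Command::new(&argv[0])
            .args(&argv[1..])
            .env_clear() // belt and braces: bwrap clears it as well
            .stdout(Stdio::piped())
            .stderr(Stdio::piped())
            .spawn()?;
        let deadline = Instant::now() + Duration::from_secs(limits.max_execution_secs);
        // Output is read after exit, so a script that floods stdout stalls
        // on the pipe until the deadline and is then killed.
        while child.try_wait()?.is_none() {
            if Instant::now() >= deadline {
                let _ = child.kill(); // --die-with-parent takes the sandboxed tree down too
                break;
            }
            sleep(Duration::from_millis(50));
        }
        child.wait_with_output()
    })();
    let _ = fs::remove_file(&path);
    result
}
```

Keeping the argv as data rather than chaining Command calls is deliberate: the isolation flags are the security boundary, and a unit test can check that --unshare-all, --cap-drop ALL, --clearenv and the read-only binds are all present without needing bwrap on the CI host. Only the bind list for the interpreter is host-dependent and should be derived from the python path the executor already configures.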
Reference
lhumina_code/hero_aibroker#117