Avoid exposing runtime secrets via base64 subprocesses #36

Draft: Copilot wants to merge 8 commits into main from copilot/fix-secrets-visible-in-proc-cmdline

Contributor

Copilot AI commented May 16, 2026

Runtime secrets were embedded in env.sh as base64 command substitutions, making encoded values briefly visible through /proc/[pid]/cmdline and vulnerable to set -x leakage.

  • Secret material handling
    • Writes each secret to a per-execution secrets/ file with 0600 permissions.
    • Loads secrets from files in env.sh without command substitution.

        IFS= read -r -d '' API_KEY < "/tmp/band-exec-.../secrets/API_KEY" || true
        export API_KEY

  • Input/path hardening
    • Validates secret environment variable names before writing env lines.
    • Validates generated workdir and secret file paths before interpolation.
  • Execution ID generation
    • Uses cryptographic random bytes for execution IDs.
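
The file-based load described in this comment, next to the command-substitution style it replaces, compared by what `set -x` logs. This is an added example, not code from the pull request: the helper names, the identifier pattern, the sample value and the exact form of the replaced base64 line are assumptions.

```bash
#!/usr/bin/env bash
# Added example: helper names, the name pattern and the legacy line are assumptions.

# Only plain identifiers may be interpolated into a generated env.sh line.
valid_secret_name() { [[ $1 =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; }

# Write one secret to <dir>/secrets/<NAME> with mode 0600. printf is a builtin,
# so the value never appears in any process's argv.
write_secret() {
  local __dir=$1 __name=$2 __value=$3
  valid_secret_name "$__name" || return 1
  ( umask 077
    mkdir -p "$__dir/secrets" &&
    printf '%s' "$__value" > "$__dir/secrets/$__name" &&
    chmod 600 "$__dir/secrets/$__name" )
}

# Load it as the PR's env.sh line does: a redirect into the read builtin,
# with no command substitution and no subprocess.
load_secret() {
  local __dir=$1 __name=$2
  valid_secret_name "$__name" || return 1
  [[ -r $__dir/secrets/$__name ]] || return 1
  # read returns non-zero at EOF when it finds no NUL delimiter, hence "|| true".
  IFS= read -r -d '' "$__name" < "$__dir/secrets/$__name" || true
  export "$__name"
}

# What `set -x` logs for the file-based load (stderr captured in a subshell).
trace_file_load() { ( exec 2>&1; set -x; load_secret "$1" "$2" ); }

# What it logs for the replaced style, assumed here to be a base64 command
# substitution on the export line.
trace_base64_load() {
  ( exec 2>&1; set -x; export API_KEY="$(echo "$1" | base64 -d)" )
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  demo=$(mktemp -d)
  write_secret "$demo" API_KEY 'sk-demo-CONSTRUCTED'   # constructed sample value
  trace_file_load "$demo" API_KEY     # trace holds names and paths only
  trace_base64_load "$(printf '%s' 'sk-demo-CONSTRUCTED' | base64)"  # trace holds the value
  rm -rf "$demo"
fi
```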

Copilot AI changed the title from "[WIP] Fix secrets exposure in /proc cmdline during base64 decoding" to "Avoid exposing runtime secrets via base64 subprocesses" May 16, 2026
Copilot AI requested a review from mrjf May 16, 2026 14:27
Copilot finished work on behalf of mrjf May 16, 2026 14:27
Owner

mrjf commented May 16, 2026

@copilot resolve the merge conflicts in this pull request and fix tests

…isible-in-proc-cmdline

# Conflicts:
#	packages/runtime/src/band-server.ts
Contributor Author

Copilot AI commented May 16, 2026

> @copilot resolve the merge conflicts in this pull request and fix tests

Resolved the merge conflicts with main and verified tests. Addressed in a572a7d; bun run test:unit, bun run typecheck, and bun run test pass.

Copilot finished work on behalf of mrjf May 16, 2026 16:46
Owner

mrjf commented May 16, 2026

@copilot fix tests

Contributor Author

Copilot AI commented May 16, 2026

> @copilot fix tests

Fixed in 71c81df. The failing skill tests were caused by Bun rejecting the spawnSync stdin option; secret files now use a stdin pipe without exposing secret values in the command line. bun run test:unit, bun run typecheck, bun run test, and final validation pass.

Copilot finished work on behalf of mrjf May 16, 2026 17:26
Owner

mrjf commented May 16, 2026

@copilot resolve conflicts

Contributor Author

Copilot AI commented May 16, 2026

> @copilot resolve conflicts

Resolved in fc8b98c. Merged latest main, resolved the band-server.ts conflict, and validated with bun run test:unit, bun run typecheck, bun run test, secret scanning, and final Code Review/CodeQL checks.

Copilot finished work on behalf of mrjf May 16, 2026 19:15

Successfully merging this pull request may close these issues.

Secrets briefly visible in /proc cmdline via base64 -d subprocess

2 participants