Security Issues

[mismosmi]

Critical (P0)

Server binds to 0.0.0.0 (src/server/mod.rs:155) — The MCP server listens on all network interfaces, exposing the /run_command endpoint (which executes arbitrary shell commands) to anyone on the local network. Should bind to 127.0.0.1. This is a one-line fix.

AppleScript injection (src/server/commands.rs:59-63) — On macOS, command strings are interpolated into AppleScript with only " escaping. Crafted commands can break out and execute code via do shell script before the user approves anything.

High (P1)

Non-constant-time API key comparison (rest.rs:97, daemons.rs:146) — Uses != instead of constant-time comparison. Combined with #1, this enables remote timing attacks.

State files lack explicit permissions (lifecycle.rs:38-44) — API keys in ~/.ai-pod/*.json inherit the process umask, potentially world-readable on systems with umask 0022.

curl | bash installation (container.rs:24) — Claude Code installed via pipe-to-shell without integrity verification.

Medium (P2)

bypassPermissions in container — Claude runs with full permissions inside the container, which has the workspace mounted read-write.
Unpinned Docker images — FROM ubuntu:latest is non-reproducible and vulnerable to supply chain attacks.
No rate limiting on any server endpoint.
Server log created without restricted permissions.

Low (P3)

10-14. Binary download integrity, incomplete pipe rejection, daemon approval flow gaps, PID reuse TOCTOU.

The full analysis with code references and fix suggestions is in SECURITY_AUDIT.md, pushed to the branch.
1 step

[mismosmi]

@claude split this into sub-issues, one per vulnerability

[mismosmi]

@claude split this into sub-issues, one per vulnerability

[claude]

Claude finished @mismosmi's task in 2m 43s —— View job

---

Splitting security issues into sub-issues

I've prepared all 12 sub-issues (bodies written and ready), but gh issue create is being blocked by the sandbox permission system. To allow me to create GitHub issues, you need to add Bash(gh issue create*) to the --allowedTools list in your Claude Code Action configuration.

In the meantime, here are all the sub-issues ready to be created — you can create them manually or re-trigger me with expanded permissions:

Critical (P0)

• [P0] Server binds to 0.0.0.0 (src/server/mod.rs:155) — MCP server listens on all interfaces, exposing /run_command (arbitrary shell exec) to anyone on the LAN. Fix: bind to 127.0.0.1.
• [P0] AppleScript injection (src/server/commands.rs:59-63) — Command strings interpolated into AppleScript with only " escaping; crafted input can break out and run do shell script before user approval.

High (P1)

• [P1] Non-constant-time API key comparison (rest.rs:97, daemons.rs:146) — Uses != instead of constant-time comparison, enabling remote timing attacks combined with the 0.0.0.0 exposure.
• [P1] State files lack explicit permissions (lifecycle.rs:38-44) — API keys in ~/.ai-pod/*.json inherit process umask; world-readable on systems with umask 0022.
• [P1] curl | bash installation without integrity check (container.rs:24) — Claude Code installed via pipe-to-shell with no checksum/signature verification; vulnerable to MITM or CDN compromise.

Medium (P2)

• [P2] bypassPermissions in container — Claude runs with full permissions inside the container with the workspace mounted read-write.
• [P2] Unpinned Docker images — FROM ubuntu:latest is non-reproducible and vulnerable to supply chain attacks.
• [P2] No rate limiting on server endpoints — Enables brute-force and DoS attacks.
• [P2] Server log created without restricted permissions — Log file may be world-readable, leaking sensitive request data.

Low (P3)

• [P3] Binary download integrity — Downloaded binaries not verified against checksums/signatures.
• [P3] Incomplete pipe rejection — Piped input may reach sensitive code paths in edge cases.
• [P3] Daemon approval flow gaps — Commands may proceed without user approval in certain edge cases.
• [P3] PID reuse TOCTOU — Race condition: PID checked then used, but a different process may have been assigned the same PID in between.

---

To grant permission for issue creation, add Bash(gh issue create*) to allowed tools and re-trigger with @claude split this into sub-issues, one per vulnerability.

[mismosmi]

@claude open a pull request to add that permission.

[claude]

Claude finished @mismosmi's task in 19s —— View job

---

Adding gh issue create permission

I'm unable to open a pull request for this change. Modifying files in the .github/workflows/ directory requires workflow permissions that the GitHub App does not have — this is a hard limitation of the Claude Code Action setup.

To add the permission yourself, edit your Claude Code Action workflow file (e.g., .github/workflows/claude.yml) and add Bash(gh issue create*) to the --allowedTools list:

- uses: anthropics/claude-code-action@v1
  with:
    allowed_tools: "Bash(gh issue create*),..."  # add this

Or if using the --allowedTools flag directly in the Claude Code CLI invocation, add Bash(gh issue create*) there.

More info and workarounds: FAQ

Once that's in place, re-trigger me with @claude split this into sub-issues, one per vulnerability and I'll create all 12 sub-issues automatically.

[mismosmi]

@claude split this into sub-issues, one per vulnerability

[claude]

Claude finished @mismosmi's task in 2m 30s —— View job

---

Splitting security issues into sub-issues

All 13 sub-issues created:

Priority	Issue	Link
P0 Critical	Server binds to 0.0.0.0 — MCP /run_command exposed to LAN	#17
P0 Critical	AppleScript injection via unescaped command strings	#18
P1 High	Non-constant-time API key comparison enables timing attacks	#19
P1 High	State files with API keys lack explicit permissions	#20
P1 High	curl | bash installation has no integrity verification	#21
P2 Medium	Claude runs with bypassPermissions + read-write workspace mount	#22
P2 Medium	Unpinned Docker base image (FROM ubuntu:latest)	#23
P2 Medium	No rate limiting on MCP server endpoints	#24
P2 Medium	Server log file created without restricted permissions	#25
P3 Low	Downloaded binaries not verified against checksums	#26
P3 Low	Incomplete pipe rejection	#27
P3 Low	Daemon approval flow gaps	#28
P3 Low	PID reuse TOCTOU race condition	#29