fix(security): restrict wildcard HTTP methods in network policies#1115
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughNarrowed network policy allow rules in the sandbox: replaced wildcard HTTP method/path rules with explicit REST allowlists for Anthropic ( Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml`:
- Around line 97-101: The rules block is missing the POST /v1/embeddings entry
for the inference-api.nvidia.com sandbox; add a new rule item matching the style
of the others: - allow: { method: POST, path: "/v1/embeddings" } alongside the
existing - allow: { method: POST, path: "/v1/chat/completions" } and - allow: {
method: POST, path: "/v1/completions" } entries so both NVIDIA endpoints support
embeddings and completions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 35d38c81-9626-4c67-bd36-35a8c7dee8ae
📒 Files selected for processing (2)
nemoclaw-blueprint/policies/openclaw-sandbox.yamltest/validate-blueprint.test.ts
|
✨ Thanks for submitting this PR with a detailed summary, it addresses a security bug with wildcard HTTP methods and proposes a fix to improve the security of NemoClaw, which could prevent potential vulnerabilities. |
Replace method: "*" wildcards with explicit method+path allowlists for inference and telemetry endpoints. A wildcard permits DELETE/PUT/PATCH to management APIs (NVIDIA Cloud Functions, Anthropic files/skills, Sentry projects) that share the same host as inference endpoints. Changes: - api.anthropic.com: POST /v1/messages, /v1/messages/batches, /v1/complete - integrate.api.nvidia.com: POST chat/completions/embeddings + GET models - inference-api.nvidia.com: POST completions + GET models - statsig.anthropic.com: add protocol: rest + enforcement: enforce, POST only - sentry.io: add protocol: rest + enforcement: enforce, POST to ingest paths Adds regression tests ensuring no endpoint uses wildcard methods and all rule-bearing endpoints have protocol: rest + enforcement: enforce. Fixes NVIDIA#1113
Signed-off-by: peteryuqin <[email protected]>
e4cf7a8 to
eb5d7cb
Compare
|
Rebased this branch onto current main and kept the restrictive allowlist intent intact. Also added the missing POST /v1/embeddings rule for inference-api.nvidia.com that came up in review. Verification run: npm test -- test/validate-blueprint.test.ts. |
|
Tests pass locally. One note: the wildcard-method regression test |
|
Hey @WuKongAI-CMU! The only failing check is DCO (Developer Certificate of Origin) meaning your commits need a Signed-off-by line. You can fix it with: git rebase --signoff HEAD~3 |
…IDIA#1115) ## Summary - Replace `method: "*"` wildcards with explicit method+path allowlists for all inference and telemetry endpoints in `openclaw-sandbox.yaml` - Add missing `protocol: rest` and `enforcement: enforce` to `statsig.anthropic.com` and `sentry.io` entries (rules existed but L7 inspection was never activated) - Add regression tests preventing future wildcard method rules and ensuring all rule-bearing endpoints have L7 enforcement enabled ## Why The policy file's own header states: *"deny by default, allow only what's needed."* Wildcard methods contradict this by permitting `DELETE`/`PUT`/`PATCH` to management APIs that share hosts with inference endpoints: | Host | Risk | Now restricted to | |------|------|-------------------| | `api.anthropic.com` | `DELETE /v1/files/*`, `DELETE /v1/skills/*` | `POST` to `/v1/messages`, `/v1/complete` | | `integrate.api.nvidia.com` | `DELETE /v2/nvcf/deployments/**` | `POST` completions/embeddings, `GET` models | | `inference-api.nvidia.com` | Same NVIDIA Cloud Functions risk | `POST` completions, `GET` models | | `statsig.anthropic.com` | Rules existed but no L7 enforcement | `POST` only, L7 now enforced | | `sentry.io` | `DELETE /api/0/projects/**` | `POST` to ingest paths only, L7 now enforced | ## Test plan - [x] `npx vitest run test/validate-blueprint.test.ts` — 24 tests pass (2 new) - [x] `npm test` — full suite 638 passed, 0 failed - [ ] Manual: verify inference still works through the restricted paths (POST to `/v1/chat/completions`) - [ ] Manual: verify telemetry (Sentry/Statsig) still reports through POST-only rules Fixes NVIDIA#1113 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Tightened external network access by replacing broad wildcard allowances with explicit method/path allowlists for third-party APIs (Anthropic, Statsig, Sentry, NVIDIA) and added endpoint metadata to improve security and reduce exposure. * **Tests** * Added validation checks to ensure no wildcard methods remain, endpoints declare protocol/enforcement, and NVIDIA endpoints include required API rules. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Charan Jagwani <[email protected]> --------- Signed-off-by: peteryuqin <[email protected]> Signed-off-by: Charan Jagwani <[email protected]> Co-authored-by: cjagwani <[email protected]>
Summary
method: "*"wildcards with explicit method+path allowlists for all inference and telemetry endpoints inopenclaw-sandbox.yamlprotocol: restandenforcement: enforcetostatsig.anthropic.comandsentry.ioentries (rules existed but L7 inspection was never activated)Why
The policy file's own header states: "deny by default, allow only what's needed." Wildcard methods contradict this by permitting
DELETE/PUT/PATCHto management APIs that share hosts with inference endpoints:api.anthropic.comDELETE /v1/files/*,DELETE /v1/skills/*POSTto/v1/messages,/v1/completeintegrate.api.nvidia.comDELETE /v2/nvcf/deployments/**POSTcompletions/embeddings,GETmodelsinference-api.nvidia.comPOSTcompletions,GETmodelsstatsig.anthropic.comPOSTonly, L7 now enforcedsentry.ioDELETE /api/0/projects/**POSTto ingest paths only, L7 now enforcedTest plan
npx vitest run test/validate-blueprint.test.ts— 24 tests pass (2 new)npm test— full suite 638 passed, 0 failed/v1/chat/completions)Fixes #1113
🤖 Generated with Claude Code
Summary by CodeRabbit
Chores
Tests
Signed-off-by: Charan Jagwani [email protected]