
fix(security): restrict wildcard HTTP methods in network policies#1115

Merged: brandonpelfrey merged 7 commits into NVIDIA:main from WuKongAI-CMU:fix/1113-restrict-policy-methods on Apr 7, 2026

Conversation

WuKongAI-CMU (Contributor) commented Mar 30, 2026

Summary

  • Replace method: "*" wildcards with explicit method+path allowlists for all inference and telemetry endpoints in openclaw-sandbox.yaml
  • Add missing protocol: rest and enforcement: enforce to statsig.anthropic.com and sentry.io entries (rules existed but L7 inspection was never activated)
  • Add regression tests preventing future wildcard method rules and ensuring all rule-bearing endpoints have L7 enforcement enabled

Why

The policy file's own header states: "deny by default, allow only what's needed." Wildcard methods contradict this by permitting DELETE/PUT/PATCH to management APIs that share hosts with inference endpoints:

| Host | Risk | Now restricted to |
|------|------|-------------------|
| api.anthropic.com | DELETE /v1/files/*, DELETE /v1/skills/* | POST to /v1/messages, /v1/complete |
| integrate.api.nvidia.com | DELETE /v2/nvcf/deployments/** | POST completions/embeddings, GET models |
| inference-api.nvidia.com | Same NVIDIA Cloud Functions risk | POST completions, GET models |
| statsig.anthropic.com | Rules existed but no L7 enforcement | POST only, L7 now enforced |
| sentry.io | DELETE /api/0/projects/** | POST to ingest paths only, L7 now enforced |

Test plan

  • npx vitest run test/validate-blueprint.test.ts — 24 tests pass (2 new)
  • npm test — full suite 638 passed, 0 failed
  • Manual: verify inference still works through the restricted paths (POST to /v1/chat/completions)
  • Manual: verify telemetry (Sentry/Statsig) still reports through POST-only rules

Fixes #1113

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Tightened external network access by replacing broad wildcard allowances with explicit method/path allowlists for third-party APIs (Anthropic, Statsig, Sentry, NVIDIA) and added endpoint metadata to improve security and reduce exposure.
  • Tests

    • Added validation checks to ensure no wildcard methods remain, endpoints declare protocol/enforcement, and NVIDIA endpoints include required API rules.

Signed-off-by: Charan Jagwani [email protected]

coderabbitai (Bot, Contributor) commented Mar 30, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e3c60d5f-38e4-4ced-b07c-b885cba184c2

📥 Commits

Reviewing files that changed from the base of the PR and between 401cfd0 and 17ca6d5.

📒 Files selected for processing (1)
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml

Walkthrough

Narrowed network policy allow rules in the sandbox: replaced wildcard HTTP method/path rules with explicit REST allowlists for Anthropic (api.anthropic.com, statsig.anthropic.com), Sentry (sentry.io), and NVIDIA (integrate.api.nvidia.com, inference-api.nvidia.com); added tests validating no wildcard methods, L7 enforcement, and NVIDIA embedding POST rules.

Changes

| Cohort / File(s) | Summary |
|------------------|---------|
| OpenClaw sandbox policy: nemoclaw-blueprint/policies/openclaw-sandbox.yaml | Replaced wildcard method: "*" / path: "/**" rules with explicit REST allowlists: Anthropic api.anthropic.com limited to POST /v1/messages, POST /v1/messages/batches, GET /v1/messages/batches/**, POST /v1/complete; statsig.anthropic.com had GET "/**" removed, retaining POST-only; sentry.io restricted to POST /api/*/envelope/** and POST /api/*/store/**. NVIDIA endpoints (integrate.api.nvidia.com, inference-api.nvidia.com) tightened to explicit POST /v1/chat/completions, POST /v1/completions, POST /v1/embeddings and GET /v1/models (+ GET /v1/models/**); ensured protocol: rest and enforcement: enforce where applicable. |
| Policy validation tests: test/validate-blueprint.test.ts | Added three tests: (1) assert no rule uses wildcard method "*", (2) assert endpoints that declare rules also set protocol: "rest" and enforcement: "enforce", (3) assert NVIDIA endpoints include a POST /v1/embeddings rule for both integrate/inference hosts. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇
I hop through lines of tightened code,
Swapping wild winds for doors with locks,
POSTs and GETs march in tidy flocks,
No rogue DELETEs nibble our load,
I twitch my whiskers — safe paths now bode.

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
|------------|--------|-------------|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'fix(security): restrict wildcard HTTP methods in network policies' accurately and concisely summarizes the main change: replacing wildcard HTTP method rules with explicit allowlists. |
| Linked Issues check | ✅ Passed | All coding requirements from #1113 are met: wildcard method rules replaced with explicit allowlists, protocol/enforcement added for statsig and sentry, and regression tests added to prevent reintroduction. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to addressing wildcard HTTP methods in network policies (#1113). Modifications to openclaw-sandbox.yaml and regression tests in validate-blueprint.test.ts are aligned with the stated objectives. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

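As an added example (not NemoClaw's own code or test suite), the TypeScript below models the endpoint shape visible in the PR description's table and in the CodeRabbit walkthrough (host, protocol, enforcement, and rules of the form allow: { method, path }), implements the three regression checks they describe, and shows why the wildcard mattered: under method: "*" a DELETE to a management path passes the same allow rule as inference traffic, while under the explicit allowlist it does not. The top-level policy layout, the glob matching semantics (single "*" for one path segment, "**" for any depth), the statsig path, and both sample policies are constructed assumptions; the real openclaw-sandbox.yaml would be loaded with a YAML parser rather than written inline.

```typescript
// Added example, not NemoClaw's own code. The endpoint shape mirrors the fields
// quoted in the PR; the policy layout, glob semantics and sample policies below
// are CONSTRUCTED assumptions, not the real openclaw-sandbox.yaml.

type Rule = { allow: { method: string; path: string } };
type Endpoint = { host: string; protocol?: string; enforcement?: string; rules?: Rule[] };

function allow(method: string, path: string): Rule {
  return { allow: { method, path } };
}

// Assumed glob semantics: "*" matches one path segment, "**" matches any depth.
function globToRegExp(glob: string): RegExp {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") { re += ".*"; i++; }
    else if (c === "*") re += "[^/]*";
    else re += /[.+?^${}()|[\]\\]/.test(c) ? "\\" + c : c;
  }
  return new RegExp("^" + re + "$");
}

// Would the L7 filter let this request through? A "*" method matches every verb,
// which is exactly how DELETE/PUT/PATCH reached management APIs on shared hosts.
function requestAllowed(ep: Endpoint, method: string, path: string): boolean {
  return (ep.rules ?? []).some(
    (r) => (r.allow.method === "*" || r.allow.method === method) && globToRegExp(r.allow.path).test(path),
  );
}

const NVIDIA_HOSTS = ["integrate.api.nvidia.com", "inference-api.nvidia.com"];

// The three regression checks from the PR, returned as findings so a test can
// assert on them; an empty list means the policy passes.
function validatePolicy(policy: Endpoint[]): string[] {
  const findings: string[] = [];
  for (const ep of policy) {
    const rules = ep.rules ?? [];
    for (const r of rules) {
      if (r.allow.method === "*") findings.push(`${ep.host}: wildcard method on ${r.allow.path}`);
    }
    // Rules without protocol: rest + enforcement: enforce are never inspected at L7.
    if (rules.length > 0 && (ep.protocol !== "rest" || ep.enforcement !== "enforce")) {
      findings.push(`${ep.host}: rules present but L7 enforcement not enabled`);
    }
  }
  for (const host of NVIDIA_HOSTS) {
    const ep = policy.find((e) => e.host === host);
    const ok = ep?.rules?.some((r) => r.allow.method === "POST" && r.allow.path === "/v1/embeddings");
    if (!ok) findings.push(`${host}: missing POST /v1/embeddings rule`);
  }
  return findings;
}

// Constructed "before" state: the wildcard entry, a statsig entry whose rules never
// activated L7 inspection, and the NVIDIA host that lacked the embeddings rule.
const BEFORE_FIX: Endpoint[] = [
  { host: "api.anthropic.com", protocol: "rest", enforcement: "enforce", rules: [allow("*", "/**")] },
  { host: "statsig.anthropic.com", rules: [allow("GET", "/**"), allow("POST", "/**")] },
  { host: "integrate.api.nvidia.com", protocol: "rest", enforcement: "enforce",
    rules: [allow("POST", "/v1/chat/completions"), allow("POST", "/v1/embeddings"), allow("GET", "/v1/models")] },
  { host: "inference-api.nvidia.com", protocol: "rest", enforcement: "enforce",
    rules: [allow("POST", "/v1/chat/completions"), allow("POST", "/v1/completions"), allow("GET", "/v1/models")] },
];

// Constructed "after" state following the allowlists the PR describes.
const nvidiaRules = [
  allow("POST", "/v1/chat/completions"), allow("POST", "/v1/completions"),
  allow("POST", "/v1/embeddings"), allow("GET", "/v1/models"), allow("GET", "/v1/models/**"),
];
const AFTER_FIX: Endpoint[] = [
  { host: "api.anthropic.com", protocol: "rest", enforcement: "enforce", rules: [
    allow("POST", "/v1/messages"), allow("POST", "/v1/messages/batches"),
    allow("GET", "/v1/messages/batches/**"), allow("POST", "/v1/complete") ] },
  { host: "statsig.anthropic.com", protocol: "rest", enforcement: "enforce", rules: [allow("POST", "/**")] },
  { host: "integrate.api.nvidia.com", protocol: "rest", enforcement: "enforce", rules: nvidiaRules },
  { host: "inference-api.nvidia.com", protocol: "rest", enforcement: "enforce", rules: nvidiaRules },
  { host: "sentry.io", protocol: "rest", enforcement: "enforce", rules: [
    allow("POST", "/api/*/envelope/**"), allow("POST", "/api/*/store/**") ] },
];

function byHost(policy: Endpoint[], host: string): Endpoint {
  const ep = policy.find((e) => e.host === host);
  if (!ep) throw new Error(`no endpoint for ${host}`);
  return ep;
}

console.log(validatePolicy(BEFORE_FIX)); // three findings: wildcard, no L7, missing embeddings
console.log(validatePolicy(AFTER_FIX));  // []
console.log(requestAllowed(byHost(BEFORE_FIX, "api.anthropic.com"), "DELETE", "/v1/files/abc")); // true
console.log(requestAllowed(byHost(AFTER_FIX, "api.anthropic.com"), "DELETE", "/v1/files/abc"));  // false
```

The validator deliberately reports findings rather than throwing, so a vitest-style test can assert on the list and a CI job can print every violation at once; the cjagwani note further down about wildcard paths is outside these three checks, which is why a rule such as POST "/**" on statsig passes here.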

coderabbitai (Bot) left a review comment


Actionable comments posted: 1

Prompt for all review comments with AI agents (verify each finding against the current code and only fix it if needed):

In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml`, around lines 97-101: the rules block is missing the POST /v1/embeddings entry for the inference-api.nvidia.com sandbox. Add a new rule item matching the style of the others, `- allow: { method: POST, path: "/v1/embeddings" }`, alongside the existing `- allow: { method: POST, path: "/v1/chat/completions" }` and `- allow: { method: POST, path: "/v1/completions" }` entries so both NVIDIA endpoints support embeddings and completions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 35d38c81-9626-4c67-bd36-35a8c7dee8ae

📥 Commits

Reviewing files that changed from the base of the PR and between 052c86c and 9f6c106.

📒 Files selected for processing (2)
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • test/validate-blueprint.test.ts

@wscurran wscurran added security Potential vulnerability, unsafe behavior, or access risk priority: high labels Mar 30, 2026
wscurran (Contributor) commented

✨ Thanks for submitting this PR with a detailed summary, it addresses a security bug with wildcard HTTP methods and proposes a fix to improve the security of NemoClaw, which could prevent potential vulnerabilities.

@cjagwani cjagwani self-assigned this Apr 1, 2026
Replace method: "*" wildcards with explicit method+path allowlists for
inference and telemetry endpoints. A wildcard permits DELETE/PUT/PATCH
to management APIs (NVIDIA Cloud Functions, Anthropic files/skills,
Sentry projects) that share the same host as inference endpoints.

Changes:
- api.anthropic.com: POST /v1/messages, /v1/messages/batches, /v1/complete
- integrate.api.nvidia.com: POST chat/completions/embeddings + GET models
- inference-api.nvidia.com: POST completions + GET models
- statsig.anthropic.com: add protocol: rest + enforcement: enforce, POST only
- sentry.io: add protocol: rest + enforcement: enforce, POST to ingest paths

Adds regression tests ensuring no endpoint uses wildcard methods and all
rule-bearing endpoints have protocol: rest + enforcement: enforce.

Fixes NVIDIA#1113
WuKongAI-CMU force-pushed the fix/1113-restrict-policy-methods branch from e4cf7a8 to eb5d7cb on April 2, 2026 04:28

WuKongAI-CMU (Contributor, Author) commented

Rebased this branch onto current main and kept the restrictive allowlist intent intact. Also added the missing POST /v1/embeddings rule for inference-api.nvidia.com that came up in review. Verification run: npm test -- test/validate-blueprint.test.ts.

cjagwani (Contributor) commented Apr 2, 2026

Tests pass locally. One note: the wildcard-method regression test catches method: "*" but doesn't cover wildcard paths; other policy groups still use path: "/**" with explicit GET/POST.

cjagwani (Contributor) commented Apr 2, 2026

Hey @WuKongAI-CMU! The only failing check is DCO (Developer Certificate of Origin), meaning your commits need a Signed-off-by line. You can fix it with:

```shell
git rebase --signoff HEAD~3
git push --force-with-lease
```

Everything else passes.

@cjagwani cjagwani closed this Apr 2, 2026
@cjagwani cjagwani reopened this Apr 2, 2026
@cjagwani cjagwani requested a review from brandonpelfrey April 7, 2026 14:34
@brandonpelfrey brandonpelfrey merged commit 6c300b3 into NVIDIA:main Apr 7, 2026
10 checks passed
@brandonpelfrey brandonpelfrey self-assigned this Apr 7, 2026
gemini2026 pushed a commit to gemini2026/NemoClaw that referenced this pull request Apr 14, 2026
…IDIA#1115)

## Summary

- Replace `method: "*"` wildcards with explicit method+path allowlists
for all inference and telemetry endpoints in `openclaw-sandbox.yaml`
- Add missing `protocol: rest` and `enforcement: enforce` to
`statsig.anthropic.com` and `sentry.io` entries (rules existed but L7
inspection was never activated)
- Add regression tests preventing future wildcard method rules and
ensuring all rule-bearing endpoints have L7 enforcement enabled

## Why

The policy file's own header states: *"deny by default, allow only
what's needed."* Wildcard methods contradict this by permitting
`DELETE`/`PUT`/`PATCH` to management APIs that share hosts with
inference endpoints:

| Host | Risk | Now restricted to |
|------|------|-------------------|
| `api.anthropic.com` | `DELETE /v1/files/*`, `DELETE /v1/skills/*` | `POST` to `/v1/messages`, `/v1/complete` |
| `integrate.api.nvidia.com` | `DELETE /v2/nvcf/deployments/**` | `POST` completions/embeddings, `GET` models |
| `inference-api.nvidia.com` | Same NVIDIA Cloud Functions risk | `POST` completions, `GET` models |
| `statsig.anthropic.com` | Rules existed but no L7 enforcement | `POST` only, L7 now enforced |
| `sentry.io` | `DELETE /api/0/projects/**` | `POST` to ingest paths only, L7 now enforced |

## Test plan

- [x] `npx vitest run test/validate-blueprint.test.ts` — 24 tests pass (2 new)
- [x] `npm test` — full suite 638 passed, 0 failed
- [ ] Manual: verify inference still works through the restricted paths (POST to `/v1/chat/completions`)
- [ ] Manual: verify telemetry (Sentry/Statsig) still reports through POST-only rules

Fixes NVIDIA#1113

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary by CodeRabbit

* **Chores**
* Tightened external network access by replacing broad wildcard
allowances with explicit method/path allowlists for third-party APIs
(Anthropic, Statsig, Sentry, NVIDIA) and added endpoint metadata to
improve security and reduce exposure.

* **Tests**
* Added validation checks to ensure no wildcard methods remain,
endpoints declare protocol/enforcement, and NVIDIA endpoints include
required API rules.

Signed-off-by: Charan Jagwani <[email protected]>

---------

Signed-off-by: peteryuqin <[email protected]>
Signed-off-by: Charan Jagwani <[email protected]>
Co-authored-by: cjagwani <[email protected]>
@wscurran wscurran added bug-fix PR fixes a bug or regression and removed priority: high labels Jun 3, 2026

Labels

bug-fix PR fixes a bug or regression security Potential vulnerability, unsafe behavior, or access risk

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Inference and telemetry policies allow all HTTP methods — wildcard rules permit destructive API operations

4 participants