
[WIP] fix(daemon): enforce box auth token on toolbox routes (opt-in)#776

Draft
G4614 wants to merge 1 commit into
boxlite-ai:mainfrom
G4614:fix/sec-7-toolbox-auth

Conversation

G4614 (Contributor) commented Jun 15, 2026

⚠️ [WIP — daemon side fully tested; production enablement needs the full stack]
Part of a source-level security audit. The daemon-side middleware is unit-tested
here; flipping it on in production requires a coordinated proxy change (below),
which needs the full runner→proxy→daemon stack to verify.

Problem

The toolbox daemon registered /process/execute, /files/*, /process/pty/*
and an open /proxy/:port/* forward proxy with no authentication. The
authToken set via /init was only used as a telemetry attribute. Anyone able
to reach TOOLBOX_API_PORT (firewall misconfig, shared host network, neighbor
box, SSRF) got unauthenticated RCE and full file access in the box.

Change

Add toolboxAuthMiddleware: enforces the token as a Bearer credential
(constant-time compare) on all non-exempt routes when TOOLBOX_REQUIRE_AUTH=true,
fail-closed when the token is unset. /init and /version stay exempt.

Gated off by default so the existing path is not broken.

Test (two-sided) — daemon side, runs locally

TestToolboxAuth_EnforcesTokenWhenRequired rejects missing/wrong tokens (401)
and accepts the exact token; reverting the middleware to a pass-through makes the
unauthenticated RCE route return 200 → test fails. TestToolboxAuth_DisabledByDefault
confirms the default path is unaffected. go test ./pkg/toolbox/ passes.

What needs a resource to verify (enablement)

  • The upstream proxy must forward the token to the daemon on every request
    (it currently sends Bearer only to the API, not the daemon). That + setting
    TOOLBOX_REQUIRE_AUTH=true needs the full runner→proxy→daemon path (a running
    box) to confirm legitimate requests still pass. Not run in this environment.
  • Optionally bind the daemon to loopback as additional defense in depth.

Audit finding #7 (medium).

🤖 Generated with Claude Code

The toolbox daemon registered process-execute, file read/write, PTY and an
open forward proxy with NO authentication — the authToken set via /init was only
used as a telemetry attribute. Anyone able to reach TOOLBOX_API_PORT (firewall
misconfig, shared host network, neighbor box, or SSRF) got unauthenticated RCE
and full file access in the box, bypassing the API's org guards.

Add toolboxAuthMiddleware, which enforces the token as a Bearer credential
(constant-time compare) on all non-exempt routes when TOOLBOX_REQUIRE_AUTH=true,
fail-closed when the token is unset. /init and /version stay exempt.

The daemon side is fully tested (see below). It is gated OFF by default and is
[WIP] for production enablement because turning it on requires the upstream
proxy (runner→proxy→daemon) to forward the token on every request — a separate,
coordinated change that needs the full multi-service stack to verify end to end.

Two-sided test: TestToolboxAuth_EnforcesTokenWhenRequired rejects missing/wrong
tokens (401) and accepts the exact token; reverting the middleware to a
pass-through makes the unauthenticated RCE route return 200 and the test fails.
TestToolboxAuth_DisabledByDefault confirms the default path is unaffected.

Audit finding boxlite-ai#7 (medium).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
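The middleware described in the PR text and the commit message above, written out as an added Go example. This is not boxlite's code; the type and function names (Authenticator, Probe, RequireAuthFromEnv, tokensEqual, bearerToken) are my own, as is the choice to hash both tokens before the constant-time compare so that a length mismatch does not short-circuit. Only the behaviour the PR states is reproduced: enforcement gated on TOOLBOX_REQUIRE_AUTH, a Bearer credential checked in constant time on every non-exempt route, fail-closed when no token has been set, and /init and /version exempt.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strconv"
	"strings"
	"sync"
)

// Authenticator holds the box token (the real daemon learns it via /init) and
// whether enforcement is on. Hypothetical type, not boxlite's.
type Authenticator struct {
	mu      sync.RWMutex
	token   string
	require bool
	exempt  map[string]bool
}

// NewAuthenticator builds an authenticator. /init must stay reachable so the
// token can be delivered; /version is a harmless probe. Exemption is an exact
// path match, so "/init/../process/execute" is not exempt.
func NewAuthenticator(require bool) *Authenticator {
	return &Authenticator{
		require: require,
		exempt:  map[string]bool{"/init": true, "/version": true},
	}
}

// RequireAuthFromEnv mirrors the opt-in switch: anything that does not parse
// as a boolean true leaves enforcement off (the PR's default).
func RequireAuthFromEnv() bool {
	v, err := strconv.ParseBool(os.Getenv("TOOLBOX_REQUIRE_AUTH"))
	return err == nil && v
}

// SetToken records the token delivered at init time.
func (a *Authenticator) SetToken(tok string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.token = tok
}

// bearerToken extracts the credential from "Authorization: Bearer <token>".
// The scheme is case-insensitive (RFC 6750); an empty credential is invalid.
func bearerToken(r *http.Request) (string, bool) {
	scheme, cred, ok := strings.Cut(r.Header.Get("Authorization"), " ")
	if !ok || !strings.EqualFold(scheme, "Bearer") {
		return "", false
	}
	cred = strings.TrimSpace(cred)
	return cred, cred != ""
}

// tokensEqual compares in constant time. Hashing both sides first means the
// comparison never returns early on a length mismatch.
func tokensEqual(expected, got string) bool {
	e := sha256.Sum256([]byte(expected))
	g := sha256.Sum256([]byte(got))
	return subtle.ConstantTimeCompare(e[:], g[:]) == 1
}

// Middleware enforces the token on every non-exempt route when enforcement is
// on. With no token set it fails closed: every protected request gets 401.
func (a *Authenticator) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !a.require || a.exempt[r.URL.Path] {
			next.ServeHTTP(w, r)
			return
		}
		a.mu.RLock()
		expected := a.token
		a.mu.RUnlock()
		got, ok := bearerToken(r)
		if expected == "" || !ok || !tokensEqual(expected, got) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="toolbox"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request through the middleware with no network listener
// and returns the status code. The catch-all handler stands in for the
// daemon's real routes (/process/execute, /files/*, /proxy/:port/*).
func Probe(a *Authenticator, path, authHeader string) int {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, path, nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	a.Middleware(mux).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	a := NewAuthenticator(true)
	fmt.Println("no token yet:", Probe(a, "/process/execute", "Bearer anything")) // 401 (fail closed)
	a.SetToken("s3cret-box-token") // constructed sample token
	fmt.Println("wrong token: ", Probe(a, "/process/execute", "Bearer nope"))             // 401
	fmt.Println("right token: ", Probe(a, "/process/execute", "Bearer s3cret-box-token")) // 200
	fmt.Println("exempt /init:", Probe(a, "/init", ""))                                   // 200
}
```

The middleware wraps the whole router rather than individual routes, so a route added later is protected by default instead of silently joining the unauthenticated set. The fail-closed branch is what makes the enablement ordering matter: if TOOLBOX_REQUIRE_AUTH=true is set before the proxy forwards the token on every request, legitimate traffic will also see 401, which is exactly the end-to-end check the PR says still needs a running box.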
coderabbitai Bot commented Jun 15, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


cla-assistant Bot commented Jun 15, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


boxlite security fixes does not seem to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

