Tags: NVIDIA/OpenShell
Tags
fix(sandbox): track PTY state per SSH channel to fix terminal resize (#… …687) Replace flat pty_master/input_sender/pty_request fields in SshHandler with a HashMap<ChannelId, ChannelState> so each channel tracks its own PTY resources independently. This fixes window_change_request resizing the wrong PTY when multiple channels are open simultaneously. Also fixes ioctl UB in set_winsize (pass &winsize not winsize by value) and adds warn! logging for unknown channels across all handlers. Resolves #543
fix(l7): reject duplicate Content-Length headers to prevent request s… …muggling (CWE-444) (#663) * fix(l7): reject duplicate Content-Length headers to prevent request smuggling Both parse_body_length() in rest.rs and try_parse_http_request() in inference.rs silently accepted multiple Content-Length headers, overwriting with the last value seen. Per RFC 7230 Section 3.3.3, a message with multiple Content-Length headers with differing values must be rejected to prevent HTTP request smuggling (CWE-444). An attacker could send conflicting Content-Length values causing the proxy and downstream server to disagree on message boundaries. Fix: - rest.rs: detect duplicate CL headers with differing values and return an error before forwarding - inference.rs: add ParseResult::Invalid variant; detect duplicate CL headers and return Invalid with a descriptive reason - proxy.rs: handle ParseResult::Invalid by sending HTTP 400 and denying the connection Closes #637 Signed-off-by: latenighthackathon <[email protected]> * fix(l7): address review feedback on Content-Length smuggling defense - inference.rs: reject unparseable Content-Length values instead of silently defaulting to 0 via unwrap_or(0) - rest.rs: reject unparseable Content-Length values so a valid+invalid duplicate pair cannot bypass the differing-values check - rest.rs: fix Transfer-Encoding substring match (.contains("chunked") → split/trim exact match) to align with inference.rs and prevent false positives on values like "chunkedx" - proxy.rs: log parsing details server-side via tracing::warn and return generic "Bad Request" body instead of leaking internal parsing reasons to sandboxed code - Add tests for all new rejection paths in inference.rs and rest.rs Signed-off-by: latenighthackathon <[email protected]> * style(l7): apply cargo fmt formatting Signed-off-by: latenighthackathon <[email protected]> --------- Signed-off-by: latenighthackathon <[email protected]> Co-authored-by: latenighthackathon <[email protected]>
fix(cluster): add Jetson Linux 5.15-tegra platform compatibility (#568) Three issues prevent k3s from starting on kernels where the nf_tables xt extension bridge (nft_compat) is unavailable: 1. kube-router's network policy controller uses the xt_comment iptables extension and panics on startup with "Extension comment revision 0 not supported, missing kernel module?" Pass --disable-network-policy to k3s so the controller never runs. The NSSH1 HMAC handshake remains the primary sandbox SSH isolation boundary, so this does not weaken the effective security posture. 2. flannel and kube-proxy also fail to insert rules via the nf_tables iptables backend on the same kernels. Add an xt_comment probe at cluster-entrypoint startup; if the probe fails, switch to iptables-legacy via update-alternatives before any other netfilter work so that flannel, kube-proxy, and the DNS proxy all use a consistent backend. 3. The br_netfilter kernel module must be loaded on the host for iptables rules to apply to pod bridge traffic. Without it, ClusterIP DNAT (including kube-dns at 10.43.0.10) is never applied to pod packets, causing silent DNS timeouts deep in the health-check loop. Add an early check that fails fast with an actionable error message if the module is not present, instructing the user to run `sudo modprobe br_netfilter` on the host. Signed-off-by: Evan Lezar <[email protected]>
feat(sandbox): auto-detect TLS and terminate unconditionally for cred… …ential injection (#544) * feat(sandbox): auto-detect TLS and terminate unconditionally for credential injection Closes #533 The proxy now auto-detects TLS by peeking the first bytes of each connection. When TLS is detected, it terminates unconditionally — enabling credential injection and optional L7 inspection without requiring explicit 'tls: terminate' in the policy.
fix(docker): set migrations dir permissions to 755 on COPY (#475) Docker COPY preserves build-host file permissions. On hosts with a restrictive umask (e.g. 0027), the migrations directory is copied as 750 root:root, making it unreadable by the openshell user at runtime and causing the server to crash with a permission denied error on startup. Using --chmod=755 ensures the directory is always world-readable regardless of the build host umask. Signed-off-by: Evan Lezar <[email protected]>
PreviousNext