fix(audit): close remaining non-Windows findings from 2026-06-01 deep audit#49
Merged
… audit

Address the HIGH/MEDIUM findings the weekly deep audit surfaced that PR #46 did not cover (PR #46 only closed the two top security findings in bash.rs). Windows AppContainer findings are left for a follow-up issue.

- anomaly.rs (HIGH): report_denial recovers the poisoned state mutex via into_inner() and logs, so a denial is still recorded and the Deny Fuse can trip; previously a poison silently returned, letting an actor exhaust the lock threshold. check() now also logs on poison for parity.
- enforce.rs (HIGH): surface ledger.decide() failures when marking an expired approval Expired instead of discarding them; AlreadyDecided stays benign.
- enforce.rs (MEDIUM): replace the dead `let _ = stderr_present` no-op with a debug log so handoff stderr omission is observable.
- content_filter.rs (MEDIUM): warn when a tool payload fails to parse as JSON so a skipped scan is distinguishable from a clean one.
- executors.rs (MEDIUM): extend the SSRF deny-list with RFC 6598 CGNAT (100.64.0.0/10), RFC 2544 benchmark (198.18.0.0/15), 0.0.0.0/8, and 6to4 (2002::/16) embedded-IPv4 unwrapping. Adds regression tests.
- decision.rs (MEDIUM x2): drop Deserialize from GuardDecision so untrusted JSON can't synthesize an Allow; mark DecisionReason #[non_exhaustive] so cross-crate callers go through the constructors that guarantee a message.
Summary

Closes the HIGH/MEDIUM findings from the 2026-06-01 weekly deep audit (docs/audits/2026-06-01.md) that PR #46 did not cover — #46 only closed the two top security findings in `bash.rs` (CRITICAL path-traversal + HIGH flag-form write targets). Windows AppContainer findings are tracked separately in #48.

All findings were re-verified as still present in current `main` before fixing.

Findings addressed

- `agent-guard-sdk/src/anomaly.rs` (HIGH): `report_denial` recovers the poisoned state mutex via `into_inner()` and logs, so a denial is still recorded and the Deny Fuse can trip — previously a poison silently returned, letting an actor exhaust the lock threshold. `check` now logs on poison for parity.
- `agent-guard-sdk/src/enforce.rs` (HIGH): surface `ledger.decide()` failures when marking an expired approval `Expired` instead of discarding them; `AlreadyDecided` stays benign.
- `agent-guard-sdk/src/enforce.rs` (MEDIUM): replace the dead `let _ = stderr_present` no-op with a `debug` log so handoff stderr omission is observable.
- `agent-guard-sdk/src/content_filter.rs` (MEDIUM): warn when a tool payload fails to parse as JSON so a skipped scan is distinguishable from a clean one.
- `agent-guard-sdk/src/executors.rs` (MEDIUM): extend the SSRF deny-list with RFC 6598 CGNAT (`100.64.0.0/10`), RFC 2544 benchmark (`198.18.0.0/15`), `0.0.0.0/8`, and 6to4 (`2002::/16`) embedded-IPv4 unwrapping.
- `agent-guard-core/src/decision.rs` (MEDIUM x2): drop `Deserialize` from `GuardDecision` so untrusted JSON can't synthesize an `Allow`; mark `DecisionReason` `#[non_exhaustive]` so cross-crate callers go through the constructors that guarantee a non-empty `message`.

Deferred

Windows AppContainer findings (2 HIGH + 1 MEDIUM, discarded Win32 return values) → tracked in #48. They only compile under the `windows-appcontainer` feature and need a Windows host to verify.

Test plan

- `cargo fmt --all -- --check`
- `cargo clippy --workspace --exclude agent-guard-python --all-features -- -D warnings`
- `cargo test --workspace --exclude agent-guard-python --all-features` (all pass)
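An added illustration of the `anomaly.rs` finding, written for this page and not taken from the agent-guard SDK: a hypothetical `Anomaly` counter shows the flagged early-return pattern (`report_denial_lossy`) beside the `into_inner()` recovery (`report_denial`), and a `poison` helper reproduces the failure by panicking on a worker thread while the guard is held. Names, the `threshold` field and the Deny Fuse semantics (trip once the counter reaches the threshold) are assumptions made for the example.

```rust
use std::sync::{Arc, Mutex};
use std::thread;

/// Per-actor denial counter. Hypothetical stand-in for the SDK's anomaly state.
#[derive(Default)]
pub struct DenyState {
    pub denials: u32,
}

pub struct Anomaly {
    state: Mutex<DenyState>,
    /// Number of denials after which the Deny Fuse trips (assumed semantics).
    threshold: u32,
}

impl Anomaly {
    pub fn new(threshold: u32) -> Self {
        Anomaly { state: Mutex::new(DenyState::default()), threshold }
    }

    /// The pattern the audit flagged: once the mutex is poisoned every call
    /// returns early, the counter never moves, and the fuse can never trip.
    pub fn report_denial_lossy(&self) -> Option<bool> {
        let mut st = match self.state.lock() {
            Ok(guard) => guard,
            Err(_) => return None, // denial silently dropped
        };
        st.denials += 1;
        Some(st.denials >= self.threshold)
    }

    /// Hardened form: take the guard back out of the PoisonError, log, and
    /// still record the denial. A plain counter has no invariant a panic can
    /// leave half-updated, so recovering the guard is safe here.
    pub fn report_denial(&self) -> bool {
        let mut st = self.state.lock().unwrap_or_else(|poisoned| {
            eprintln!("anomaly: state mutex poisoned, recovering and recording denial");
            poisoned.into_inner()
        });
        st.denials += 1;
        st.denials >= self.threshold
    }

    pub fn denials(&self) -> u32 {
        self.state.lock().unwrap_or_else(|p| p.into_inner()).denials
    }

    pub fn is_poisoned(&self) -> bool {
        self.state.is_poisoned()
    }
}

/// Poison the mutex the way a crashed worker would: panic on another thread
/// while holding the guard. The unwinding drop of the guard marks it poisoned.
pub fn poison(anomaly: &Arc<Anomaly>) {
    let a = Arc::clone(anomaly);
    let worker = thread::spawn(move || {
        let _guard = a.state.lock().unwrap();
        panic!("worker crashed while holding the anomaly lock");
    });
    assert!(worker.join().is_err());
}

/// Records one denial, poisons the lock, then reports once through each path.
/// Returns (lossy result, hardened result, counter after both calls).
pub fn demo(threshold: u32) -> (Option<bool>, bool, u32) {
    let anomaly = Arc::new(Anomaly::new(threshold));
    anomaly.report_denial();
    poison(&anomaly);
    let lossy = anomaly.report_denial_lossy(); // None: the denial is lost
    let hardened = anomaly.report_denial(); // recorded; trips when count >= threshold
    (lossy, hardened, anomaly.denials())
}

fn main() {
    let (lossy, hardened, count) = demo(2);
    println!("after poison: lossy={:?} hardened={} count={}", lossy, hardened, count);
}
```

The caveat that matters when applying this elsewhere: `into_inner()` hands back data that a panicking thread may have left mid-update, so it is only the right call where the protected state is trivially consistent (a counter, a timestamp) or the recovery path re-validates it; for richer state, reset it before continuing.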
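An added illustration of the `executors.rs` deny-list extension, written for this page and not the project's own code: a hypothetical `is_denied` check that carries the three new IPv4 ranges and unwraps the IPv4 address embedded in a 6to4 (`2002::/16`) literal before applying the IPv4 rules. It goes beyond what the PR lists by also unwrapping IPv4-mapped (`::ffff:a.b.c.d`) and IPv4-compatible (`::a.b.c.d`) literals and by including the usual RFC 1918, loopback and link-local blocks, so the 6to4 case is shown against a complete list rather than in isolation.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Deny-list check for an outbound target. Hypothetical helper, not the SDK's own.
pub fn is_denied(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_denied_v4(v4),
        IpAddr::V6(v6) => is_denied_v6(v6),
    }
}

/// True when `ip` falls inside `net/prefix`.
fn in_v4_block(ip: Ipv4Addr, net: Ipv4Addr, prefix: u32) -> bool {
    let mask = if prefix == 0 { 0 } else { u32::MAX << (32 - prefix) };
    (u32::from(ip) & mask) == (u32::from(net) & mask)
}

fn is_denied_v4(ip: Ipv4Addr) -> bool {
    const BLOCKS: [(Ipv4Addr, u32); 8] = [
        (Ipv4Addr::new(0, 0, 0, 0), 8),      // 0.0.0.0/8 "this" network
        (Ipv4Addr::new(10, 0, 0, 0), 8),     // RFC 1918
        (Ipv4Addr::new(100, 64, 0, 0), 10),  // RFC 6598 CGNAT
        (Ipv4Addr::new(127, 0, 0, 0), 8),    // loopback
        (Ipv4Addr::new(169, 254, 0, 0), 16), // link-local, cloud metadata endpoints
        (Ipv4Addr::new(172, 16, 0, 0), 12),  // RFC 1918
        (Ipv4Addr::new(192, 168, 0, 0), 16), // RFC 1918
        (Ipv4Addr::new(198, 18, 0, 0), 15),  // RFC 2544 benchmarking
    ];
    BLOCKS.iter().any(|&(net, prefix)| in_v4_block(ip, net, prefix))
}

fn is_denied_v6(ip: Ipv6Addr) -> bool {
    // An IPv6 literal can smuggle an IPv4 target; unwrap it and apply the v4 rules.
    if let Some(v4) = embedded_v4(ip) {
        return is_denied_v4(v4);
    }
    let s = ip.segments();
    ip.is_loopback()
        || ip.is_unspecified()
        || (s[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (s[0] & 0xffc0) == 0xfe80 // fe80::/10 link-local
}

/// Extracts the IPv4 address carried by a 6to4 (2002::/16), IPv4-mapped
/// (::ffff:a.b.c.d) or IPv4-compatible (::a.b.c.d) address.
fn embedded_v4(ip: Ipv6Addr) -> Option<Ipv4Addr> {
    if let Some(v4) = ip.to_ipv4_mapped() {
        return Some(v4);
    }
    let s = ip.segments();
    if s[0] == 0x2002 {
        // 6to4: bits 16..48 are the IPv4 address of the tunnel endpoint.
        let [a, b] = s[1].to_be_bytes();
        let [c, d] = s[2].to_be_bytes();
        return Some(Ipv4Addr::new(a, b, c, d));
    }
    if s[..6] == [0; 6] && !(s[6] == 0 && s[7] <= 1) {
        // IPv4-compatible form (deprecated, RFC 4291 2.5.5.1); :: and ::1 are excluded.
        let [a, b] = s[6].to_be_bytes();
        let [c, d] = s[7].to_be_bytes();
        return Some(Ipv4Addr::new(a, b, c, d));
    }
    None
}

fn main() {
    // Constructed sample literals covering the three new ranges and the 6to4 wrap.
    let samples = ["100.64.0.1", "198.18.0.1", "0.0.0.0", "2002:a00:1::",
                   "::ffff:169.254.169.254", "8.8.8.8", "2001:4860:4860::8888"];
    for lit in samples.iter() {
        let ip: IpAddr = lit.parse().expect("valid literal");
        println!("{:>24} -> {}", lit, if is_denied(ip) { "DENY" } else { "allow" });
    }
}
```

The check is only half of an SSRF defence: it has to run on the address actually connected to, after DNS resolution and on every redirect hop, or a hostname that resolves to `2002:a00:1::` walks straight past a string-level filter.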