Summary
PR #607 adds runtime configuration for the one-shot token library (AWF_ONE_SHOT_TOKENS), which addresses secret leaking via getenv() (path 1 of the attack surface identified in githubnext/gh-aw-security#62).
However, two additional exposure paths remain unmitigated:
1. /proc/self/environ bypasses LD_PRELOAD
The kernel exposes all environment variables of a process through /proc/self/environ. Reading this file directly bypasses getenv() entirely, so the LD_PRELOAD one-shot token library cannot intercept it.
```bash
cat /proc/self/environ | tr '\0' '\n' | grep COPILOT_GITHUB_TOKEN
```

2. Docker Compose file contains plaintext tokens
AWF writes sensitive tokens (e.g., COPILOT_GITHUB_TOKEN) in plaintext into the generated docker-compose.yml at /tmp/awf-*/docker-compose.yml. Since the host filesystem is mounted into the container at /host, the agent can read:

```bash
cat /host/tmp/awf-*/docker-compose.yml | grep -A 2 COPILOT_GITHUB_TOKEN
```

Proposed Mitigations
- /proc/self/environ: Mount procfs with restricted access, or overwrite sensitive env vars in the process environment before executing the agent command (after the legitimate consumer has read them).
- Docker Compose file: Either:
  - Remove/redact sensitive values from the compose file after containers start
  - Use Docker secrets instead of environment variables
  - Restrict the /host mount to exclude /tmp/awf-*
  - Make the workdir path inaccessible from within the container
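The second /proc/self/environ mitigation (scrub the variable after the legitimate consumer has read it, before exec'ing the agent) as an added C example; this is not AWF code, and the launcher shape and the use of COPILOT_GITHUB_TOKEN as the scrubbed name are assumptions. It also covers the caveat that unsetenv() alone only protects the exec'd child: the launcher's own /proc/<pid>/environ still shows the exec-time block, so the value bytes are overwritten in place as well.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Zero the value of NAME in place, then drop the entry from environ.
 * unsetenv() is enough for the process we exec() next; the in-place
 * overwrite is what clears the launcher's own /proc/<pid>/environ.
 * Returns 1 if NAME was found and scrubbed, 0 otherwise. */
int scrub_env(const char *name) {
    size_t n = strlen(name); int found = 0;
    for (char **e = environ; e && *e; e++) {
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=') {
            volatile char *p = *e + n + 1;   /* entries from setenv()/exec are writable */
            while (*p) *p++ = '\0';
            found = 1;
        }
    }
    if (found) unsetenv(name);
    return found;
}

/* Does /proc/self/environ still carry a non-empty NAME=value?
 * Returns 1 if so, 0 if absent or empty, -1 if procfs is unavailable. */
int proc_environ_has_value(const char *name) {
    FILE *f = fopen("/proc/self/environ", "rb");
    if (!f) return -1;
    static char buf[1 << 16];
    size_t len = fread(buf, 1, sizeof buf, f), n = strlen(name), i = 0;
    fclose(f);
    while (i < len) {                         /* entries are NUL-separated */
        size_t end = i;
        while (end < len && buf[end] != '\0') end++;
        if (end - i > n + 1 && strncmp(buf + i, name, n) == 0 && buf[i + n] == '=')
            return 1;
        i = end + 1;
    }
    return 0;
}

/* Hypothetical launcher: consume the token, scrub it, then exec the agent. */
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s agent-cmd [args...]\n", argv[0]); return 2; }
    const char *tok = getenv("COPILOT_GITHUB_TOKEN");   /* legitimate consumer reads it here */
    if (tok) fprintf(stderr, "launcher consumed a %zu-byte token\n", strlen(tok));
    scrub_env("COPILOT_GITHUB_TOKEN");                 /* nothing after this point can read it */
    execvp(argv[1], argv + 1);
    perror("execvp"); return 1;
}
```

Procfs mount restrictions (the first mitigation) are still needed for tokens other processes in the same PID namespace hold, since this only cleans the launcher's own environment.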
Related
- PR #607: feat: add runtime configuration for one-shot token protection via AWF_ONE_SHOT_TOKENS
- githubnext/gh-aw-security#62: COPILOT_GITHUB_TOKEN exposed in Docker Compose environment configuration