Security context

What an agent needs to avoid regressing past fixes and find the next vuln in this repo.

google/nsjail
master @ d6454b4
7
Fixes
0
CVEs
HIGH
Peak severity
Highlights
Sandbox Escape: 3 prior fixes. Scrutinize any change in this area.
configs/imagemagick-convert.cfg: most-fixed (1 issue). Treat as high-risk during review.
6 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns

The bug types that recur here, drawn from past fixes, not open vulnerabilities.

Sandbox Escape: Flaws in the compilation and validation of seccomp rules, such as overwriting policy strings or omitting architecture validations, can lead to complete sandbox escapes. Ensuring all policies are properly concatenated and validated prevents restricted system calls from being exposed.
SSRF: Improper validation of guest network traffic forwarding in nstun can allow forged loopback, IPv4-compatible, or v4-mapped IPv6 destination addresses to bypass security rules and trigger SSRF attacks.
Auth Bypass: Sharing file offsets of Kafel policy files across child processes can lead to incorrect sandbox application, resulting in a bypass of security restrictions. Opening policy files directly in the child processes mitigates this.