Highlights
Auth Bypass: 17 prior fixes. Scrutinize any change in this area.
extensions/controllers/sandboxclaim_controller.go: most-fixed (9 issues). Treat as high-risk during review.
26 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns
The bug types that recur here, drawn from past fixes, not open vulnerabilities.
Auth Bypass: The controller previously adopted unowned resources or updated Pods/Services without verifying owner references or namespace boundaries, allowing malicious tenants to hijack sandbox resources.
Privilege Escalation: Lack of strict validation on user-supplied metadata allowed attackers to inject privileged system labels (e.g., app=sandbox-router) or leverage default ServiceAccount token mounts to escalate privileges in the cluster.
SSRF: The sandbox router and its Python/Go client connectors were vulnerable to SSRF by automatically following redirects or dialing unchecked loopback, local, or arbitrary gateway IP addresses.