[security-audit-agent] Security Audit Findings — 2026-06-01#69
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rosa-regional-platform-ci The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Warning Review limit reached
More reviews will be available in 57 minutes and 46 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Hi @rosa-regional-platform-ci. Thanks for your PR. I'm waiting for a openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with Tip We noticed you've done this a few times! Consider joining the org to skip this step and gain Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/ok-to-test |
|
Superseded by #75 (2026-06-15 consolidated audit). |
Security Audit — rosa-regional-platform-cli
Date: 2026-06-01
Auditor: Automated security-audit-agent
Method: Full static analysis of all Go source files, Lambda handler, CLI commands, test infrastructure
Action required: Triage each finding. This PR does not contain fixes — it communicates security issues for owner review.
HIGH Findings
HIGH-1 — Lambda Handler Logs Full Event Payload to CloudWatch
File:
internal/lambda/handler.goline 38Risk: Infrastructure topology, cluster names, and OIDC issuer URLs exposed in CloudWatch logs
The Lambda handler prints the complete incoming event struct to stdout on every invocation. Lambda stdout is sent to CloudWatch Logs. The event contains sensitive infrastructure details: cluster names, OIDC issuer URLs, thumbprints, and potentially IAM role ARNs. CloudWatch Logs are often accessible to a broader set of principals than the Lambda function itself, and log data persists based on the retention policy.
Attack vector:
logs:GetLogEventspermission on the Lambda log group (e.g., via compromised developer credentials, overly permissive IAM role, or accidental CloudWatch public access).Mitigation:
HIGH-2 — SHA-1 Used for OIDC Provider Thumbprint Calculation
File:
internal/crypto/thumbprint.golines 1–54Risk: Cryptographic weakness in OIDC trust anchor calculation
The OIDC provider thumbprint is computed using SHA-1, which is cryptographically broken for collision resistance. While AWS IAM currently requires SHA-1 thumbprints for OIDC provider registration (a legacy AWS limitation), this creates a dependency on SHA-1's continued relative security for the integrity of the OIDC trust chain.
Attack vector: A SHA-1 chosen-prefix collision attack (demonstrated feasible since 2019 with SHAttered and similar research) could allow an attacker to craft a certificate with a SHA-1 thumbprint matching a legitimate OIDC CA. If AWS expands OIDC validation beyond thumbprint matching (e.g., full certificate verification), this dependency becomes more dangerous. More immediately, any tooling that re-verifies thumbprints using SHA-1 is vulnerable.
Mitigation:
MEDIUM Findings
MED-1 — Cluster Configuration Output Files Written with World-Readable Permissions (0644)
File:
internal/commands/cluster/create.golines 197, 243Risk: Local information disclosure — other users on the same host can read cluster configuration
The
--output-fileand--dry-runflags write cluster configuration JSON to disk with permission0644(owner read/write, group read, others read). The configuration contains IAM role ARNs, VPC IDs, subnet IDs, and cluster metadata — information that enables targeted reconnaissance.Note the inconsistency: the API URL config file in
internal/config/config.goline 92 correctly uses0600. The cluster output file should match this pattern.Attack vector: On a shared bastion host or developer workstation, another local user (or a compromised process running as a different user) reads the world-readable output file and extracts VPC topology and IAM role ARNs.
Mitigation: Change to
0600:MED-2 — URL Query Parameters Not Properly Encoded (Potential Injection)
File:
internal/commands/cluster/list.golines 95–98Risk: Malformed query strings if status value contains special characters; potential API-level injection
The
statusquery parameter is appended withouturl.QueryEscape()orurl.Values.Encode(). If the status value contains&,=,#, or other URL-special characters (e.g., from shell globbing, tab completion, or an attacker providing a crafted value), the resulting URL is malformed or injects additional query parameters.Attack vector: User passes
--status "active&admin=true". The API receives?status=active&admin=true, potentially matching a query parameter the API interprets differently. Depending on API routing logic, this could bypass filters or trigger unintended behavior.Mitigation:
MED-3 — API Error Responses Printed Verbatim to User Output
Files:
internal/services/cluster/service.goline 257internal/commands/cluster/list.goline 152Risk: Server-side error messages containing internal details exposed to users and logged
The full API response body is included in error messages. If the server returns stack traces, internal endpoint names, database errors, or configuration details in error responses, these are surfaced directly to the CLI user and written to any CLI output logs.
Mitigation:
error.message).MED-4 — SSRF Risk in Login Command — URL Not Restricted to External Hosts
File:
internal/commands/login/login.golines 40–66Risk: CLI can be directed to send authentication requests to internal AWS metadata service or cluster-internal endpoints
The URL validation only checks the scheme. It does not block:
http://169.254.169.254/(AWS EC2 metadata service)http://127.0.0.1:8080/(local services)http://10.0.0.1/(VPC-internal services)Attack vector:
rosactl login --url http://169.254.169.254/latest/api/token.Mitigation:
*.rosa.aws.amazon.com).LOW Findings
LOW-1 — Config Directory Created with World-Readable Permissions (0755)
File:
internal/config/config.goline 44Risk: Other local users can enumerate the existence of the
.rosactl/config directoryWhile the config file is correctly created with
0600, the directory is world-readable and world-executable (0755). On a shared system, any user can list the directory contents, see that the config file exists, and determine thatrosactlis installed and configured.Mitigation: Use
0700for the config directory:LOW-2 — Hardcoded Test Credentials in Test Infrastructure
File:
test/localstack/lambda_test.golines 65, 413–414Risk: Establishes a pattern of hardcoded credentials in the codebase; accidental promotion to production
These are dummy LocalStack credentials and not real AWS credentials. However, the pattern of hardcoding credential values in source files — even dummy ones — normalizes the practice and increases the risk that a future developer will hardcode a real credential.
Mitigation: Source test credentials from environment variables with documented defaults for local development:
LOW-3 — No Audit Logging for Security-Critical CLI Operations
Files:
internal/commands/cluster/create.go,internal/commands/cluster/delete.goRisk: No local or remote audit trail for cluster lifecycle operations
The CLI does not log security-critical operations (cluster creation, deletion, IAM role attachment) to a local audit log or structured output. In a shared environment or CI/CD context, this makes it impossible to reconstruct who ran which command, when, and with what parameters.
Mitigation: Write structured JSON audit records to
~/.rosactl/audit.log(with0600permissions) for all mutation operations. Include: timestamp, operation, user identity (from AWS STS caller identity), cluster ID, and exit status.LOW-4 — Environment Variables for AWS Region/Profile Not Validated
File:
internal/aws/session.golines 14–20Risk: Attacker with environment control can redirect AWS API calls to unintended regions
No validation that the region is a valid AWS region string. An attacker who controls the environment (e.g., via a malicious Makefile include, compromised shell profile, or container environment injection) could set
ROSACTL_REGIONto a value that causes the AWS SDK to behave unexpectedly.Mitigation: Validate the region format matches the AWS region pattern (
^[a-z]{2}-[a-z]+-\d$) before passing it to the SDK.This audit was generated by the security-audit-agent on 2026-06-01. Findings reflect the state of the repository at the time of analysis.