fix(sandbox): post-merge audit — exit codes, reserved dsts, root-uid, egress tests #103
Claude / Claude Code Review
completed
Apr 23, 2026 in 12m 32s
Code review found 2 important issues
Found 6 candidates, confirmed 2. See review comments for details.
Details
| Severity | Count |
|---|---|
| 🔴 Important | 2 |
| 🟡 Nit | 0 |
| 🟣 Pre-existing | 0 |
| Severity | File:Line | Issue |
|---|---|---|
| 🔴 Important | internal/sandbox/docker.go:39-51 | Reserved-path mount check is bypassable via parent-directory mount |
| 🔴 Important | cmd/run_container.go:280-286 | Cobra dumps usage block on every non-zero container exit (missing SilenceUsage) |
Annotations
Check failure on line 51 in internal/sandbox/docker.go
claude / Claude Code Review
Reserved-path mount check is bypassable via parent-directory mount
validateContainerDst at internal/sandbox/docker.go:276-283 only rejects mounts on a reserved path or its descendants — not on its ancestors. A user can run `agent-vault run --sandbox=container --mount /tmp/evil:/usr/local/sbin -- claude` to shadow the image's baked-in `/usr/local/sbin/entrypoint.sh` (and `init-firewall.sh`) with attacker-controlled scripts that ENTRYPOINT then runs as PID 1 (root) with NET_ADMIN/NET_RAW/SETUID/SETGID/KILL caps **before** init-firewall.sh installs the iptables eg
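A hardened form of the reserved-path check, added here as an illustration and not the project's own validateContainerDst (the function name and the reserved list are assumptions): it rejects a destination that equals, lies under, or sits above a reserved path, after cleaning the path so `..` segments cannot dodge the comparison.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Reserved container paths that a user-supplied mount must never shadow.
// Constructed for this illustration; the real list lives in the project.
var reservedDsts = []string{
	"/usr/local/sbin/entrypoint.sh",
	"/usr/local/sbin/init-firewall.sh",
}

// isAncestorOrSame reports whether p equals q or is a parent directory of q.
func isAncestorOrSame(p, q string) bool {
	if p == q || p == "/" {
		return true
	}
	return strings.HasPrefix(q, p+"/")
}

// checkReservedDst rejects a mount destination that is a reserved path,
// lies under one (descendant), or sits above one (ancestor): mounting over
// an ancestor replaces the whole subtree, reserved file included.
// Hypothetical hardened check, not the project's validateContainerDst.
func checkReservedDst(dst string) error {
	if !path.IsAbs(dst) {
		return fmt.Errorf("mount destination %q must be absolute", dst)
	}
	clean := path.Clean(dst) // collapses "..", "." and duplicate slashes
	for _, r := range reservedDsts {
		switch {
		case isAncestorOrSame(clean, r):
			return fmt.Errorf("mount destination %q would shadow reserved path %q", dst, r)
		case isAncestorOrSame(r, clean):
			return fmt.Errorf("mount destination %q is inside reserved path %q", dst, r)
		}
	}
	return nil
}

func main() {
	for _, d := range []string{"/usr/local/sbin", "/usr/local/sbin/../sbin", "/workspace", "/usr/local/sbinx"} {
		fmt.Printf("%-28s -> %v\n", d, checkReservedDst(d))
	}
}
```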
Check failure on line 286 in cmd/run_container.go
claude / Claude Code Review
Cobra dumps usage block on every non-zero container exit (missing SilenceUsage)
On the ExitCodeError path at `cmd/run_container.go:284`, the code sets `cmd.SilenceErrors = true` but not `cmd.SilenceUsage`. Cobra v1.10.2 gates the `UsageString()` print independently of `SilenceErrors`, so every non-zero container exit (e.g. `vault run -- pytest` returning 1/2/5, or the PR's own `exit 42` repro) will dump the full `Usage: agent-vault vault run [flags] -- <command> [args...]` help block to stderr before exiting with the right code — directly defeating the PR's stated CI motiva