[Security] Credential & plugin trust — safe secret handling and plugin signature verification before dlopen #150

Open
opened 2026-07-03 10:29:59 +00:00 by jabber.developer2 · 0 comments
Collaborator

Trust boundaries for credentials and external code: safe eval_password spawning + passphrase zeroization, and a plugin signature/checksum trust model before dlopen.

Part of #144. Decision legend: M must-do, C could-do, W won't-do (this cycle); investigate = verify the problem is real / scope it before implementing.

Subtasks & findings

T13 — Secret handling (eval_password PATH; passphrase wipe)

Owner: Either · Decision: M / C · Effort: ~0.5–1d

Drop G_SPAWN_SEARCH_PATH; add explicit_bzero wipe helper.

  • REQ-AUTH-05 (medium · m / c) — eval_password spawned with G_SPAWN_SEARCH_PATH (PATH hijack)
    • Evidence: account.c:149
    • Fix: Drop G_SPAWN_SEARCH_PATH / require absolute argv[0]; warn on relative; doc note on back-compat
    • Maps to: NIST PR.AA-01/PR.AA-05; ISO A.8.2/A.5.17
  • REQ-AUTH-06 (medium · c) — Account/eval/PGP passphrases freed without non-elidable wipe
    • Evidence: account.c:184-185; session.c:581,591; gpg.c:79,104,108
    • Fix: Add a portable explicit_bzero helper (+ configure probe); wipe over length before free at ~6 sites
    • Maps to: NIST PR.DS-01/PR.AA-01/PR.PS-01; ISO A.5.17/A.8.3/A.8.24

T16 — Plugin trust model (verify before dlopen + doc)

Owner: Either · Decision: M / C · Effort: ~3–4d

Signature/checksum verify before dlopen, https+VERIFY, perms, trust-boundary doc.

  • REQ-EXT-04 (high · m) — Plugin install accepts http, disables TLS verify under tls_policy=trust, dlopens with no signature check
    • Evidence: cmd_funcs.c:7019; http_download.c:120-156; plugins.c:198-218; common.c:234-243
    • Fix: Require https + force VERIFY*=1; verify signature/checksum before dlopen; chmod 0600 installed files; document full-privilege trust model (shares https helper with REQ-EXT-01, chmod with REQ-AUTH-01)
    • Maps to: NIST GV.SC/PR.AA-05/PR.PS-01; ISO A.5.23/A.8.25/A.8.19; CIS 2.6/16.5
  • REQ-SUP-06 (medium · c) — Plugin/AI-provider dependency trust boundary undocumented
    • Evidence: no plugin/AI supply-chain trust-boundary doc
    • Fix: Document dlopen'd full-privilege plugins + user-configured TLS-validated AI providers (overlaps REQ-CIS-08 PROVIDERS doc)
    • Maps to: NIST GV.SC-04/ID.RA-09; ISO A.5.19/A.8.30; CIS 15.1

Checklist

T13 — Secret handling (eval_password PATH; passphrase wipe)

  • REQ-AUTH-05 · medium · M — eval_password spawned with G_SPAWN_SEARCH_PATH (PATH hijack)
  • REQ-AUTH-06 · medium · C — Account/eval/PGP passphrases freed without non-elidable wipe

T16 — Plugin trust model (verify before dlopen + doc)

  • REQ-EXT-04 · high · M — Plugin install accepts http, disables TLS verify under tls_policy=trust, dlopens with no signature check
  • REQ-SUP-06 · medium · C — Plugin/AI-provider dependency trust boundary undocumented
Trust boundaries for credentials and external code: safe eval_password spawning + passphrase zeroization, and a plugin signature/checksum trust model before dlopen. Part of #144. Decision legend: **M** must-do, **C** could-do, **W** won't-do (this cycle); *investigate* = verify the problem is real / scope it before implementing. ## Subtasks & findings ### T13 — Secret handling (eval_password PATH; passphrase wipe) _Owner:_ Either · _Decision:_ M / C · _Effort:_ ~0.5–1d Drop G_SPAWN_SEARCH_PATH; add explicit_bzero wipe helper. - **REQ-AUTH-05** (medium · _m / c_) — eval_password spawned with G_SPAWN_SEARCH_PATH (PATH hijack) - Evidence: `account.c:149` - Fix: Drop G_SPAWN_SEARCH_PATH / require absolute argv[0]; warn on relative; doc note on back-compat - Maps to: NIST PR.AA-01/PR.AA-05; ISO A.8.2/A.5.17 - **REQ-AUTH-06** (medium · _c_) — Account/eval/PGP passphrases freed without non-elidable wipe - Evidence: `account.c:184-185; session.c:581,591; gpg.c:79,104,108` - Fix: Add a portable explicit_bzero helper (+ configure probe); wipe over length before free at ~6 sites - Maps to: NIST PR.DS-01/PR.AA-01/PR.PS-01; ISO A.5.17/A.8.3/A.8.24 ### T16 — Plugin trust model (verify before dlopen + doc) _Owner:_ Either · _Decision:_ M / C · _Effort:_ ~3–4d Signature/checksum verify before dlopen, https+VERIFY, perms, trust-boundary doc. - **REQ-EXT-04** (high · _m_) — Plugin install accepts http, disables TLS verify under tls_policy=trust, dlopens with no signature check - Evidence: `cmd_funcs.c:7019; http_download.c:120-156; plugins.c:198-218; common.c:234-243` - Fix: Require https + force VERIFY*=1; verify signature/checksum before dlopen; chmod 0600 installed files; document full-privilege trust model (shares https helper with REQ-EXT-01, chmod with REQ-AUTH-01) - Maps to: NIST GV.SC/PR.AA-05/PR.PS-01; ISO A.5.23/A.8.25/A.8.19; CIS 2.6/16.5 - **REQ-SUP-06** (medium · _c_) — Plugin/AI-provider dependency trust boundary undocumented - Evidence: `no plugin/AI supply-chain trust-boundary doc` - Fix: Document dlopen'd full-privilege plugins + user-configured TLS-validated AI providers (overlaps REQ-CIS-08 PROVIDERS doc) - Maps to: NIST GV.SC-04/ID.RA-09; ISO A.5.19/A.8.30; CIS 15.1 ## Checklist **T13 — Secret handling (eval_password PATH; passphrase wipe)** - [ ] **REQ-AUTH-05** · medium · M — eval_password spawned with G_SPAWN_SEARCH_PATH (PATH hijack) - [ ] **REQ-AUTH-06** · medium · C — Account/eval/PGP passphrases freed without non-elidable wipe **T16 — Plugin trust model (verify before dlopen + doc)** - [ ] **REQ-EXT-04** · high · M — Plugin install accepts http, disables TLS verify under tls_policy=trust, dlopens with no signature check - [ ] **REQ-SUP-06** · medium · C — Plugin/AI-provider dependency trust boundary undocumented
jabber.developer added the
Kind/Security
Priority
Medium
3
labels 2026-07-03 10:32:13 +00:00
jabber.developer added this to the Plans (2025-2026) project 2026-07-03 10:32:19 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: devs/cproof#150
No description provided.