Skip to content

Restrict sandbox auth bypass and audit sandbox routes#40

Open
fallintoplace wants to merge 2 commits into
microsoft:mainfrom
fallintoplace:fix-sandbox-auth-exposure
Open

Restrict sandbox auth bypass and audit sandbox routes#40
fallintoplace wants to merge 2 commits into
microsoft:mainfrom
fallintoplace:fix-sandbox-auth-exposure

Conversation

@fallintoplace

@fallintoplace fallintoplace commented Jul 4, 2026

Copy link
Copy Markdown

Why

The /api/sico/sandbox prefix was globally excluded from authentication and Casbin, leaving dashboard/admin sandbox endpoints exposed.

What changed

  • Removed the blanket /api/sico/sandbox auth exclusion.
  • Kept auth bypass only for machine-to-machine endpoints:
    • POST /api/sico/sandbox/apply
    • POST /api/sico/sandbox/release
  • Added a route audit test to catch future regressions where any other /api/sico/sandbox/* route becomes public.

Security impact

This restores JWT + Casbin enforcement for control-plane routes (list/reset/assign/unassign, VNC URLs, emulator proxy streams/APIs), preventing unauthenticated access to sandbox management/proxy capabilities.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant