
Feat extra security for hosts

Open tofarr opened this issue 1 year ago • 0 comments

By default, disallowing access to the server by any domain except localhost

  • [X] Include this change in the Release Notes. If checked, you must provide an end-user friendly description for your change below

I figure the LLM API key is the crown jewels of what an intruder would want to steal / exploit with openhands. (Assuming they can't figure a way to escape the docker sandbox).

We recently changed over from using local storage to save config including API keys to using a server-side settings store. Given that the stock openhands version has no concept of users or authentication, we need to prevent access to it by default from any domain except localhost. Although the LLM keys cannot be retrieved, sessions could be created by any remote machine with network access - since docker is not firewalled by default on mac at least.

After this change:

  • We check that each request has an approved host
  • By default, approved hosts are 'localhost' and '127.0.0.1'
  • Approved hosts can be overridden in the configuration
  • A wildcard of '*' can be used to approve any host

To run this PR locally, use the following command:

docker run -it --rm \
  -p 3000:3000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --add-host host.docker.internal:host-gateway \
  -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:478a22e-nikolaik \
  --name openhands-app-478a22e \
  docker.all-hands.dev/all-hands-ai/openhands:478a22e

tofarr avatar Dec 26 '24 19:12 tofarr
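The per-request host check the PR describes (default allow list of 'localhost' and '127.0.0.1', an override from configuration, and a '*' wildcard), written out as an added Python example; this is not the OpenHands implementation, and the function names, the comma-separated configuration string and the port/IPv6 handling are assumptions made for the illustration:

```python
"""Host allow-list check modelled on the PR description.

Added example, not OpenHands' own code. The comma-separated config
format, the helper names and the port/IPv6 handling are assumptions.
"""
from __future__ import annotations

# Defaults named in the PR: only loopback names are approved.
DEFAULT_APPROVED_HOSTS = ("localhost", "127.0.0.1")


def parse_approved_hosts(setting: str | None) -> frozenset[str]:
    """Parse a comma-separated override (assumed config format).

    Empty or missing setting -> the PR's defaults.  A '*' entry
    approves any host.  Entries are lower-cased for comparison.
    """
    if not setting or not setting.strip():
        return frozenset(DEFAULT_APPROVED_HOSTS)
    return frozenset(h.strip().lower() for h in setting.split(",") if h.strip())


def host_from_header(host_header: str | None) -> str | None:
    """Return the hostname from a Host header, without the port.

    Accepts only the plain 'host[:port]' and '[ipv6][:port]' forms;
    anything else (missing header, extra characters, non-numeric port)
    yields None so the caller fails closed.
    """
    if not host_header:
        return None
    value = host_header.strip()
    if not value or any(c in value for c in "/@?#\\ \t"):
        return None
    if value.startswith("["):                       # IPv6 literal, e.g. [::1]:3000
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    if rest and not (rest.startswith(":") and rest[1:].isdigit()):
        return None
    return host.lower() or None


def is_approved_host(host_header: str | None, approved: frozenset[str]) -> bool:
    """Decide whether a request carrying this Host header may proceed."""
    if "*" in approved:                             # wildcard: approve any host
        return True
    hostname = host_from_header(host_header)
    return hostname is not None and hostname in approved
```

Note that the IPv6 loopback '::1' is not in the PR's default list, so a request made over IPv6 loopback is rejected unless it is added to the configured hosts. A Host-header check limits which names a browser can reach the server under; it is not authentication, because a direct client chooses its own Host header, so binding the published port to loopback still matters.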