secure_agent_envs/CHANGELOG.md
guessthepw 26501daa4e Fix critical security vulnerabilities from audit
- Rustup: Download script to temp file with shebang/size validation
  before execution, matching mise/ollama pattern (line 1119)

- SKIP_EXPORTS: Refactor from embedded shell commands to base64-encoded
  list decoded safely in VM, eliminating injection risk (line 478)

- Playwright symlink: Validate path is executable and within expected
  cache directory before creating system symlinks (line 1053)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-25 09:34:24 -05:00

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.9.0] - 2025-01-25

Security

  • Fix rustup pipe-to-shell vulnerability: now downloads to temp file with validation before execution
  • Fix SKIP_EXPORTS command injection risk: refactored to use base64-encoded list instead of shell command string
  • Fix Playwright symlink path validation: validates executable and path prefix before creating symlinks
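
The rustup fix above replaces a pipe-to-shell install with download, validate, then execute. The sketch below is an added example, not this project's code: the function names, the accepted shebangs and the `MIN_BYTES`/`MAX_BYTES` bounds are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the project's script). Bounds below are assumed values.
MIN_BYTES=100        # smaller than this is likely an error body or truncation
MAX_BYTES=1048576    # an installer script should not be larger than 1 MiB

# validate_installer FILE: return 0 only if FILE looks like a shell installer.
validate_installer() {
    local file=$1 size first_line
    # Regular file only; refuse symlinks so the checked path is the executed one.
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    size=$(wc -c < "$file") || return 1
    size=$((size))   # normalise: some wc implementations pad with spaces
    [ "$size" -ge "$MIN_BYTES" ] && [ "$size" -le "$MAX_BYTES" ] || return 1
    # The first line must be a shell shebang; an HTML error page fails here.
    IFS= read -r first_line < "$file" || return 1
    case $first_line in
        '#!/bin/sh'*|'#!/bin/bash'*|'#!/usr/bin/env sh'*|'#!/usr/bin/env bash'*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# fetch_and_run URL: download fully to a private temp file, validate, execute.
# With "curl | sh" the shell runs lines as they arrive, so a dropped connection
# can execute half a script; here nothing runs until the whole body is on disk.
fetch_and_run() {
    local url=$1 tmp rc
    tmp=$(mktemp) || return 1    # mktemp creates the file with mode 0600
    if curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$url" \
        && validate_installer "$tmp"; then
        sh "$tmp"; rc=$?
    else
        echo "installer failed download or validation: $url" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

The shebang and size checks catch truncated downloads and error pages, but they do not authenticate the script; integrity still depends on HTTPS or on a checksum as used for binary downloads in 0.5.0.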

[0.8.0] - 2025-01-25

Added

  • Project memory system using CLAUDE.md, CHANGELOG.md, and README.md
  • Versioning rules and documentation update guidelines in CLAUDE.md

[0.7.0] - 2025-01-25

Added

  • CHANGELOG.md with version history following Keep a Changelog format

[0.6.0] - 2025-01-25

Changed

  • All tools now use latest versions by default instead of pinning specific versions
  • PostgreSQL authentication uses scram-sha-256 for all TCP connections
  • Simplified tool installation by removing version pinning constraints

Security

  • VNC passwords are never stored and must be entered each time
  • Added documentation for input validation patterns and safe config loading

[0.5.0] - 2025-01-25

Security

  • Prevents shell injection through input validation and safe parameter passing
  • Replaces direct sourcing with manual config parsing to avoid code execution
  • Downloads and validates install scripts before execution instead of piping
  • Uses base64 encoding for secure VM parameter transmission
  • Adds checksum verification for binary downloads
  • Creates secure temporary directories and files with proper permissions

[0.4.0] - 2025-01-25

Changed

  • Replaces sequential installation with parallel step execution
  • Introduces real-time progress dashboard with spinner and status
  • Removes color variables to improve terminal compatibility
  • Restructures logging with per-step files for better debugging

Performance

  • Significantly reduces total setup time by running independent steps concurrently

[0.3.0] - 2025-01-25

Added

  • Dual-mode operation: orchestration on macOS, provisioning on Linux
  • Interactive component selection with visual menu interface
  • VNC desktop access for OAuth workflows and browser-based tasks

Security

  • Secure VM creation with disabled host filesystem access

[0.2.0] - 2025-01-25

Added

  • OrbStack development sandbox setup script
  • mise version manager with Node.js, Erlang, and Elixir support
  • PostgreSQL 16 with remote access configuration
  • Claude Code integration with multiple plugin marketplaces
  • Chromium browser and Playwright for automation tasks

[0.1.0] - 2025-01-25

Added

  • Initial project structure