coily pkg uv run accepts an arbitrary /tmp script path - arbitrary code execution through the gate #10

Open
opened 2026-05-23 20:53:57 +00:00 by coilysiren · 0 comments

Originally filed by @coilysiren on 2026-05-21T13:33:46Z - https://github.com/coilysiren/coily/issues/312

Symptom - Audit log shows coily pkg uv run /tmp/jobs_failure2.py and coily pkg uv run /tmp/step_log.py executing successfully. coily pkg uv run PATH will run any script the caller can write to disk, including the /tmp temp tier. That is arbitrary code execution laundered through the gate, and it is not intentional.

Two audit rows from the galaxy-gen deploy investigation (commit 2ff7583):

```
coily://1779136638/AGPDZTVM - coily pkg uv run /tmp/jobs_failure2.py
coily://1779136648/AGPDZTWW - coily pkg uv run /tmp/jobs_failure2.py
```

Why this matters - The whole point of the lockdown is that privileged and code-running surfaces are constrained. uv run against an arbitrary path is a general-purpose Python interpreter. Allowing it through coily pkg means any agent that can write a file can execute it with no further gate. The temp tier is the worst case because /tmp is exactly where an agent stages scratch code.

cli-guard already shipped an engine-level arbitrary-code-execution deny (cli-guard#87). This path appears to slip past it - either coily pkg is not routed through that deny, or uv run PATH is not classified as code execution.

Expected - coily pkg uv run should not accept a free-form script path. Either deny uv run with a path argument outright, or restrict it to project-rooted paths (no /tmp, no absolute paths outside the repo). Decide alongside the cli-guard engine-level deny so the two stay consistent.
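An added example (not code from the coily or cli-guard projects) of the gate check this issue asks for, written from the defender's side. It implements both proposed policies for `coily pkg uv run`: refuse any path argument outright, or accept only paths that resolve inside the project root and outside the `/tmp` temp tier, with `..` and symlinks resolved first so a relative path cannot wander out of the repo. It then runs that policy over audit rows in the `<ref> - <command>` shape quoted above, so the same logic doubles as a retrospective scan of the log. The project root `/srv/galaxy-gen`, the function names and the rows marked CONSTRUCTED are assumptions made here; the first two rows are the ones quoted in the issue.

```python
"""Gate-side check for `coily pkg uv run ...` path arguments (added example)."""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from pathlib import Path

# Temp tiers that are never an acceptable script source. Resolved so a
# symlinked /tmp (e.g. /private/tmp on macOS) is matched as well. Only /tmp
# is named in the issue; extend the tuple for your own environment.
TEMP_TIERS = tuple(Path(p).resolve() for p in ("/tmp",))

UV_RUN_PREFIX = ["coily", "pkg", "uv", "run"]


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def _looks_like_path(arg: str) -> bool:
    """Treat anything with a separator, a .py suffix, or '.'/'..' as a path.

    Option values such as `--with-requirements /tmp/reqs.txt` are caught too:
    the gate fails closed instead of modelling uv's full option grammar.
    """
    return "/" in arg or arg.endswith(".py") or arg in (".", "..")


def check_uv_run(args: list[str], project_root: str, mode: str = "project-rooted") -> Verdict:
    """Decide whether the arguments given to `uv run` are acceptable.

    mode="deny-paths":     any path-looking argument is refused.
    mode="project-rooted": every path-looking argument must resolve (after
                           following symlinks and `..`) inside project_root
                           and outside the temp tiers.
    Arguments that do not look like paths (an installed entry point such as
    `pytest`) are outside the scope of this check and pass through.
    """
    root = Path(project_root).resolve()
    for arg in args:
        if not _looks_like_path(arg):
            continue
        if mode == "deny-paths":
            return Verdict(False, f"path argument not permitted: {arg}")
        # Path joining discards `root` when `arg` is absolute, so relative and
        # absolute arguments are handled by the same line.
        resolved = (root / arg).resolve()
        for tier in TEMP_TIERS:
            if resolved.is_relative_to(tier):
                return Verdict(False, f"{arg} resolves into temp tier {tier}")
        if not resolved.is_relative_to(root):
            return Verdict(False, f"{arg} resolves outside project root: {resolved}")
    return Verdict(True, "no path argument escapes the project root")


def scan_audit_rows(rows: list[str], project_root: str, mode: str = "project-rooted") -> list[tuple[str, str]]:
    """Return (audit ref, reason) for every `coily pkg uv run` row the policy would deny."""
    findings: list[tuple[str, str]] = []
    for row in rows:
        ref, sep, command = row.partition(" - ")
        if not sep:
            continue  # not in the "<ref> - <command>" shape
        argv = shlex.split(command)
        if argv[: len(UV_RUN_PREFIX)] != UV_RUN_PREFIX:
            continue  # some other coily invocation
        verdict = check_uv_run(argv[len(UV_RUN_PREFIX):], project_root, mode)
        if not verdict.allowed:
            findings.append((ref.strip(), verdict.reason))
    return findings


PROJECT_ROOT = "/srv/galaxy-gen"  # CONSTRUCTED: repo checkout location

# First two rows are quoted from the issue; the remaining rows are CONSTRUCTED.
SAMPLE_ROWS = [
    "coily://1779136638/AGPDZTVM - coily pkg uv run /tmp/jobs_failure2.py",
    "coily://1779136648/AGPDZTWW - coily pkg uv run /tmp/jobs_failure2.py",
    "coily://0000000000/EXAMPLE01 - coily pkg uv run scripts/deploy.py",
    "coily://0000000000/EXAMPLE02 - coily pkg uv run ../../tmp/step_log.py",
    "coily://0000000000/EXAMPLE03 - coily pkg uv run pytest",
]

if __name__ == "__main__":
    for ref, reason in scan_audit_rows(SAMPLE_ROWS, PROJECT_ROOT):
        print(f"DENY {ref}: {reason}")
```

Run against the sample rows, both quoted `/tmp` invocations and the constructed `../../tmp/step_log.py` row are denied, while `scripts/deploy.py` (project-rooted) and `pytest` (no path at all) pass. The check resolves paths before comparing them on purpose: a lexical prefix test on the raw argument would accept `../../tmp/x.py` or a repo-local symlink pointing into `/tmp`.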

Keywords: coily pkg, uv run, arbitrary code execution, temp tier, lockdown escape hatch, cli-guard engine deny

Reference
coilyco-bridge/coily#10