Summary
A container isolation boundary issue was reproduced: token-like environment material is observable across same-UID process boundaries via `/proc/<pid>/environ`.
No secret value was copied or disclosed. Validation used key presence and length-only checks.
Boundary Violation Type
- Process isolation / environment secrecy boundary leak
- Same-UID process A can inspect sensitive env entries of process B through `/proc`
Methodology (value-redacted)
Focused deep dive on environment-variable isolation:
- Enumerated environment keys (`env`/`printenv`/`export -p`) without values.
- Built runner PID census and checked `/proc/<pid>/environ` for key presence only.
- Measured length-only for `AWF_ONE_SHOT_TOKENS` (non-zero) across multiple PIDs.
- Ran differential control:
  - inherited sibling process -> key visible
  - `env -i` clean-room sibling -> key absent
- Sampled short-lived process with synthetic marker and observed repeated external visibility via `/proc` during process lifetime.
Evidence (sanitized)
- `AWF_ONE_SHOT_TOKENS` key present in multiple runner-owned processes.
- Length-only metric was consistently non-zero (`len=159`) in token-bearing processes.
- Clean-room process (`env -i`) did not expose the key.
- Thread-level surface (`/proc/<pid>/task/<tid>/environ`) also showed key presence for sampled tasks.
Reproduction Steps
- Start two sibling processes:
  - one normal inherited env
  - one with `env -i PATH="$PATH" ...`
- Read `/proc/<pid>/environ` from another same-UID process and extract key names only.
- Compare key presence for `AWF_ONE_SHOT_TOKENS`.
- Optionally compute value length only (do not print value).
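The methodology and reproduction steps above, as an added example that is not part of the original report: a Python audit that reads `/proc/<pid>/environ` for every process the caller is allowed to inspect, keeps only key presence and value length (the value bytes are discarded inside the parser), and runs the inherited-vs-clean-room differential control by spawning two `sleep` siblings, one with the marker in its inherited environment and one with an `env -i PATH="$PATH"` style environment. The marker key `SECRET_DIGGER_MARKER` and its value are constructed for this example and are not a real token; the script name `audit_environ.py` is likewise an assumption.

```python
#!/usr/bin/env python3
"""Value-redacted audit of environment-key exposure via /proc/<pid>/environ.

Added example, not part of the original report: reports key presence and
value length only and never stores or prints a value.
"""
import os
import subprocess
import sys
import time
from pathlib import Path

# Synthetic marker for the differential control; constructed for this
# example, not a real token.
MARKER_KEY = "SECRET_DIGGER_MARKER"
MARKER_VALUE = "m" * 32


def parse_environ(blob: bytes) -> dict:
    """Map each key in a NUL-separated KEY=VALUE blob to the length of its value.

    Only lengths leave this function; the value bytes are discarded.
    """
    lengths = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if not sep or not key:
            continue  # empty trailing entry, or malformed entry without a key or '='
        lengths[key.decode("utf-8", "replace")] = len(value)
    return lengths


def find_key(environs: dict, key: str) -> list:
    """Return sorted (pid, value_length) pairs for every environ blob that carries key."""
    hits = []
    for pid, blob in environs.items():
        lengths = parse_environ(blob)
        if key in lengths:
            hits.append((pid, lengths[key]))
    return sorted(hits)


def read_proc_environs(proc_root: str = "/proc") -> dict:
    """Read /proc/<pid>/environ for every process the caller may inspect.

    EACCES (different UID or non-dumpable process) and races with exiting
    processes are skipped; kernel threads yield an empty blob.
    """
    environs = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            environs[int(name)] = Path(proc_root, name, "environ").read_bytes()
        except OSError:
            continue
    return environs


def differential_control(key: str, value: str) -> dict:
    """Spawn an inherited-env sibling and an env -i style clean-room sibling.

    Returns {"inherited": bool, "clean_room": bool}: whether each sibling's
    environ exposed `key` to this same-UID process.
    """
    inherited_env = dict(os.environ, **{key: value})
    clean_env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}  # like env -i PATH="$PATH"
    inherited = subprocess.Popen(["sleep", "5"], env=inherited_env)
    clean = subprocess.Popen(["sleep", "5"], env=clean_env)
    try:
        time.sleep(0.2)  # let both children finish exec so environ reflects the final image
        hits = dict(find_key(read_proc_environs(), key))
        return {"inherited": inherited.pid in hits, "clean_room": clean.pid in hits}
    finally:
        for child in (inherited, clean):
            child.kill()
            child.wait()


if __name__ == "__main__":
    # Usage: audit_environ.py [KEY]   (defaults to the key named in the report)
    target = sys.argv[1] if len(sys.argv) > 1 else "AWF_ONE_SHOT_TOKENS"
    for pid, length in find_key(read_proc_environs(), target):
        print(f"pid={pid} key={target} present len={length}")  # length only, never the value
    print("differential control:", differential_control(MARKER_KEY, MARKER_VALUE))
```

On a Linux host the differential control returns `{"inherited": True, "clean_room": False}`, which is the same split the report observed: the kernel's standard procfs access check lets any same-UID process read `/proc/<pid>/environ`, so the audit sees every inherited-env sibling, while the `env -i` sibling never carried the key in the first place.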
Expected
Sensitive token-like env entries should not be readable cross-process within the container, or should be protected with stronger `/proc` isolation semantics.
Actual
Same-UID cross-process reads can detect token-like key presence and non-zero payload length via `/proc/<pid>/environ`.
Version
- gh-aw version: `v0.67.2` (from lock metadata/header context)
- Lock metadata also shows `compiler_version: v0.67.2` and no explicit `cli_version` field
- Workflow run: `24149568565`
Generated by Secret Digger (Codex)