Security audit — ActDebug v0.4.0
Date: 2026-06-21 (initial) · Updated: 2026-06-21 (full remediation)
Scope: HTTP API, engines, UI, extension, scripts
Severity
Found
Fixed / mitigated
Critical
2
2
High
4
4
Medium
6
6
Low
5
5
Informational
4
4 (accepted product behavior, documented)
Total findings: 21 — all addressed.
ActDebug remains intentional code execution for CI debugging. Hardening ensures that capability stays on loopback, behind optional auth, with supply-chain and DoS guardrails.
ID
Issue
Fix
C1
Non-loopback bind → unauthenticated RCE
assertLoopbackHost(); ACTDEBUG_INSECURE_BIND=1 requires ACTDEBUG_TOKEN
C2
Localhost CSRF
Block non-loopback Origin/Referer + per-boot X-ActDebug-CSRF token on mutating requests
ID
Issue
Fix
H1
Full process.env leaked to act
lib/host-env.js allowlist
H2
Symlink sandbox escape
realpathSync + re-check
H3
DOM XSS in data-step-id
escapeHtml() on attributes
H4
Weak session IDs
crypto.randomBytes
ID
Issue
Fix
M1
YAML bomb
JSON_SCHEMA + size cap + depth/anchor limits
M2
Matrix DoS
MAX_MATRIX_LEGS (256)
M3
Step/job DoS
MAX_WORKFLOW_STEPS (500), MAX_WORKFLOW_JOBS (50)
M4
ACTDEBUG_ALLOWED_ROOTS
Requires ACTDEBUG_TRUST_EXTRA_ROOTS=1; extra roots must stay under $HOME unless ACTDEBUG_ALLOW_ANY_ROOT=1; max 8
M5
uses: supply chain
lib/action-trust.js — block third-party actions unless ACTDEBUG_TRUST_REMOTE_ACTIONS=1 or trustRemoteActions: true
M6
Docker socket privilege
Startup warning; operators must trust workflows
ID
Issue
Fix
L1
Health info disclosure
Minimal /api/health by default; full details only with valid token
L2
Path leakage in errors
sanitizeErrorMessage() on all API errors
L3
Weak rate limits
Global + expensive-op limiter (lib/rate-limit.js)
L4
Sentinel control dir races
Per-session in-container mount path containerControlMount(sessionId)
L5
Extension server URL
Localhost-only + http(s) only + actdebug.apiToken
Informational (accepted, documented)
ID
Item
Stance
I1
Arbitrary workflow execution
Core feature — user chooses YAML to run
I2
Shell mode on host
Fallback — prefer act+Docker; warning when shell engine active
I3
No TLS on localhost
Normal for local dev; use token if tunneling
I4
In-memory sessions
By design — no persistence
Optional but recommended for tunnels or insecure bind:
export ACTDEBUG_TOKEN=" $( openssl rand -hex 24) "
npm start
Clients send header: X-ActDebug-Token: <token>
Web UI prompts once and stores in sessionStorage
VS Code: actdebug.apiToken setting
When ACTDEBUG_INSECURE_BIND=1, token is mandatory .
npm test # includes test/security-audit.js (12 checks)
npm audit # 0 dependency vulnerabilities
File
Role
lib/security.js
Sandbox, limits, host bind, errors
lib/auth.js
Token auth
lib/action-trust.js
uses: allowlist
lib/host-env.js
Child process env
lib/rate-limit.js
DoS limits
test/security-audit.js
Regression tests