Skip to content

Security: FirstIntegral/actdebug

Security

docs/SECURITY.md

Security audit — ActDebug v0.4.0

Date: 2026-06-21 (initial) · Updated: 2026-06-21 (full remediation)
Scope: HTTP API, engines, UI, extension, scripts


Executive summary

Severity Found Fixed / mitigated
Critical 2 2
High 4 4
Medium 6 6
Low 5 5
Informational 4 4 (accepted product behavior, documented)

Total findings: 21 — all addressed.

ActDebug remains intentional code execution for CI debugging. Hardening ensures that capability stays on loopback, behind optional auth, with supply-chain and DoS guardrails.


Critical (fixed)

ID Issue Fix
C1 Non-loopback bind → unauthenticated RCE assertLoopbackHost(); ACTDEBUG_INSECURE_BIND=1 requires ACTDEBUG_TOKEN
C2 Localhost CSRF Block non-loopback Origin/Referer + per-boot X-ActDebug-CSRF token on mutating requests

High (fixed)

ID Issue Fix
H1 Full process.env leaked to act lib/host-env.js allowlist
H2 Symlink sandbox escape realpathSync + re-check
H3 DOM XSS in data-step-id escapeHtml() on attributes
H4 Weak session IDs crypto.randomBytes

Medium (fixed)

ID Issue Fix
M1 YAML bomb JSON_SCHEMA + size cap + depth/anchor limits
M2 Matrix DoS MAX_MATRIX_LEGS (256)
M3 Step/job DoS MAX_WORKFLOW_STEPS (500), MAX_WORKFLOW_JOBS (50)
M4 ACTDEBUG_ALLOWED_ROOTS Requires ACTDEBUG_TRUST_EXTRA_ROOTS=1; extra roots must stay under $HOME unless ACTDEBUG_ALLOW_ANY_ROOT=1; max 8
M5 uses: supply chain lib/action-trust.js — block third-party actions unless ACTDEBUG_TRUST_REMOTE_ACTIONS=1 or trustRemoteActions: true
M6 Docker socket privilege Startup warning; operators must trust workflows

Low (fixed)

ID Issue Fix
L1 Health info disclosure Minimal /api/health by default; full details only with valid token
L2 Path leakage in errors sanitizeErrorMessage() on all API errors
L3 Weak rate limits Global + expensive-op limiter (lib/rate-limit.js)
L4 Sentinel control dir races Per-session in-container mount path containerControlMount(sessionId)
L5 Extension server URL Localhost-only + http(s) only + actdebug.apiToken

Informational (accepted, documented)

ID Item Stance
I1 Arbitrary workflow execution Core feature — user chooses YAML to run
I2 Shell mode on host Fallback — prefer act+Docker; warning when shell engine active
I3 No TLS on localhost Normal for local dev; use token if tunneling
I4 In-memory sessions By design — no persistence

Authentication

Optional but recommended for tunnels or insecure bind:

export ACTDEBUG_TOKEN="$(openssl rand -hex 24)"
npm start

Clients send header: X-ActDebug-Token: <token>

  • Web UI prompts once and stores in sessionStorage
  • VS Code: actdebug.apiToken setting

When ACTDEBUG_INSECURE_BIND=1, token is mandatory.


Operator checklist

  • Keep bind on 127.0.0.1
  • Set ACTDEBUG_TOKEN if exposing port via tunnel
  • Use Docker/act engine for untrusted workflows
  • Only enable ACTDEBUG_TRUST_REMOTE_ACTIONS=1 when needed
  • Only enable ACTDEBUG_TRUST_EXTRA_ROOTS=1 with care

Tests

npm test   # includes test/security-audit.js (12 checks)
npm audit  # 0 dependency vulnerabilities

Key security files

File Role
lib/security.js Sandbox, limits, host bind, errors
lib/auth.js Token auth
lib/action-trust.js uses: allowlist
lib/host-env.js Child process env
lib/rate-limit.js DoS limits
test/security-audit.js Regression tests

There aren't any published security advisories