Skip to content

Broker GetKey only checks the /tee-daemon/ prefix — any attested tenant can derive another project's key #7

Description

@amiller

proxy/dstack_proxy.py GetKey filter only requires the path to start with /tee-daemon/; it does not bind the path to the requesting project. A tenant with broker access could request:

GetKey {"path":"/tee-daemon/projects/<other>/..."}

and derive another project's key (cross-tenant key derivation).

Current check (insufficient)

KEY_PATH_PREFIX = "/tee-daemon/"
...
if method == "GetKey":
    path = body.get("path", "")
    if not path.startswith(KEY_PATH_PREFIX):
        ... deny

Proposed direction

Scope GetKey to the requesting project (only allow /tee-daemon/projects/<this-project>/...). This needs the broker to know the caller's project identity — e.g. a per-project broker socket, or caller attribution.

Cross-reference: #3, #4.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingneeds-humanRequires a human decision; loop skipsp1High prioritysecuritycross-tenant / trust-boundary flaw

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions