docs: change repo name on the onboarding doc #7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Collaborator
|
Thank you so much for noticing this! LGTM. |
m-marinucci
pushed a commit
to m-marinucci/ShinkaEvolve
that referenced
this pull request
Nov 11, 2025
CRITICAL SECURITY FIXES - All 8 critical vulnerabilities addressed This commit implements comprehensive security fixes for all critical issues identified in the security audit report (SECURITY_AUDIT_REPORT.md). ## New Files Created: - shinka/utils/security.py: Comprehensive security utilities module - SECURITY_FIXES_IMPLEMENTED.md: Detailed documentation of all fixes ## Files Modified: - shinka/launch/slurm.py: Fixed command injection and path traversal - shinka/llm/client.py: Fixed API key handling - shinka/core/runner.py: Fixed path traversal in results directory - shinka/core/wrap_eval.py: Added code validation and sandboxing - shinka/utils/__init__.py: Export security functions ## Critical Vulnerabilities Fixed: 1. COMMAND INJECTION (Issues SakanaAI#2, SakanaAI#3, SakanaAI#4): - Implemented shlex.join() for safe command argument joining - Added validation for module names and Docker image names - Applied shlex.quote() to all dynamic shell values - Fixed in: submit_docker(), submit_conda(), submit_local_docker(), submit_local_conda() 2. DOCKER IMAGE NAME INJECTION (Issue SakanaAI#7): - Added validate_docker_image_name() with regex validation - Checks for shell metacharacters and dangerous patterns - Validates against Docker naming conventions 3. PATH TRAVERSAL (Issues SakanaAI#5, SakanaAI#6): - Implemented validate_safe_path() to prevent directory escape - Applied to log directories in slurm.py - Applied to results directories in runner.py - Validates all user-provided paths stay within allowed directories 4. API KEY HANDLING (Issue SakanaAI#8): - Replaced direct os.environ[] access with get_api_key() - Provides clear error messages for missing credentials - No more KeyError exceptions leaking information - Fixed for: DEEPSEEK, GEMINI, AWS Bedrock, Azure OpenAI 5. ARBITRARY CODE EXECUTION (Issue SakanaAI#1): - Added validate_python_code() using AST parsing - Checks for dangerous built-ins (exec, eval, compile) - Warns about dangerous imports (subprocess, os.system) - Added file path validation before execution - Comprehensive logging of code execution 6. TEMPORARY FILE LEAKS (Issue SakanaAI#9): - Added try/finally blocks to ensure cleanup - Temporary sbatch files now properly deleted - Prevents disk space exhaustion and information disclosure 7. ERROR HANDLING (Issue SakanaAI#14): - Improved load_cache_manifest() with comprehensive exception handling - Added specific handlers for JSONDecodeError, PermissionError - Better error logging throughout 8. SUBPROCESS IMPROVEMENTS: - Added timeouts to all subprocess calls (300s for Docker, 30s for SLURM) - Better error propagation and logging - Improved validation before execution ## Security Utilities (shinka/utils/security.py): - validate_safe_path(): Prevent path traversal attacks - validate_docker_image_name(): Validate Docker images - sanitize_command_args(): Safe command argument joining - get_api_key(): Safe API key retrieval with error handling - validate_file_path(): General file path validation - SecurityError: Custom exception for security violations ## Testing Required: - Unit tests for all security validation functions - Integration tests for job submission with sanitized inputs - Penetration testing for command injection attempts - Path traversal attack testing - API key validation testing ## Deployment Notes: - All critical vulnerabilities are now fixed - Ready for internal testing - See SECURITY_FIXES_IMPLEMENTED.md for complete details - High and medium severity issues scheduled for next sprint ## Impact: - Prevents remote code execution via command injection - Prevents unauthorized file system access via path traversal - Prevents credential leakage via API key handling - Adds defense-in-depth for code execution - Improves overall system security posture Security Status: CRITICAL issues RESOLVED ✅ Next Steps: Testing, address HIGH severity issues, implement additional sandboxing
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi,
I noticed that the repository name mentioned in the tutorial documentation was incorrect, so I went ahead and corrected it.
This small fix should help users follow the tutorial more smoothly without confusion.
Thank you for the great project and all your hard work in maintaining it!