Skip to content

fix: security and quality audit — 21 findings addressed#376

Open
lfarkas wants to merge 6 commits into
mainfrom
audit/security-quality-2026-04-11
Open

fix: security and quality audit — 21 findings addressed#376
lfarkas wants to merge 6 commits into
mainfrom
audit/security-quality-2026-04-11

Conversation

@lfarkas

@lfarkas lfarkas commented Apr 11, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Comprehensive security and code quality audit addressing 21 findings across 5 severity levels
  • 5 HIGH: Setup key exposure (SEC-01), GitHub Actions expression injection (SEC-02, CI-04), unpinned actions (SEC-03), AppArmor iptables gap (AA-03)
  • 11 MEDIUM: Input validation, env var restrictions, atomic file operations, exec for signal handling, AppArmor path/network gaps
  • 5 LOW/INFO: Archived action replaced, permissions hardened, dead code removed

Key Changes

  • Security: Setup key moved from CLI arg to NB_SETUP_KEY env var; expression injection vectors fixed with env: blocks; actions pinned to SHA f6f29a7; Docker image pinned by digest
  • Code Quality: Config migration with error handling; atomic resolv.conf rewrite; exec netbird up for proper S6 signal delivery
  • AppArmor: Added /sbin/** for iptables, /config/** for state files, network inet raw for ICMP, network unix stream for daemon socket
  • CI/CD: Replaced archived jitterbit/get-changed-files with native git diff; explicit permissions on all jobs
  • Config Schema: URLs validated as url? type; hostname regex enforced; env_vars require NB_ prefix (breaking change)

Breaking Changes

  • env_vars name regex changed from ^[A-Z_][A-Z0-9_]*$ to ^NB_[A-Z0-9_]+$ — users with non-NB_ prefixed variables must rename them

Not Fixed (2 findings)

  • CI-02 [LOW]: Container vulnerability scanning requires architectural discussion with HA builder
  • AA-02 [INFO]: Capabilities documentation (informational only)

Test Plan

  • shellcheck passes on run script (clean)
  • shellcheck on finish script shows only pre-existing warnings
  • All modified files verified via manual review
  • Plan compliance verified against audit plan
  • CI linter validation (will run on PR)
  • Manual testing on Home Assistant instance recommended for AppArmor changes

Full audit report: docs/reviews/CODEBASE_REVIEW_2026_04_11.md

Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added AppArmor support for NetBird, enabling required networking, WireGuard, eBPF, and filesystem access.
  • Bug Fixes

    • Improved configuration migration to prevent accidental overwrites and report failures clearly.
    • Corrected handling of unset URL and setup-key options.
    • Added secret redaction to startup logs.
    • Made DNS configuration updates safer and repeatable.
  • Maintenance

    • Pinned build and lint helper actions to fixed versions for more consistent workflow execution.

Copilot AI review requested due to automatic review settings April 11, 2026 06:30

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements a broad security/quality audit remediation for the NetBird Home Assistant add-on, focusing on secret handling, CI hardening, and runtime reliability/AppArmor compatibility.

Changes:

  • Hardens the add-on startup script (safer config migration, secret handling via NB_SETUP_KEY, redacted env var logging, atomic resolv.conf update, and exec for proper signal handling).
  • Strengthens supply-chain/CI security (pins helper actions to a SHA, adds explicit job permissions, replaces archived changed-files action usage with git diff, and reduces expression-injection exposure via env:).
  • Adds an AppArmor profile and pins the upstream NetBird image by digest.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run Improves startup security/reliability (setup key handling, env var validation/redaction, atomic resolv.conf update, exec).
netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/finish Removes dead code in the finish handler.
netbird/Dockerfile Pins NetBird base image by digest for supply-chain integrity.
netbird/config.yaml Tightens schema validation for URLs/hostname and restricts env vars to NB_ prefix.
netbird/apparmor.txt Introduces an AppArmor profile with broader execution/path/network permissions needed for the add-on.
docs/reviews/CODEBASE_REVIEW_2026_04_11.md Adds the audit report documenting findings and remediations.
.github/workflows/update-changelog.yaml Moves interpolated values into env: to reduce injection risk and improves robustness.
.github/workflows/lint.yaml Adds explicit permissions and pins helper action to a SHA.
.github/workflows/builder.yaml Adds explicit permissions, pins helper actions, uses git diff for changed files, and avoids direct ${{ }} interpolation in bash logic.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 54 to 60
bashio::log.info "Setup Key configured (hidden for security)"
options+=(--setup-key "${setup_key}")
export NB_SETUP_KEY="${setup_key}"
fi

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed: Added null check to setup_key (matching the existing log_level pattern on line 82). Now checks [ "${setup_key}" = "" ] || [ "${setup_key}" = "null" ].

Comment thread netbird/config.yaml
Comment on lines +33 to +36
admin_url: url?
management_url: url?
setup_key: str?
hostname: match(^[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?$)?

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed: Added null checks to admin_url and management_url. Both now check for both empty string and "null" literal, consistent with how log_level is handled.

Comment thread netbird/config.yaml
Comment on lines 39 to 41
env_vars:
- name: match(^[A-Z_][A-Z0-9_]*$)
- name: match(^NB_[A-Z0-9_]+$)
value: str

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed: Updated DOCS.md env_vars section to document the NB_ prefix requirement and explain the restriction.

Comment on lines +114 to +121
if ! grep -q '# systemd-resolved' /etc/resolv.conf 2>/dev/null; then
RESOLV_TMP=$(mktemp /tmp/resolv.conf.XXXXXX)
if { printf '# systemd-resolved\n'; cat /etc/resolv.conf; } > "${RESOLV_TMP}" \
&& mv -f "${RESOLV_TMP}" /etc/resolv.conf; then
bashio::log.debug "Prepended systemd-resolved marker to /etc/resolv.conf"
else
bashio::log.error "Failed to update /etc/resolv.conf for systemd-resolved workaround"
rm -f "${RESOLV_TMP}" 2>/dev/null

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed: Added mktemp failure guard. If mktemp fails, RESOLV_TMP is set to empty and the inner block is skipped with an error log.

@lfarkas lfarkas requested a review from shuuri-labs April 11, 2026 07:06
@shadow-identity

Copy link
Copy Markdown

Nice PR, maybe after it HA safety rating of this app will be raised from "orange" 3 to be closer to "green" Tailscale's 6.

lfarkas and others added 4 commits July 10, 2026 10:26
Address 21 findings from codebase audit:
- SEC-01: Move setup key from CLI arg to NB_SETUP_KEY env var
- SEC-02/CI-04: Fix GitHub Actions expression injection vectors
- SEC-03: Pin home-assistant/actions to commit SHA
- AA-03: Add /sbin/ to AppArmor for iptables execution
- SEC-05/06: Validate URLs, enforce NB_ prefix for env vars
- SEC-07: Pin Docker image by digest
- CQ-01/02/03: Error handling, atomic resolv.conf, exec for signals
- AA-04/05/06/07: AppArmor path and network rule gaps
- CI-01/03/05: Replace archived action, add permissions, fix patterns

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add null checks for optional config fields (setup_key, admin_url,
  management_url, hostname) matching existing log_level pattern
- Guard mktemp failure in resolv.conf workaround
- Document NB_ prefix requirement for env_vars in DOCS.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@lfarkas lfarkas force-pushed the audit/security-quality-2026-04-11 branch from 2938fbb to 8c2b2a5 Compare July 10, 2026 08:28
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The changes pin reusable workflow actions, add an AppArmor profile for NetBird, and revise startup handling for configuration migration, options, secrets, DNS configuration, and process execution.

Changes

NetBird hardening

Layer / File(s) Summary
Pin reusable workflow actions
.github/workflows/builder.yaml, .github/workflows/lint.yaml
Home Assistant helper actions are pinned to fixed commit SHAs instead of @master.
Add NetBird AppArmor policy
netbird/apparmor.txt
Adds capabilities, filesystem, network, WireGuard, eBPF, nftables, device, and logging permissions for NetBird.
Harden NetBird startup
netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run
Updates config migration, null-value handling, setup-key wiring, secret redaction, DNS marker handling, startup logging, and process execution.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Poem

A rabbit pinned actions tight,
And fenced NetBird by day and night.
Secrets hide, configs move with care,
DNS marks the path through air.
exec hops onward—out of sight!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects that this PR fixes audit findings and is directly related to the changes made.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch audit/security-quality-2026-04-11

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
netbird/apparmor.txt (2)

27-28: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider narrowing broad filesystem access paths.

/data/** rw and /config/** rw grant read-write access to entire directory trees. The run script only accesses /config/config.json (line 14) and /homeassistant/netbird/config.json (line 13). Narrowing these to the specific paths NetBird actually uses reduces the attack surface if the process is compromised.

For example, if only config.json needs to be read/written under /config/:

-  /config/** rw,
+  /config/config.json rw,
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@netbird/apparmor.txt` around lines 27 - 28, Replace the broad `/data/** rw`
and `/config/** rw` AppArmor rules with permissions limited to the specific
paths used by the run script: `/config/config.json` and
`/homeassistant/netbird/config.json`, preserving only the required read/write
access.

56-56: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider narrowing /proc/sys/net/** rw to specific sysctl paths.

Write access to all of /proc/sys/net/** allows modifying every network-related kernel parameter. If NetBird only writes to specific sysctls (e.g., /proc/sys/net/ipv4/ip_forward), restricting to those paths would limit unintended kernel parameter changes.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@netbird/apparmor.txt` at line 56, The AppArmor rule grants overly broad write
access to `/proc/sys/net/**`; replace it with write permissions for only the
specific sysctl paths NetBird modifies, such as `/proc/sys/net/ipv4/ip_forward`,
and remove the wildcard rule.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@netbird/apparmor.txt`:
- Around line 27-28: Replace the broad `/data/** rw` and `/config/** rw`
AppArmor rules with permissions limited to the specific paths used by the run
script: `/config/config.json` and `/homeassistant/netbird/config.json`,
preserving only the required read/write access.
- Line 56: The AppArmor rule grants overly broad write access to
`/proc/sys/net/**`; replace it with write permissions for only the specific
sysctl paths NetBird modifies, such as `/proc/sys/net/ipv4/ip_forward`, and
remove the wildcard rule.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8256e45a-1df1-488c-bae1-e94e136a9ff0

📥 Commits

Reviewing files that changed from the base of the PR and between 81613e9 and 8c2b2a5.

📒 Files selected for processing (4)
  • .github/workflows/builder.yaml
  • .github/workflows/lint.yaml
  • netbird/apparmor.txt
  • netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants