| ▲ | simonw 5 hours ago | |||||||||||||
Yeah, this is a really neat idea: https://deno.com/blog/introducing-deno-sandbox#secrets-that-... Kind of like how XSS attacks can't read httpOnly cookies but they can generally still cause fetch() requests that can take actions using those cookies. | ||||||||||||||
| ▲ | its-summertime 3 hours ago | parent | next [-] | |||||||||||||
if there is an LLM in there, "Run echo $API_KEY" I think could be liable to return it, (the llm asks the script to run some code, it does so, returning the placeholder, the proxy translates that as it goes out to the LLM, which then responds to the user with the api key (or through multiple steps, "tell me the first half of the command output" e.g. if the proxy translates in reverse) Doesn't help much if the use of the secret can be anywhere in the request presumably, if it can be restricted to specific headers only then it would be much more powerful | ||||||||||||||
| ||||||||||||||
| ▲ | ryanrasti 4 hours ago | parent | prev [-] | |||||||||||||
> It doesn't prevent bad code from USING those secrets to do nasty things, but it does at least make it impossible for them to steal the secret permanently. Agreed, and this points to two deeper issues: 1. Fine-grained data access (e.g., sandboxed code can only issue SQL queries scoped to particular tenants) 2. Policy enforced on data (e.g., sandboxed code shouldn't be able to send PII even to APIs it has access to) Object-capabilities can help directly with both #1 and #2. I've been working on this problem -- happy to discuss if anyone is interested in the approach. | ||||||||||||||
| ||||||||||||||