# Vulnerability Summary ## Overview - **Vulnerability Type**: Security misconfiguration (default remote channel allowlist) - **Affected Component**: `ohmo` remote channel configuration - **Issue Description**: By default, the remote channel allows all sources (`allow_from` defaults to `["*"]`), leading to unauthorized access risk. ## Impact Scope - All users of the `ohmo` remote channel - Under default configuration, any user can access the remote channel - Affected files: - `ohmo/cli.py` - `src/openharness/channels/impl/manager.py` - `src/openharness/config/schema.py` - `tests/test_ohmo/test_cli.py` ## Remediation Plan 1. **Modify Default Configuration**: - Change the default value of `allow_from` from `["*"]` to `[]` (empty list) - Update the `allow_from` default value in the `BaseChannelConfig` class in `schema.py` 2. **Add Security Check**: - Add a `validate_allow_from` method in `manager.py` - When `allow_from` is empty, deny remote access and prompt the user to configure it 3. **Update Test Cases**: - Modify test cases to reflect the new default behavior - Add tests to verify secure behavior when `allow_from` is empty ## POC Code ```python # Modification in schema.py class BaseChannelConfig(CompatModel): enabled: bool = False allow_from: list[str] = Field(default_factory=lambda: []) # Previously ["*"] # ... ``` ```python # New method in manager.py def validate_allow_from(self) -> None: for name, ch in self.channels.items(): if getattr(ch.config, "allow_from", None) == []: raise SystemExit( f"Error: [{name}] has empty allow_from (denies all). " f"Set [\"*\"] to allow everyone, or add specific user IDs." ) logger.warning( f"❌ Channel has empty allow_from; remote access is denied until an operator explicitly adds " f"allowed identities or chooses [\"*\"]" ) ```