
fix: route unknown-host machine unconstrained_delegation vulns to LLM exploit #314

Merged
l50 merged 1 commit into feat/more-attack-cov from feat/dreadgoad-uc-unknown-host
May 14, 2026

Conversation

l50 (Contributor) commented May 13, 2026

Key Changes:

  • Prevent silent dropping of machine-account unconstrained delegation vulns when host IP is unknown
  • Route unknown-host machine accounts to LLM exploit with distinct deduplication keys
  • Ensure deterministic coerce chain is used only when machine host IP is known
  • Added targeted tests to cover new fallback and host resolution logic

Added:

  • LLM fallback routing for machine accounts without known host IPs, assigning a unique dedup key to avoid collisions and ensuring exploits are attempted
  • Tests for unknown-host and known-host machine account scenarios, confirming correct fallback and host resolution behavior

Changed:

  • Host IP resolution logic for machine accounts now distinguishes between known and unknown hosts, with explicit fallback handling
  • Credentials and deduplication logic updated to support new fallback paths and avoid work item loss
  • Self-coerce loop prevention applied only to deterministic coerce chain, bypassed for LLM fallback paths

Removed:

  • Implicit dropping of machine-account unconstrained delegation vulns when host IP is missing, ensuring all valid work is surfaced

…missing host

**Added:**

- Added fallback logic to route machine-account unconstrained vulns with unknown host IP to LLM exploit with distinct dedup key, ensuring these work items are not silently dropped
- Added tests verifying LLM fallback for machine accounts with unknown hosts and that resolved hosts still use deterministic coerce path

**Changed:**

- Refactored host IP resolution and work item selection logic to distinguish between machine accounts with and without known host IPs, routing appropriately
- Updated comments for clarity on fallback and routing logic for unconstrained delegation vulnerabilities
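To make the routing rule described in this PR concrete, below is an added, self-contained Rust model of it. It is not the project's code (the page shows none of the diff) and every name in it is an assumption: the types `UcVuln`, `Route` and `WorkItem`, the functions `route`, `plan` and `sample`, the `listener_ip` parameter and the dedup-key formats are all invented here; the real logic lives in `unconstrained.rs`, which this page only names in the coverage report. The model shows the three outcomes the description lists: a machine account with a known host IP goes to the deterministic coerce chain (with the self-coerce guard applied there only), a machine account with no host IP goes to the LLM exploit under a key that cannot collide with either the coerce key or a user-account key, and exact duplicates are collapsed by key rather than lost.

```rust
// Added illustration of the routing rule in PR #314. Hypothetical types and
// names throughout; not the project's implementation.
use std::collections::HashSet;
use std::net::{IpAddr, Ipv4Addr};

/// Kind of account carrying the unconstrained delegation flag (hypothetical type).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AccountKind {
    User,
    Machine,
}

/// One unconstrained-delegation finding (hypothetical type).
#[derive(Debug, Clone)]
pub struct UcVuln {
    pub sam_account: String,
    pub kind: AccountKind,
    /// Resolved host IP for a machine account; None when resolution failed.
    pub host_ip: Option<IpAddr>,
}

/// The two execution paths the PR describes (hypothetical type).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Route {
    /// Deterministic coerce chain against a known host.
    DeterministicCoerce { target: IpAddr },
    /// LLM-driven exploit attempt.
    LlmExploit,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct WorkItem {
    pub dedup_key: String,
    pub route: Route,
}

/// Pick the route for one finding. `listener_ip` (assumed name) is the host
/// running the coercion listener; asking it to coerce itself is a self-coerce
/// loop, so that guard applies only on the deterministic path.
pub fn route(v: &UcVuln, listener_ip: IpAddr) -> Option<WorkItem> {
    match (&v.kind, v.host_ip) {
        (AccountKind::Machine, Some(ip)) => {
            if ip == listener_ip {
                return None; // self-coerce loop guard, deterministic path only
            }
            Some(WorkItem {
                dedup_key: format!("coerce:{}:{}", v.sam_account, ip),
                route: Route::DeterministicCoerce { target: ip },
            })
        }
        // The case this PR fixes: a machine account with no host IP used to
        // produce no work item at all. It now goes to the LLM path under a
        // key namespace separate from both coerce keys and user-account keys.
        (AccountKind::Machine, None) => Some(WorkItem {
            dedup_key: format!("llm:unknown-host:{}", v.sam_account),
            route: Route::LlmExploit,
        }),
        (AccountKind::User, _) => Some(WorkItem {
            dedup_key: format!("llm:user:{}", v.sam_account),
            route: Route::LlmExploit,
        }),
    }
}

/// Route a batch, keeping the first work item per dedup key.
pub fn plan(vulns: &[UcVuln], listener_ip: IpAddr) -> Vec<WorkItem> {
    let mut seen = HashSet::new();
    let mut out = Vec::new();
    for v in vulns {
        if let Some(item) = route(v, listener_ip) {
            if seen.insert(item.dedup_key.clone()) {
                out.push(item);
            }
        }
    }
    out
}

/// Constructed sample findings; the account names and addresses are made up.
pub fn sample() -> Vec<UcVuln> {
    let ip = |a, b, c, d| Some(IpAddr::V4(Ipv4Addr::new(a, b, c, d)));
    vec![
        UcVuln { sam_account: "SRV01$".into(), kind: AccountKind::Machine, host_ip: ip(10, 0, 0, 20) },
        UcVuln { sam_account: "SRV02$".into(), kind: AccountKind::Machine, host_ip: None },
        UcVuln { sam_account: "SRV02$".into(), kind: AccountKind::Machine, host_ip: None }, // duplicate
        UcVuln { sam_account: "DC01$".into(), kind: AccountKind::Machine, host_ip: ip(10, 0, 0, 5) }, // listener host
        UcVuln { sam_account: "svc_backup".into(), kind: AccountKind::User, host_ip: None },
    ]
}

fn main() {
    let listener = IpAddr::V4(Ipv4Addr::new(10, 0, 0, 5));
    for item in plan(&sample(), listener) {
        println!("{:<28} -> {:?}", item.dedup_key, item.route);
    }
}
```

The point of the key prefixes is the second bullet of the description: if the unknown-host fallback reused the same key shape as the coerce path (or as the user-account LLM path), a later dedup pass could discard it as "already handled", which is the same silent loss the PR removes, just moved one stage later.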
codecov bot commented May 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.70%. Comparing base (1d559f3) to head (6fb1b70).
⚠️ Report is 1 commit behind head on feat/more-attack-cov.


@@                  Coverage Diff                  @@
##           feat/more-attack-cov     #314   +/-   ##
=====================================================
  Coverage                 77.69%   77.70%           
=====================================================
  Files                       439      439           
  Lines                    121368   121414   +46     
=====================================================
+ Hits                      94294    94340   +46     
  Misses                    27074    27074           
Files with missing lines                               Coverage           Δ
...s-cli/src/orchestrator/automation/unconstrained.rs   90.74% <100.00%>   +0.40% ⬆️

@l50 l50 merged commit b08d333 into feat/more-attack-cov May 14, 2026
12 checks passed
@l50 l50 deleted the feat/dreadgoad-uc-unknown-host branch May 14, 2026 02:11
