fix(security): close API key timing-position leak and remote-UDF SSRF (spiceai#10757)

* docs: add product security audit report

Workspace-wide audit of auth, secrets, HTTP/Flight surface, AI/LLM tooling,
data connectors, and the container/build pipeline. Two critical findings
(non-constant-time API key compare; SSRF in remote UDF endpoint validation),
four high (MySQL preferred-mode TLS bypass, Vault tls_skip_verify on remote
hosts, AWS default credential chain unverified at init, no auth-failure rate
limiting), and a set of medium/low hardening items. Each finding cites
file:line and a fix.

https://claude.ai/code/session_01Xu4b9TS1UvGu4H1a7NxHKj

* fix(security): address critical findings from security audit (C1, C2)

C1 — runtime-auth API key allowlist iteration

The per-comparison code was already constant-time: ApiKey's PartialEq<str>
uses subtle::ct_eq, so per-byte timing does not leak key bytes. However,
HTTP, Flight basic, Flight bearer, and gRPC paths all used find / any to
search the configured key list, which short-circuits on the first
matching key. That leaks the *position* of the matching key (1
comparison vs N) and the existence of any match.

Replace find / any with a lookup helper that iterates over every
configured key on every call without short-circuiting; total verify time
is O(N) regardless of which key (if any) matched. Add tests covering
matches at first / middle / last positions and empty-credential
rejection on the Flight basic-auth path.

C2 — remote UDF endpoint SSRF

parse_endpoint previously validated only the URL scheme; any operator-
or LLM-influenced UDF declaration could target loopback, RFC1918, or
the cloud metadata service via 169.254.169.254 — a practical IAM
credential exfiltration path on any cloud deployment.

parse_endpoint now classifies the host:

  * IPv4 literals are rejected if loopback, RFC1918, link-local
    (covers AWS / GCP / Azure IMDS), multicast, broadcast, unspecified,
    or carrier-grade NAT (100.64.0.0/10).
  * IPv6 literals are rejected if loopback, unspecified, multicast,
    link-local (fe80::/10), unique-local (fc00::/7, covers
    fd00:ec2::254), or IPv4-mapped onto any of the above ranges.
  * A short list of conventional metadata hostnames (localhost,
    metadata, metadata.google.internal) is also blocked. Arbitrary
    hostnames are still allowed; resolving DNS at builder time
    introduces a TOCTOU/DNS-rebinding hole, so connect-time
    enforcement is tracked as follow-up work.
  * A new allow_private_endpoints: true param opts back in for trusted
    on-host services. Documented in the file header.

Tests cover the default rejection across 12 representative private
addresses (loopback, RFC1918, IMDS, IPv6 ULA, IPv4-mapped IPv6, etc.),
the explicit opt-in path, public-address acceptance, and an
invalid-opt-in-value rejection. Existing round-trip tests that bind a
mock HTTP server on 127.0.0.1 are routed through a new
with_loopback_optin helper so they keep working.

Also update docs/security_audit.md to reflect what was fixed and
correct the earlier claim that the per-comparison code was not
constant-time.

https://claude.ai/code/session_01Xu4b9TS1UvGu4H1a7NxHKj

* docs: remove security audit report

The audit report was a working artifact; the actionable items live in
the code changes (constant-time-position API key lookup, remote-UDF
SSRF allowlist) plus their tests. Remaining findings can be tracked as
issues rather than as in-tree documentation.

https://claude.ai/code/session_01Xu4b9TS1UvGu4H1a7NxHKj

* fix: address security PR review feedback

* fix: improve security checks for remote UDF endpoints and refactor IP validation logic

* fix: resolve ownership issues in IP validation logic for disallowed addresses

* fix: use CIDR allowlist for remote UDF endpoints

* fix: address final security review comments

* fix(security): reject pickle model weights by default; enforce RUSTSEC advisories in CI

Two follow-ups motivated by CVE-2026-7482 (Ollama heap OOB read in GGUF
tensor parsing). The CVE itself does not affect this codebase — Ollama
is not a dependency — but the bug class (malformed binary blob handed
to a complex parser) does apply to several places spiceai consumes.

1. Pickle weight rejection
   --------------------------------------------------------------------
   The .pt / .pth / .ckpt / .bin extensions are conventionally Python
   pickle in PyTorch's ecosystem, and pickle deserialization is RCE by
   design. The local-LLM file pipeline previously accepted whatever the
   operator pointed at and handed it straight to mistralrs's loader.
   Operators commonly download model weights from third-party Hugging
   Face repos, so a malicious .bin in such a repo would have run
   arbitrary Rust process code at load time.

   Add `llms::chat::reject_unsafe_weight_formats` and call it from
   `runtime::model::chat::file` before invoking `create_local_model`.
   The check refuses pickle-class extensions by default and accepts a
   new `params.trust_pickle: true` opt-in for operators who control
   the source. The check is case-insensitive and covers the four
   conventional pickle extensions. Five unit tests cover rejection,
   acceptance of safe formats, opt-in, case-insensitivity, and
   extensionless paths.

2. Enforce RUSTSEC advisories in CI
   --------------------------------------------------------------------
   The `[advisories]` block in deny.toml was schema-pre-v2 and CI only
   ran `cargo deny check licenses`. Upgrade the block to `version = 2`
   (cargo-deny v2 default semantics: vulnerability / unmaintained /
   unsound / notice all fail; yanked already explicitly denied), and
   add a second step in `license_check.yml` that runs
   `cargo deny check advisories`.

   This intentionally turns on enforcement without pre-populating
   `ignore` — the workspace currently has known findings (yanked
   crates, unmaintained warnings, and a small number of actual CVEs in
   transitive deps) that the team will want to triage explicitly rather
   than silently bypass.

https://claude.ai/code/session_01Xu4b9TS1UvGu4H1a7NxHKj

* fix: tighten remote UDF endpoint allowlist handling

* fix: correct typo in comment regarding PyTorch pickle file extensions

* fix: update dependencies in Cargo.lock and enhance ApiKeyAuth implementation

* fix: ungate Path import so reject_unsafe_weight_formats builds without local_llm

reject_unsafe_weight_formats and the in-module tests use Path / PathBuf
unconditionally, but the imports were gated behind feature = "local_llm".
The runtime integration test build (no local_llm feature) failed with
E0425 "cannot find type `Path` in this scope". Ungate Path, gate PathBuf
to local_llm or test so it isn't unused in lib builds.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: downgrade getrandom dependency from 0.4.1 to 0.3.4

* fix: filter remote UDF DNS results

* fix: update cargo-deny installation command and improve IP address checks for non-public endpoints

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix: specify cargo-deny version and improve error messages in remote functions

* fix: update global IP address check to allow 192.0.0.0/24 range

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: 3 people

.github/workflows/license_check.yml

@@ -52,7 +52,10 @@ jobs:
         uses: ./.github/actions/setup-rust
 
       - name: Install cargo-deny
-        run: cargo install cargo-deny || true
+        run: cargo install cargo-deny --version 0.19.6 --locked --force
 
       - name: Check Rust Licenses
         run: cargo deny check licenses
+
+      - name: Check Rust Advisories
+        run: cargo deny check advisories

Cargo.lock

@@ -24,9 +24,8 @@ use secrecy::SecretString;
 use snafu::ResultExt;
 use snafu::Snafu;
 use spicepod::component::model::ModelSource;
-#[cfg(feature = "local_llm")]
 use std::path::Path;
-#[cfg(feature = "local_llm")]
+#[cfg(any(feature = "local_llm", test))]
 use std::path::PathBuf;
 use std::pin::Pin;
 #[cfg(feature = "local_llm")]
@@ -157,6 +156,14 @@ pub enum Error {
     ))]
     ModelFileMissing { file_url: String },
 
+    #[snafu(display(
+        "Refusing to load model weight file '{path}': '.{extension}' is a Python pickle format \
+         that executes arbitrary code on load (CVE-class: untrusted pickle deserialization → RCE). \
+         Convert the model to `.safetensors` or `.gguf`, or set `params.trust_pickle: true` if the \
+         file source is fully trusted."
+    ))]
+    UnsafePickleWeight { path: String, extension: String },
+
     #[snafu(display(
         "Invalid parameters for model '{model}': {source} Verify the model parameters, and try again."
     ))]
@@ -759,3 +766,91 @@ pub async fn create_local_model(
     .await
     .map(|x| Arc::new(x) as Arc<dyn Chat>)
 }
+
+/// File extensions that are conventionally Python pickle by `PyTorch`'s
+/// ecosystem and that are unsafe to load from any source the operator
+/// does not fully trust. Pickle deserialization is RCE by design.
+const PICKLE_WEIGHT_EXTENSIONS: &[&str] = &["bin", "pt", "pth", "ckpt"];
+
+/// Reject any weight path whose extension lands in [`PICKLE_WEIGHT_EXTENSIONS`]
+/// unless the caller has explicitly opted in via `trust_pickle = true`.
+///
+/// `weights` is expected to be the same slice of paths that will be handed
+/// to the model loader. Returns [`Error::UnsafePickleWeight`] on the first
+/// match, so the message identifies the offending file.
+///
+/// # Errors
+///
+/// Returns [`Error::UnsafePickleWeight`] when `trust_pickle` is `false`
+/// and any path has a pickle-class extension.
+pub fn reject_unsafe_weight_formats<P: AsRef<Path>>(
+    weights: &[P],
+    trust_pickle: bool,
+) -> Result<()> {
+    if trust_pickle {
+        return Ok(());
+    }
+    for w in weights {
+        let path = w.as_ref();
+        if let Some(ext) = path.extension().and_then(|e| e.to_str()) {
+            let ext = ext.to_ascii_lowercase();
+            if PICKLE_WEIGHT_EXTENSIONS.contains(&ext.as_str()) {
+                return Err(Error::UnsafePickleWeight {
+                    path: path.to_string_lossy().into_owned(),
+                    extension: ext,
+                });
+            }
+        }
+    }
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn rejects_pickle_extensions_by_default() {
+        for ext in PICKLE_WEIGHT_EXTENSIONS {
+            let path = PathBuf::from(format!("/models/pytorch_model.{ext}"));
+            let err = reject_unsafe_weight_formats(&[path], false)
+                .expect_err(&format!("expected rejection for .{ext}"));
+            assert!(matches!(err, Error::UnsafePickleWeight { .. }));
+        }
+    }
+
+    #[test]
+    fn allows_safe_extensions() {
+        for ext in ["safetensors", "gguf", "ggml", "onnx"] {
+            let path = PathBuf::from(format!("/models/weights.{ext}"));
+            reject_unsafe_weight_formats(&[path], false)
+                .unwrap_or_else(|e| panic!("expected ok for .{ext}, got {e:?}"));
+        }
+    }
+
+    #[test]
+    fn opt_in_allows_pickle_extensions() {
+        let paths = [
+            PathBuf::from("/m/a.pt"),
+            PathBuf::from("/m/pytorch_model.bin"),
+        ];
+        reject_unsafe_weight_formats(&paths, true).expect("opt-in should allow pickle");
+    }
+
+    #[test]
+    fn extension_check_is_case_insensitive() {
+        let path = PathBuf::from("/m/Pytorch_Model.PT");
+        let err = reject_unsafe_weight_formats(&[path], false)
+            .expect_err("case-insensitive .PT must be rejected");
+        match err {
+            Error::UnsafePickleWeight { extension, .. } => assert_eq!(extension, "pt"),
+            other => panic!("unexpected error: {other:?}"),
+        }
+    }
+
+    #[test]
+    fn extensionless_path_is_ignored() {
+        let path = PathBuf::from("/m/no_extension_here");
+        reject_unsafe_weight_formats(&[path], false).expect("no extension → no rejection");
+    }
+}