We run a src-cli binary and exec code inside Docker images on a Firecracker VM in the executor service. If a user escapes the container, they could pull new images or replace the src-cli binary on the host. Since we invoke src-cli with a shared token back to the frontend (to enable privileged LSIF uploads without a sudo access token), a replaced binary could send that token elsewhere or make privileged requests to gitserver.
To mitigate this risk, the executor should verify that the Docker images and the src-cli binary have the checksums we expect before using them, and refuse to run them otherwise.