Results from LLM-based security review

[brendancol]

Hey @remi-braun, hope this find you well, just passing along two findings from a security scan I ran on eoreader using a popular LLM.

Below is LLM generated descriptions of the vulnerabilities.s

---

1. XXE in STAC metadata XML parsing (stac_product.py:294)

def _read_mtd_xml_stac(self, mtd_url, **kwargs) -> (etree._Element, dict):
    ...
    mtd_str = self.read_href(mtd_url, clients=self.clients)
    root = etree.fromstring(mtd_str)

mtd_url is a metadata href taken from a STAC Item that the user fetched over the network. The bytes returned by read_href are therefore attacker-influenced.

Reach

Triggered through the documented entry point:

1. User calls Reader().open(url) where url points to a STAC catalog or item (reader.py:605-620).
2. The JSON is parsed into a pystac.Item. Asset hrefs become mtd_url.
3. read_href(mtd_url) fetches the metadata XML.
4. etree.fromstring(mtd_str) parses with entity resolution and network fetches enabled.

This affects every STAC product variant that inherits from StacProduct: s2_e84, s2_mpc, hls, s1_rtc_asf, s1_rtc_mpc, and any future STAC subclass.

Impact

A hostile STAC catalog (or a hostile URL pasted by the user) can ship XML that:

• Reads local files via <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> and exposes them through the parsed product attributes.
• SSRFs internal services via entity URLs (cloud metadata endpoints, RFC1918 hosts).
• Exhausts memory through entity expansion (billion laughs).

---

2. Security: eval() reachable on unvalidated input via public compute_index API (bands/indices.py:151)

eoreader/bands/indices.py:151 calls eval(index)(bands) where index is a function parameter. The function compute_index is publicly exported (eoreader/bands/__init__.py:98, 114). A caller that passes an attacker-controlled string to compute_index gets remote code execution.

Vulnerable code

def compute_index(index: str, bands: dict, **kwargs) -> xr.DataArray:
    ...
    if hasattr(spyndex.indices, index):
        ...
    elif index in EOREADER_DERIVATIVES:
        ...
    else:
        index_arr = eval(index)(bands)

The else branch is reached when the input string is not in the spyndex catalog and not in EOREADER_DERIVATIVES. There is no allowlist gating the eval call inside compute_index itself.

Reach

The internal call path through Product.load(...) is safe: product.py:1178 filters band names through is_index(band) (which checks str(index) in get_all_index_names()) before they reach compute_index.

The risk is the public function. compute_index is exported in eoreader.bands.__all__ and documented as taking an index name string. A downstream application that passes user-controlled strings (config file, web request, CLI arg, notebook input) without re-implementing is_index first gets RCE. A payload such as __import__('os').system('...') fails the hasattr and dict-membership checks and falls into eval.

Impact

Arbitrary code execution in the host process whenever an unfiltered string reaches compute_index. The function's docstring does not warn that it evaluates strings, so a developer reading the API docs has no signal that pre-validation is required.

[brendancol]

Also, here is the prompt I used during the scan if you are interested:

Security Sweep: Dispatch subagents to audit modules for security vulnerabilities

Audit eoreader modules for security issues specific to a satellite-product
reader: archive extraction (zip / tar / SAFE bundles), XML parsing, file
path injection, HTTP / STAC fetching, credential exposure via env vars,
unbounded allocations on adversarial product metadata, and
permissive deserialization. Subagents fix CRITICAL, HIGH, and MEDIUM
severity issues via /rockout.

Optional arguments: $ARGUMENTS
(e.g. --top 3, --exclude s2,landsat, --only-optical, --reset-state)

---

Step 1 -- Gather module metadata via git and grep

Enumerate candidate modules:

Optical product modules: Every .py file directly under
eoreader/products/optical/, excluding __init__.py.

SAR product modules: Every .py file directly under
eoreader/products/sar/, excluding __init__.py.

Base / core modules: eoreader/products/product.py,
eoreader/products/custom_product.py, eoreader/products/stac_product.py,
eoreader/reader.py, eoreader/utils.py.

Subpackages: eoreader/bands/ and eoreader/stac/. Treat each as a
single audit unit. List all .py files within (excluding __init__.py).

For every module, collect:

Field	How
last_modified	git log -1 --format=%aI -- <path> (subpackages: most recent file)
total_commits	git log --oneline -- <path> | wc -l
loc	wc -l < <path> (subpackages: sum all files)
has_archive_io	grep file(s) for zipfile, tarfile, ZipFile, TarFile, extractall, extract(
has_xml_parse	grep for lxml, etree, ElementTree, fromstring, parse( on XML/HTML
has_file_io	grep for open(, os.path, pathlib, Path(, AnyPath
has_http	grep for requests, httpx, urlopen, pystac_client, pystac.read_file
runs_subprocess	grep for subprocess, os.system, shell=True, os.popen
reads_env	grep for os.environ, os.getenv, getenv(

Store results in memory -- do NOT write intermediate files.

Step 2 -- Load inspection state

Read .claude/sweep-security-state.csv.

If it does not exist, treat every module as never-inspected.

If $ARGUMENTS contains --reset-state, delete the file and treat
everything as never-inspected.

State file schema (one row per module):

module,last_inspected,issue,severity_max,categories_found,followup_issues,notes
s2,2026-04-10,1150,HIGH,1;2,,"optional single-line notes"

• categories_found and followup_issues are semicolon-separated integer
  lists (empty when null).
• notes is CSV-quoted; newlines must be flattened to spaces on write so
  every module stays exactly one line.

The file is registered with merge=union in .gitattributes, so two
parallel sweeps touching different modules auto-merge without conflict.
A transient duplicate-row state can occur after a merge if both branches
modified the same module; the read-update-write cycle in step 5 keys rows
by module and last-write-wins, so the next write cleans up.

Step 3 -- Score each module

days_since_inspected = (today - last_inspected).days   # 9999 if never
days_since_modified  = (today - last_modified).days

score = (days_since_inspected * 3)
      + (has_archive_io * 500)
      + (runs_subprocess * 450)
      + (has_xml_parse * 350)
      + (has_http * 300)
      + (has_file_io * 200)
      + (reads_env * 100)
      + (loc * 0.05)
      - (days_since_modified * 0.2)

Rationale:

• Archive extraction is the highest-blast-radius vector (zip-slip on SAFE
  bundles, tar-slip on bundled archives) (500)
• subprocess (SNAP-GPT, GDAL CLI tools) is a command-injection vector (450)
• XML parsing on third-party data (XXE, billion-laughs) (350)
• HTTP / STAC fetching (server-controlled responses; URL handling) (300)
• File path handling with user input (path traversal) (200)
• Env var reading (credential / config exposure) (100)
• Larger files have more surface area (0.05 per line)
• Recently modified slightly deprioritized

Step 4 -- Apply filters from $ARGUMENTS

• --top N -- only audit the top N modules (default: 3)
• --exclude mod1,mod2 -- remove named modules from the list
• --only-optical -- restrict to eoreader/products/optical/*.py
• --only-sar -- restrict to eoreader/products/sar/*.py
• --only-base -- restrict to product.py, custom_product.py,
  stac_product.py, reader.py, utils.py
• --only-stac -- restrict to eoreader/stac/, stac_product.py,
  any *_e84_product.py / *_mpc_product.py
• --only-bands -- restrict to eoreader/bands/

Step 5 -- Print the ranked table and launch subagents

5a. Print the ranked table

Print a markdown table showing ALL scored modules (not just selected ones),
sorted by score descending:

| Rank | Module       | Score  | Last Inspected | Archive | XML | HTTP | Subproc | LOC  |
|------|--------------|--------|----------------|---------|-----|------|---------|------|
| 1    | s2           | 30600  | never          | yes     | yes | no   | no      | 1400 |
| 2    | reader       | 30300  | never          | yes     | no  | yes  | no      |  800 |
| ...  | ...          | ...    | ...            | ...     | ... | ...  | ...     | ...  |

5b. Launch subagents for the top N modules

For each of the top N modules (default 3), launch an Agent in parallel using
isolation: "worktree" and mode: "auto". All N agents must be dispatched
in a single message so they run concurrently.

Each agent's prompt must be self-contained and follow this template (adapt
the module name, paths, and metadata):

You are auditing the eoreader module "{module}" for security vulnerabilities.

This module has {commits} commits and {loc} lines of code.

Read these files: {module_files}

Also read:

• eoreader/utils.py (shared helpers, env var handling)
• eoreader/products/product.py (the abstract base, common file-resolution
  patterns)
• eoreader/env_vars.py (which env vars eoreader reads)
• eoreader/exceptions.py (the exception types raised by validation)

Your task:

1. Read all listed files thoroughly, including any matching tests under
   ci/on_push/ and ci/weekly/ so you understand expected behavior.

2. Audit for these 7 security categories. For each, look for the specific
   patterns described. Only flag issues ACTUALLY present in the code.

   Cat 1 - Archive Extraction (zip-slip / tar-slip)

   • zipfile.ZipFile.extractall() or tarfile.TarFile.extractall() on
     a downloaded / user-provided archive without first validating that
     each member's resolved path stays inside the target directory
   • extract(member) where member.filename is taken from the archive
     without os.path.realpath canonicalization vs the destination
   • Symlink members allowed without filtering
   • SAFE / DIMAP / Theia bundles unzipped under user-controlled paths
     Severity: CRITICAL if extractall() runs unfiltered on attacker-controlled
     archives (a malicious SAFE bundle can write anywhere); HIGH if a
     partial filter is bypassable

   Cat 2 - XML Parsing (XXE, billion-laughs)

   • lxml.etree.parse / fromstring without resolve_entities=False
     and without no_network=True (XXE on metadata XML)
   • xml.etree.ElementTree.parse on third-party XML where
     defusedxml would be safer
   • HTML / XML parsing on STAC catalogue responses without size limits
     (billion-laughs)
     Severity: HIGH if external entities are not disabled and the XML
     source is third-party; MEDIUM if parser is fed only repo-local files

   Cat 3 - File Path Injection

   • File paths constructed from product metadata / archive member names
     / user strings without os.path.realpath or pathlib.Path.resolve
     canonicalization
   • Path traversal via ../ not prevented when joining a base directory
     with a name read from XML / JSON / archive
   • Temporary file creation in user-controlled directories
     (tempfile.mkstemp with dir= from user input)
   • Output paths that overwrite arbitrary files when the product name is
     attacker-controlled
     Severity: CRITICAL if a fully-attacker-controlled path lands on disk
     without canonicalization; HIGH if partial canonicalization is
     bypassable

   Cat 4 - HTTP / STAC fetching

   • requests.get / httpx.get / urlopen against URLs derived from
     STAC items or product metadata without verify=True / TLS check
   • SSRF: URLs read from product XML used to fetch additional resources
     without scheme / host validation
   • Redirects followed without bound (allow_redirects=True and no
     max-redirect setting)
   • Response size not bounded (response.content on an attacker-sized
     payload)
   • pystac.read_file / pystac_client.Client against user-supplied
     URLs without origin validation
     Severity: HIGH if SSRF on internal network is plausible; MEDIUM
     otherwise

   Cat 5 - Subprocess / SNAP-GPT command injection

   • subprocess.run(..., shell=True) or os.system with any
     user-controlled component
   • SNAP-GPT graph paths constructed by string concatenation from
     product metadata
   • GDAL command-line invocations where the product path is not quoted
     correctly for the shell
   • Filenames inserted into XML graph templates without escaping
     Severity: CRITICAL if shell=True with attacker input; HIGH for
     non-shell argv-style calls where one arg is unsanitized

   Cat 6 - Credential / Env Var Exposure

   • Env vars containing credentials (S3 keys, Azure SAS tokens, API
     keys) logged at INFO / DEBUG level
   • Credentials interpolated into URLs that are then logged
   • repr() / str() of an object that holds credentials in attributes
   • Error messages that include the full URL with embedded credentials
     Severity: HIGH if a credential lands in a log path; MEDIUM if only
     reachable with debug logging enabled

   Cat 7 - Unbounded Allocation / DoS via Adversarial Metadata

   • np.empty / np.zeros / xr.DataArray allocation with shape read
     from product XML / JSON without sanity bound
   • Looping over a metadata-declared band count or product-tile count
     without an upper limit
   • Reading entire raster into memory when a window was requested but
     not honored
   • Recursive XML parse with unbounded depth
     Severity: HIGH if a malicious product can trigger >10 GB allocation;
     MEDIUM if it requires unrealistic metadata