CVE-2026-42601 - ArchiveBox AddView config override RCE

# macOS / Linux
rg -n "archivebox|ArchiveBox|PUBLIC_ADD_VIEW|/add/|YTDLP_ARGS_EXTRA|GALLERYDL_ARGS_EXTRA|_ARGS_EXTRA|_BINARY" .
rg -n "0\\.8\\.6rc0|archivebox==|archivebox/archivebox|pip install .*archivebox|uvx .*archivebox" .
find . -maxdepth 5 -type f \( -iname "*archivebox*" -o -iname "docker-compose*.yml" -o -iname "Dockerfile*" -o -iname "*.service" \) -print

# Windows PowerShell
Get-ChildItem -Recurse -File | Select-String -Pattern "archivebox|ArchiveBox|PUBLIC_ADD_VIEW|/add/|YTDLP_ARGS_EXTRA|GALLERYDL_ARGS_EXTRA|_ARGS_EXTRA|_BINARY"
Get-ChildItem -Recurse -File | Select-String -Pattern "0\.8\.6rc0|archivebox==|archivebox/archivebox|pip install .*archivebox|uvx .*archivebox"
Get-ChildItem -Recurse -File -Include *archivebox*,Dockerfile*,docker-compose*.yml,*.yaml,*.yml,*.service,*.ps1,*.sh

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-42601 / GHSA-3h23-7824-pj8r (ArchiveBox AddView
per-crawl config override leading to command argument injection and RCE).
Produce exactly one output:

- A reviewer-ready PR/change request that upgrades or contains the vulnerable
  ArchiveBox deployment, blocks unsafe public add/config override paths, adds
  safe verification, and documents operator cleanup, or
- TRIAGE.md if this repository does not own an affected ArchiveBox deployment,
  install path, image, add-route policy, or safe patch path.

## Rules

- Scope only CVE-2026-42601 and directly related ArchiveBox ingestion and
  archive-worker hardening.
- Treat archived pages, private URLs, cookies, browser profiles, API tokens,
  SSH keys, cloud credentials, webhook secrets, compliance evidence, crawler
  output, and agent/RAG datasets as sensitive.
- Do not submit a real exploit payload to any shared or production ArchiveBox
  server.
- Do not create a proof-of-concept that runs commands, writes marker files,
  opens shells, downloads payloads, exfiltrates environment variables, or reads
  archive contents.
- Do not print or commit real ArchiveBox snapshots, submitted URLs, cookies,
  secrets, logs, or command environments.
- Do not auto-merge.

## Steps

1. Inventory every ArchiveBox reference controlled by this repository:
   Python manifests and lockfiles, uv/Poetry/pip-tools config, Dockerfiles,
   Compose files, Helm charts, Kubernetes manifests, Terraform, Ansible, Nix,
   systemd units, bootstrap scripts, CI jobs, image digests, SBOMs, reverse
   proxy rules, web-app route policy, docs, and runbooks.
2. Determine every resolved ArchiveBox version. Treat `archivebox <=0.8.6rc0`
   as vulnerable.
3. Determine every `/add/` exposure path:
   - `PUBLIC_ADD_VIEW` and related public submission settings;
   - ingress, reverse-proxy, gateway, service-mesh, or firewall rules;
   - bookmarklet, browser-extension, API, webhook, or agent integration paths;
   - whether callers are authenticated and authorized before adding URLs.
4. Identify every user-controlled config path that can reach archive workers:
   per-crawl config fields, form fields, JSON APIs, environment overrides,
   wrapper scripts, plugin options, `*_ARGS_EXTRA`, `*_BINARY`, and custom
   extractor settings.
5. If this repository does not deploy, package, configure, or route traffic to
   ArchiveBox, stop with `TRIAGE.md` listing files checked, the likely runtime
   owner, the vulnerable range `archivebox <=0.8.6rc0`, and the target
   `archivebox 0.8.6rc3+` or latest fixed release.
6. Upgrade every controlled ArchiveBox target to `0.8.6rc3+` or the newest
   vendor-published fixed release available through the repository's normal
   distribution channel. If GHAD metadata still shows no patched version,
   include release/package evidence in the PR body.
7. Regenerate all derived artifacts controlled by the repository: lockfiles,
   image digests, SBOMs, checksum allowlists, rendered manifests, deployment
   snapshots, package metadata, and version evidence.
8. Add fail-closed containment where this repository owns configuration or
   routing:
   - set `PUBLIC_ADD_VIEW=False` by default for production;
   - require authentication and authorization for `/add/` and equivalent
     ingestion routes;
   - block untrusted per-crawl config keys that influence command arguments,
     executable paths, worker environment variables, or plugin enablement;
   - allow-list only documented safe per-crawl fields;
   - prevent public ingress from reaching `/add/` without explicit approval;
   - run archive workers without broad secrets, root privileges, Docker socket
     access, or cloud metadata access.
9. Add safe verification without executing commands through ArchiveBox:
   - dependency/image/SBOM assertions prove every ArchiveBox target is not
     `<=0.8.6rc0`;
   - config tests prove production `PUBLIC_ADD_VIEW` is false or protected by
     an authenticated gateway;
   - route/policy tests prove unauthenticated callers cannot reach `/add/`;
   - unit tests or static checks prove user-provided crawl config cannot set
     `*_ARGS_EXTRA`, `*_BINARY`, or other command-affecting keys;
   - secret scanning proves no snapshots, cookies, worker env, or archive data
     were committed.
10. Add a PR body section named `CVE-2026-42601 operator actions` that states:
    - ArchiveBox versions before and after the change;
    - whether `/add/` was publicly reachable;
    - whether `PUBLIC_ADD_VIEW` was enabled;
    - which worker plugins could consume extra arguments or binary paths;
    - which secrets available to the ArchiveBox process should be rotated;
    - which submitted URLs, per-crawl config records, worker logs, and archive
      snapshots require review or quarantine;
    - whether any downstream agent/RAG datasets built from affected archive
      output should be revalidated.
11. Run relevant validation: dependency resolution, image build, deployment
    render, route/gateway policy tests, unit tests, SBOM refresh, secret scan,
    and security scan available in this repository.
12. Use PR title:
    `fix(sec): remediate CVE-2026-42601 in ArchiveBox`.

## Stop conditions

- No ArchiveBox deployment, install path, image, package recipe, route policy,
  or runtime config is controlled by this repository.
- The resolved ArchiveBox version can only be confirmed from production access
  the agent does not have.
- A fixed ArchiveBox release cannot be consumed through the allowed
  distribution channel without a broader platform migration.
- Proving exposure would require command execution, reading archive contents,
  printing worker environment variables, or submitting payloads to a shared or
  production ArchiveBox server.
- Product requirements intentionally allow unauthenticated public submissions
  with arbitrary per-crawl config; document the risk and require a
  product/security decision.
- Existing snapshots or logs indicate possible command execution; stop after
  preserving evidence and documenting incident-response handoff.
- Validation fails for unrelated pre-existing reasons; document the failure
  instead of broadening scope.