Octopus
Security
AI Functions execute arbitrary JavaScript code stored in the database. This introduces unique security considerations — code injection into the database becomes code execution. This page covers sandbox controls, write access restrictions, code review requirements, and audit logging.
Threat Model
| Threat | Mitigation |
|---|---|
| Malicious code injected into AI Function by an attacker with DB access | Sandbox blocks all I/O, network, and filesystem access; execution limits prevent DoS |
| Admin user creates a function that leaks data via return value | Review-required workflow for production functions; output logging and monitoring |
| Infinite loop / CPU exhaustion | Statement count limit + execution timeout kill the function |
| Memory exhaustion | Heap limit per sandbox instance; garbage collected after execution |
| Cross-tenant data access | Sandbox receives only explicitly injected context (tenantId, agentId, userId) |
Write Access Controls
Creating or modifying AI Functions requires the OctopusFunctionAuthor role. Activating a function for production requires an additional approval step:
Role requirements:

- Create or update AI Function code: OctopusFunctionAuthor
- Approve a function for production use: OctopusFunctionApprover
- View the function list: OctopusAdmin (or above)

A function starts with IsActive = false and cannot be called. An approver reviews the code and sets IsActive = true through the approval endpoint:

```http
POST /api/octopus/ai-functions/{functionId}/approve
Authorization: Bearer {approverToken}

{
  "approved": true,
  "notes": "Reviewed — pure calculation, no I/O. Safe to activate."
}
```
Code Review Checklist
| Check | What to Look For |
|---|---|
| No eval() calls | Dynamic code execution could bypass sandbox restrictions |
| No attempt to access __proto__ or Object.prototype | Prototype pollution attacks |
| Return value does not contain sensitive data | Passwords, tokens, SSNs must not appear in return value |
| Input validation present | Missing validation can cause unexpected behaviour with LLM-generated inputs |
| No infinite loops | while(true), recursion without base case |
| Bounded array/string operations | Operations on unbounded input can cause timeout |
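A first-pass static scan for the checklist above, as an added example that is not the product's review tooling. It flags the lines a reviewer should read first; the regexes are heuristics that surface obvious cases and cannot prove a function safe, so the manual review still follows. Check ids, the validation heuristic and both sample sources are constructed for the demo.

```javascript
// Added example, not the product's review tooling: heuristic pre-review scan
// for the checklist items. Check ids and samples are constructed.
const LINE_CHECKS = [
  { id: 'no-eval', re: /\beval\s*\(/, why: 'eval() could bypass sandbox restrictions' },
  { id: 'no-proto', re: /__proto__|Object\.prototype/, why: 'prototype pollution vector' },
  {
    id: 'no-infinite-loop',
    re: /\bwhile\s*\(\s*true\s*\)|\bfor\s*\(\s*;\s*;\s*\)/,
    why: 'unbounded loop will hit the execution timeout',
  },
  {
    id: 'no-sensitive-return',
    re: /\breturn\b[^;]*\b(password|token|ssn|secret)\b/i,
    why: 'sensitive field name in return value',
  },
];

// Whole-source heuristic for "Input validation present": the body reads
// `input` but never applies any of the usual type or range checks.
const VALIDATION_HINT = /\btypeof\b|Number\.isFinite|Array\.isArray|\bisNaN\b/;

// Returns a list of { check, line, why }; an empty list means "nothing obvious".
function reviewFunctionSource(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const check of LINE_CHECKS) {
      if (check.re.test(line)) findings.push({ check: check.id, line: i + 1, why: check.why });
    }
  });
  if (/\binput\b/.test(source) && !VALIDATION_HINT.test(source)) {
    findings.push({ check: 'input-validation-missing', line: 0, why: 'input is used but never validated' });
  }
  return findings;
}

// Constructed samples: a pure calculation that passes, and a body that trips every check.
const SAFE_SOURCE = [
  "if (typeof input.hoursWorked !== 'number' || !Number.isFinite(input.hoursWorked)) { return null; }",
  'return Math.ceil(input.hoursWorked / 8);',
].join('\n');

const UNSAFE_SOURCE = [
  'var secret = eval(input.expr);',
  'while (true) { secret.__proto__.x = 1; }',
  'return { token: secret };',
].join('\n');
```

Running `reviewFunctionSource(SAFE_SOURCE)` yields no findings, while the unsafe body produces one finding per checklist row it violates, with the line number to jump to.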
Audit Logging
All AI Function executions are logged:

```json
{
  "event": "AIFunctionExecuted",
  "functionId": "fn_7f3a...",
  "functionName": "calculate_leave_days",
  "agentId": "agent_hr_01",
  "userId": "user_mary_k",
  "tenantId": "tenant_acme",
  "executedAt": "2025-03-14T09:22:31Z",
  "durationMs": 12,
  "success": true,
  "errorMessage": null
}
```

Failed executions include error details:

```json
{
  "event": "AIFunctionExecuted",
  "functionName": "calculate_leave_days",
  "success": false,
  "errorMessage": "Script execution timed out after 5000ms"
}
```
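What the "output logging and monitoring" mitigation looks like over these records, as an added example that is not the product's monitoring: aggregate AIFunctionExecuted events per function and alert when the timeout count or failure rate crosses a threshold. Field names follow the log records above; the thresholds, the `ev` helper and the sample events are constructed for the demo.

```javascript
// Added example, not the product's monitoring: per-function aggregation of
// AIFunctionExecuted audit events with alerting. Thresholds and sample data
// are constructed; field names match the log schema on this page.
function summariseAuditEvents(events, { maxTimeouts = 1, maxFailureRate = 0.2 } = {}) {
  const perFunction = new Map();
  for (const ev of events) {
    if (ev.event !== 'AIFunctionExecuted') continue; // other event types are ignored
    const s = perFunction.get(ev.functionName) ?? { runs: 0, failures: 0, timeouts: 0, maxDurationMs: 0 };
    s.runs += 1;
    if (ev.success !== true) s.failures += 1;
    // A timeout means the function hit the execution limit from the threat model.
    if (typeof ev.errorMessage === 'string' && /timed out/i.test(ev.errorMessage)) s.timeouts += 1;
    if (typeof ev.durationMs === 'number') s.maxDurationMs = Math.max(s.maxDurationMs, ev.durationMs);
    perFunction.set(ev.functionName, s);
  }
  const alerts = [];
  for (const [functionName, s] of perFunction) {
    const failureRate = s.failures / s.runs;
    if (s.timeouts > maxTimeouts) alerts.push({ functionName, reason: 'timeouts', value: s.timeouts });
    if (failureRate > maxFailureRate) {
      alerts.push({ functionName, reason: 'failure-rate', value: Number(failureRate.toFixed(2)) });
    }
  }
  return { perFunction: Object.fromEntries(perFunction), alerts };
}

// Constructed sample events in the page's log format ("fn_placeholder" stands in for a real id).
function ev(functionName, success, durationMs, errorMessage) {
  return {
    event: 'AIFunctionExecuted',
    functionId: 'fn_placeholder',
    functionName,
    agentId: 'agent_hr_01',
    userId: 'user_mary_k',
    tenantId: 'tenant_acme',
    executedAt: '2025-03-14T09:22:31Z',
    durationMs,
    success,
    errorMessage,
  };
}

const SAMPLE_EVENTS = [
  ev('calculate_leave_days', true, 12, null),
  ev('calculate_leave_days', true, 15, null),
  ev('calculate_leave_days', false, 5000, 'Script execution timed out after 5000ms'),
  ev('calculate_leave_days', true, 11, null),
  ev('calculate_leave_days', false, 5000, 'Script execution timed out after 5000ms'),
  ev('format_employee_name', true, 3, null),
  ev('format_employee_name', true, 4, null),
  { event: 'AgentStarted', agentId: 'agent_hr_01' },
];
```

Over the sample, `calculate_leave_days` triggers both a timeout alert and a failure-rate alert; repeated timeouts on one function usually mean either an unbounded operation from the review checklist slipped through or an LLM-generated input is larger than the author expected.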
Restrict Who Can Create AI Functions
The OctopusFunctionAuthor role is effectively a code execution privilege. Grant it only to trusted developers and power users. In production environments, always require a separate approver (OctopusFunctionApprover) who was not involved in writing the function to review and activate it.
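The activation workflow from "Write Access Controls" together with the separation-of-duties rule in this section, as an added example that is not the product's implementation: plain functions over an in-memory store in which a function starts inactive, only an OctopusFunctionApprover can activate it, and anyone who wrote or edited the code is refused as its approver. Role names are the page's; the user objects, the store, the `canInvoke` guard and the rule that any code edit resets IsActive to false are assumptions for this demo.

```javascript
// Added example, not the product's implementation: the approval workflow with
// role checks and separation of duties. Role names come from the page; the
// store, user shape and edit-resets-approval rule are assumptions.
const ROLE_AUTHOR = 'OctopusFunctionAuthor';
const ROLE_APPROVER = 'OctopusFunctionApprover';

function requireRole(user, role) {
  if (!Array.isArray(user.roles) || !user.roles.includes(role)) {
    throw new Error(`forbidden: ${role} required`);
  }
}

function getFn(store, functionId) {
  const fn = store.get(functionId);
  if (!fn) throw new Error(`unknown function ${functionId}`);
  return fn;
}

// Create a function: it starts with isActive = false and cannot be called.
function createFunction(store, user, { functionId, name, code }) {
  requireRole(user, ROLE_AUTHOR);
  const fn = { functionId, name, code, isActive: false, writers: new Set([user.id]), approvedBy: null, notes: null };
  store.set(functionId, fn);
  return fn;
}

// Any code change drops the function back to inactive (assumption) and records
// the editor so they cannot later approve their own change.
function updateFunctionCode(store, user, functionId, code) {
  requireRole(user, ROLE_AUTHOR);
  const fn = getFn(store, functionId);
  fn.code = code;
  fn.isActive = false;
  fn.approvedBy = null;
  fn.writers.add(user.id);
  return fn;
}

// Server-side equivalent of POST /api/octopus/ai-functions/{functionId}/approve.
function approveFunction(store, user, functionId, { approved, notes }) {
  requireRole(user, ROLE_APPROVER);
  const fn = getFn(store, functionId);
  if (fn.writers.has(user.id)) {
    throw new Error('separation of duties: approver was involved in writing this function');
  }
  fn.isActive = approved === true;
  fn.approvedBy = approved === true ? user.id : null;
  fn.notes = notes ?? null;
  return fn;
}

// Guard applied at call time: only active functions may be executed.
function canInvoke(store, functionId) {
  return getFn(store, functionId).isActive === true;
}

function tryCall(f) {
  try { f(); return 'allowed'; } catch (e) { return e.message; }
}

// Constructed walk-through: happy path plus the two refusals.
function demo() {
  const store = new Map();
  const author = { id: 'user_dev_01', roles: [ROLE_AUTHOR] };
  const authorWithApproverRole = { id: 'user_dev_01', roles: [ROLE_AUTHOR, ROLE_APPROVER] };
  const approver = { id: 'user_sec_01', roles: [ROLE_APPROVER] };
  const out = {};
  createFunction(store, author, { functionId: 'fn_demo', name: 'calculate_leave_days', code: 'return 1;' });
  out.activeAfterCreate = canInvoke(store, 'fn_demo');
  out.authorWithoutRole = tryCall(() => approveFunction(store, author, 'fn_demo', { approved: true }));
  out.selfApproval = tryCall(() => approveFunction(store, authorWithApproverRole, 'fn_demo', { approved: true }));
  approveFunction(store, approver, 'fn_demo', { approved: true, notes: 'Reviewed, pure calculation, no I/O.' });
  out.activeAfterApproval = canInvoke(store, 'fn_demo');
  updateFunctionCode(store, author, 'fn_demo', 'return 2;');
  out.activeAfterEdit = canInvoke(store, 'fn_demo');
  return out;
}
```

The point of tracking `writers` rather than only the original author is that a user holding both roles could otherwise edit a function and then approve their own edit, which is exactly the situation the separate-approver requirement exists to prevent.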