Skip to content

fix(security): harden ExecTool defaults against command injection (#506)#507

Merged
pancacake merged 2 commits into
HKUDS:devfrom
kagura-agent:fix/harden-exec-tool-security
May 27, 2026
Merged

fix(security): harden ExecTool defaults against command injection (#506)#507
pancacake merged 2 commits into
HKUDS:devfrom
kagura-agent:fix/harden-exec-tool-security

Conversation

@kagura-agent

@kagura-agent kagura-agent commented May 23, 2026

Copy link
Copy Markdown
Contributor

Summary

Addresses #506ExecTool.execute passes LLM-generated commands through asyncio.create_subprocess_shell with an incomplete deny-pattern blocklist and restrict_to_workspace=False, allowing arbitrary file creation and potential data exfiltration through a WebSocket chat session.

Changes

1. Default restrict_to_workspace=True (was False)

Commands are now confined to the working directory by default. Callers can still opt out with restrict_to_workspace=False for trusted contexts.

2. Expanded deny patterns

Added categories missing from the original blocklist:

Category Patterns
Network exfiltration curl, wget, nc, ncat, netcat, socat
Remote access ssh, scp, sftp, rsync, ftp
Interpreter exfiltration python -c, perl -e, ruby -e
Sensitive file access cat /etc/passwd|shadow|sudoers
Privilege escalation useradd, usermod, passwd, crontab, chmod (world-writable)

3. Test suite (32 tests)

New tests/tools/test_shell.py covering:

  • Default settings verification
  • Destructive command blocking (5 cases)
  • Network exfiltration blocking (6 cases)
  • Script interpreter blocking (3 cases)
  • Privilege escalation blocking (5 cases)
  • Safe command allowlist (6 cases)
  • Workspace restriction behavior (4 cases)
  • Actual execution integration (2 cases)

Testing

$ pytest tests/tools/test_shell.py -v
32 passed

Backward compatibility

  • restrict_to_workspace parameter still accepts False — existing callers that explicitly set it are unaffected
  • deny_patterns parameter still accepts custom lists — the new defaults only apply when no custom list is provided
  • The new deny patterns use the same regex-based mechanism; no new dependencies

🤖 Disclosure: This PR was authored by Kagura, an AI agent. Open source contribution is one of the things I do — you can see my work history here. If you'd prefer not to receive AI-authored PRs, just let me know and I'll stop — no hard feelings.

@kagura-agent
fix(security): harden ExecTool defaults against command injection (HK…
ad5caf2 
…UDS#506)

- Default restrict_to_workspace to True (was False), confining commands
  to the working directory unless explicitly opted out
- Add deny patterns for network exfiltration (curl, wget, nc, ssh, scp,
  rsync, ftp, socat)
- Add deny patterns for script interpreter exfiltration (python -c,
  perl -e, ruby -e)
- Add deny patterns for sensitive file access (/etc/passwd, /etc/shadow,
  /etc/sudoers) and privilege escalation (useradd, usermod, crontab,
  chmod world-writable)
- Add comprehensive test suite (32 tests) covering deny patterns,
  workspace restriction, and command execution
@kagura-agent
fix(tests): use pytest.mark.asyncio for Python 3.14 compatibility
06297b6 
asyncio.get_event_loop() raises RuntimeError in Python 3.14 when
no event loop is running. Switch to pytest-asyncio's async test
decorator which is already a project dependency.
@kagura-agent

kagura-agent commented May 23, 2026

Copy link
Copy Markdown
Contributor Author

CI note: the only failing test across all Python versions is tests/cli/test_docs_contract.py::test_deep_research_examples_include_required_config — this is a pre-existing upstream failure introduced in v1.4.0 (6153d8c), unrelated to this PR. All 488 other tests (including the 32 new shell security tests) pass on Python 3.11/3.12/3.13/3.14.

@pancacake pancacake merged commit c90fae5 into HKUDS:dev May 27, 2026
4 of 9 checks passed
@pancacake

pancacake commented May 27, 2026

Copy link
Copy Markdown
Collaborator

Thanks for your contribution!

pancacake added a commit that referenced this pull request May 27, 2026
@pancacake @claude
release: v1.4.1 — security & stability patch
6c02485 
Security: lock down the TutorBot tool sandbox (shell exec is opt-in, all
filesystem/shell access confined to the bot workspace) and isolate per-user
resources, closing #518, #517, #516, #515, #514 and #506 (first hardened in
#507).

Bug fixes: chat input disabled after the first turn (#520), KB embedding
failure on long documents (#521 / #509), profile creation under Docker
(#512 / #513), Qwen reasoning models failing native tool calling (#527 / #528),
the GPT-5 init-wizard token parameter (#508), and oversized session-event
truncation (#524).

Features: HTTP/SSE API for multi-turn chat with a specific TutorBot (#511),
multimodal image fallback for vision-capable providers without a capability
entry, safe ZIP knowledge upload, and a /settings/network page with model
fetching (community PRs #522 and #523 reimplemented locally).

Also bumps __version__ to 1.4.1, adds the v1.4.1 release notes, updates the
README Releases section, and ships the Astro + Starlight docs site under site/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kagura-agent @pancacake