
fix(gateway): validate MEDIA tag paths to block arbitrary local file … (#6084)

Status: Open. Ruzzgar wants to merge 1 commit into NousResearch:main from Ruzzgar:fix/gateway-media-tag-file-exfiltration

Conversation

@Ruzzgar (Contributor) commented Apr 8, 2026

Context

MEDIA: directives are intended for explicit media attachment delivery (images/audio/video), but the parser currently accepts overly broad path tokens.
This creates a trust-boundary issue: model-generated text can influence which local files are sent as platform attachments.

What’s wrong (concrete exploit path)

A crafted response such as:

  • MEDIA:'/etc/passwd'
  • MEDIA:/tmp/secrets.env
  • MEDIA:"/home/user/.ssh/config"

can be parsed as a valid attachment candidate and routed into native send flows (send_document / send_image_file / send_video), depending on adapter behavior.

That means non-media host files can be exfiltrated through normal chat output delivery.

Behavioral change in this PR

MEDIA: extraction is now strict and intentionally conservative:

| Rule | Before | After |
| --- | --- | --- |
| Remote schemes (http://, https://, etc.) | Could pass parser path branch in edge cases | Rejected |
| Relative paths | Could be accepted depending on token shape | Rejected |
| Absolute local paths | Accepted | Accepted only if extension is allowlisted media type |
| Non-media extensions (.env, .txt, .conf, etc.) | Could be extracted | Rejected |

Implementation overview

gateway/platforms/base.py

  • Added _normalize_media_tag_path() as a single validation gate for MEDIA: values.
  • Added media extension allowlist for extracted attachment paths.
  • Added explicit remote-scheme and path-shape checks (local absolute paths only).
  • Updated extract_media() to use normalized/validated output only.

Regression coverage

tests/gateway/test_platform_base.py

Added:

  • test_media_tag_ignores_non_media_file_paths

This test verifies that sensitive/non-media files are not extracted from MEDIA: tags and therefore are not eligible for attachment routing.

Why this fix is scoped correctly

  • No adapter-specific refactor.
  • No protocol/UX changes for valid media paths.
  • No new dependencies.
  • Keeps existing MEDIA: contract for real media outputs intact.

Validation status

  • Regression test added
  • No new dependencies
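The validation gate the PR description outlines, reconstructed as an added example (the PR's own diff is not shown on this page, so this is not the project's code): a normalizer in the spirit of the described `_normalize_media_tag_path()` plus an `extract_media()` run over a constructed model response containing the tokens the description lists. The extension allowlist, the regex for the tag syntax, the function names and the POSIX-only path policy are assumptions.

```python
"""Added example: strict MEDIA: tag path validation (not the project's code).

Policy mirrored from the PR description:
  * remote schemes (http://, https://, ...) are rejected
  * relative paths are rejected (local absolute paths only)
  * absolute paths are accepted only if their extension is an allowlisted media type
"""
import os
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed allowlist; the PR's actual list is not visible on the page.
MEDIA_EXTENSIONS = frozenset({
    ".png", ".jpg", ".jpeg", ".gif", ".webp",   # images
    ".mp3", ".ogg", ".wav", ".m4a",             # audio
    ".mp4", ".webm", ".mov",                    # video
})

# Assumed tag syntax: MEDIA: followed by a single-quoted, double-quoted or bare token.
_MEDIA_TAG_RE = re.compile(r"""MEDIA:\s*(?:'([^'\n]*)'|"([^"\n]*)"|(\S+))""")


def normalize_media_tag_path(raw: str) -> Optional[str]:
    """Return a normalized absolute media path, or None if the token is rejected."""
    token = raw.strip().strip("'\"")
    if not token or "\x00" in token:
        return None
    # Reject anything carrying a URL scheme (http://, https://, file:, ...). This also
    # rejects Windows drive letters, which is acceptable under a POSIX-only policy.
    if urlsplit(token).scheme:
        return None
    # Local absolute paths only: relative paths are rejected outright.
    if not token.startswith("/"):
        return None
    # Collapse "." and ".." segments so the extension check sees the real target.
    path = os.path.normpath(token)
    if not os.path.isabs(path):
        return None
    ext = os.path.splitext(path)[1].lower()
    if ext not in MEDIA_EXTENSIONS:
        return None
    return path


def extract_media(text: str) -> List[str]:
    """Return validated attachment paths found in MEDIA: tags, in order, deduplicated."""
    found: List[str] = []
    for match in _MEDIA_TAG_RE.finditer(text):
        # Exactly one of the three alternatives matched; take its captured token.
        token = next(g for g in match.groups() if g is not None)
        path = normalize_media_tag_path(token)
        if path is not None and path not in found:
            found.append(path)
    return found


# Constructed model output mixing one legitimate attachment with the kinds of
# tokens the PR description lists as exfiltration attempts.
SAMPLE_RESPONSE = """Here is the chart you asked for.
MEDIA:/var/app/out/chart.png
MEDIA:'/etc/passwd'
MEDIA:/tmp/secrets.env
MEDIA:"/home/user/.ssh/config"
MEDIA:https://example.com/clip.mp4
MEDIA:relative/clip.mp4
MEDIA:/var/app/out/../out/chart.png
"""

if __name__ == "__main__":
    for line in SAMPLE_RESPONSE.splitlines():
        if line.startswith("MEDIA:"):
            print(f"{line:45} -> {normalize_media_tag_path(line[len('MEDIA:'):])}")
    print("extracted:", extract_media(SAMPLE_RESPONSE))
```

Running the block prints one accepted path and a `None` for every other token; `extract_media` returns only `/var/app/out/chart.png`. Note what the PR's scope does and does not buy: an extension allowlist plus an absolute-path requirement keeps `.env`, `.conf` and dotfiles out of the send flows, but it does not confine attachments to a directory, so `/var/app/out/../out/chart.png` still normalizes to an accepted path. A deployment that wants directory confinement would add a base-directory check after `normpath`, which is beyond what this PR claims.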

@alt-glitch added labels type/security (Security vulnerability or hardening), P1 (High — major feature broken, no workaround), comp/gateway (Gateway runner, session dispatch, delivery) on Apr 30, 2026

@alt-glitch (Collaborator) commented:

Likely duplicate of #16547 — same MEDIA: path traversal vulnerability. Also overlaps with #10026. All three restrict MEDIA paths to prevent local file exfiltration.

