fix(tools): add workspace containment to grep and glob tools#333
Open
sridhar-3009 wants to merge 1 commit into
Open
fix(tools): add workspace containment to grep and glob tools#333sridhar-3009 wants to merge 1 commit into
sridhar-3009 wants to merge 1 commit into
Conversation
The read-only search tools (grep, glob) accepted a model-controlled root path with no check that it resolved inside the project directory. A model or prompt-injection attack could direct these tools at arbitrary host paths (e.g. /etc/, /home/) and return their contents to the model — an information-leakage risk that bypasses the same containment gap reported in HKUDS#310 for the file read/write/edit tools. Add Path.relative_to(cwd.resolve()) containment checks to both tools, consistent with the pattern used across the other file tools. When the resolved root escapes the workspace the tool returns is_error=True before any filesystem read occurs. Extends HKUDS#310
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Extends #310 / relates to #328
The read-only search tools (
grep,glob) accepted a model-controlledrootpath argument with no check that it resolved inside the project directory. A model (or prompt-injection attack) could direct these tools at arbitrary host paths (e.g./etc/,/home/,/var/log/) and read their contents — an information-leakage risk parallel to the write-path issue described in #310.grep_tool—root = _resolve_path(context.cwd, arguments.root)accepts an absolute path or a../traversal, then searches it recursively and returns matching content.glob_tool—_resolve_glob_request()handles absolute-looking patterns but still allowsroot_argto escape via_resolve_path().Fix: both tools now call
root.relative_to(cwd.resolve())after resolving the root, and returnis_error=Trueif the path escapes the workspace — before any filesystem read occurs.Test plan
grepwithroot="/etc"— verifyis_error=Truewith containment message.globwithroot="../../"— verify same denial.grep/globwithin workspace — verify no regression.grepwith noroot(defaults tocontext.cwd) — verify it still works.