Skip to content

fix(tools): add workspace containment to grep and glob tools#333

Open
sridhar-3009 wants to merge 1 commit into
HKUDS:mainfrom
sridhar-3009:fix/310c-read-tools-workspace-containment
Open

fix(tools): add workspace containment to grep and glob tools#333
sridhar-3009 wants to merge 1 commit into
HKUDS:mainfrom
sridhar-3009:fix/310c-read-tools-workspace-containment

Conversation

@sridhar-3009

Copy link
Copy Markdown

Summary

Extends #310 / relates to #328

The read-only search tools (grep, glob) accepted a model-controlled root path argument with no check that it resolved inside the project directory. A model (or prompt-injection attack) could direct these tools at arbitrary host paths (e.g. /etc/, /home/, /var/log/) and read their contents — an information-leakage risk parallel to the write-path issue described in #310.

grep_toolroot = _resolve_path(context.cwd, arguments.root) accepts an absolute path or a ../ traversal, then searches it recursively and returns matching content.

glob_tool_resolve_glob_request() handles absolute-looking patterns but still allows root_arg to escape via _resolve_path().

Fix: both tools now call root.relative_to(cwd.resolve()) after resolving the root, and return is_error=True if the path escapes the workspace — before any filesystem read occurs.

Test plan

  • grep with root="/etc" — verify is_error=True with containment message.
  • glob with root="../../" — verify same denial.
  • Normal grep/glob within workspace — verify no regression.
  • grep with no root (defaults to context.cwd) — verify it still works.

The read-only search tools (grep, glob) accepted a model-controlled
root path with no check that it resolved inside the project directory.
A model or prompt-injection attack could direct these tools at arbitrary
host paths (e.g. /etc/, /home/) and return their contents to the model
— an information-leakage risk that bypasses the same containment gap
reported in HKUDS#310 for the file read/write/edit tools.

Add Path.relative_to(cwd.resolve()) containment checks to both tools,
consistent with the pattern used across the other file tools. When the
resolved root escapes the workspace the tool returns is_error=True
before any filesystem read occurs.

Extends HKUDS#310
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant