fix(security): harden sandbox — shell escape bypass, symlink TOCTOU, SSRF, working_dir validation#331
Open
AlexanderGalkin95 wants to merge 6 commits into sipeed:main from
Conversation
…-default ACL
Close critical attack chain: empty allow_from → any user → prompt injection →
exec denylist bypass → full system access.
- Expand shell denylist with 10 new patterns (rm long flags, base64→shell,
python/perl/ruby -c/-e, eval, curl/wget→shell, find -exec rm, xargs rm,
fdisk/parted/wipefs)
- Block shell metacharacters ($(), ${}, backticks), $VAR expansion and
cd /absolute in workspace-restricted mode
- Change empty allow_from from allow-all to deny-all (deny-by-default)
- Add logger.WarnCF at all block points and rejected messages
- Add tests for 18 bypass techniques, 6 metacharacter escapes, and
5 safe-command allowance checks
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… HTTP in provider

Block requests to internal/private networks (loopback, link-local, RFC1918, IPv6 ULA) in WebFetchTool to prevent SSRF attacks targeting cloud metadata and internal services.

Log a warning when HTTPProvider is configured with plain http:// API base, as API keys may be transmitted without encryption.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ng_dir escape
- Add 5 regex patterns to block ANSI-C/locale quoting, hex/octal escapes, and
  escaped metacharacters that bypassed shell denylist in restricted mode
- Add safeReadFile/safeWriteFile/safeOpenFile wrappers that re-verify symlink
  targets right before I/O to close TOCTOU race window
- Validate working_dir parameter stays within workspace when restricted
- Document all three protections in README security section
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ink-workdir fix(security): block shell escape bypasses, symlink TOCTOU, and working_dir escape
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Security audit of the tool sandbox revealed several vulnerabilities that could allow workspace escape or unauthorized access. This PR fixes 6 issues across shell, filesystem, and web tools, adding 637 lines with comprehensive tests.
Changes
1. Shell denylist hardening (pkg/tools/shell.go)
   - Block rm --recursive/--force, base64 -d | sh, python/perl/ruby -c/-e, eval, curl/wget | sh, find -exec rm, xargs rm, and disk tools
2. Shell escape sequence bypass (pkg/tools/shell.go)
   - Block ANSI-C quoting ($'...'), locale quoting ($"..."), hex escapes (\xNN), octal escapes (\NNN), and escaped metacharacters (\`, \$) that bypassed existing shellMetaRe checks in restricted mode
3. Symlink TOCTOU race condition (pkg/tools/filesystem.go, pkg/tools/edit.go)
   - Add safeReadFile/safeWriteFile/safeOpenFile wrappers that re-verify symlink targets via Lstat immediately before I/O operations
   - Closes the window between validatePath() and actual file operations
   - Applied to ReadFileTool, WriteFileTool, EditFileTool, and AppendFileTool
4. working_dir escape (pkg/tools/shell.go)
   - Validate that the working_dir parameter is within workspace when restrict_to_workspace=true
   - Previously, working_dir="/etc" could be passed to escape the sandbox
5. SSRF protection (pkg/tools/web.go)
   - web_fetch now blocks requests to loopback, link-local, and RFC 1918 private addresses
6. TLS warning for providers (pkg/providers/http_provider.go)
   - Log a warning when configured with an http:// API base URL

Docs
- Add .claude/ to .gitignore

Test plan
- go vet ./pkg/tools/... — passes
- go test ./pkg/tools/... -count=1 — all tests pass
- TestShellTool_DenylistBypassTechniques — 18 dangerous command patterns blocked
- TestShellTool_EscapeSequenceBlocking — 5 escape sequence patterns blocked
- TestShellTool_WorkingDirRestriction — outside workspace blocked, inside allowed
- TestShellTool_WorkspaceMetacharacterBlocking — backticks, $(), ${}, $VAR, cd / blocked
- TestShellTool_WorkspaceAllowedCommands — safe commands still work in restricted mode
- TestFilesystemTool_{Read,Write,Edit,Append}File_RejectsSymlinkEscape — symlink escape blocked
- TestWebFetchTool_SSRFBlocking — loopback, localhost, metadata, private IPs blocked

Breaking changes
None. All changes are additive security hardening. Existing behavior is preserved for non-malicious inputs.
🤖 Generated with Claude Code
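Added example for items 1 and 2 above. This is illustration code written for this page, not the project's pkg/tools/shell.go: the rule names, the regular expressions, the Verdict type and the CheckCommand signature are all this example's own. What it makes runnable is the reason the restricted-mode layer has to reject the quoting mechanisms themselves: a denylist keyed on the literal word rm never sees a command spelled $'\x72\x6d' -rf /, and the test below shows that command passing the denylist and being stopped only by the escape rules.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Verdict is the outcome of checking one command line against the policy.
type Verdict struct {
	Allowed bool
	Reason  string // the rule that fired; empty when allowed
}

type rule struct {
	name string
	re   *regexp.Regexp
}

// dangerous is a command denylist in the style the PR describes, enforced in every
// mode. Patterns are RE2 (Go regexp) and key on the literal command words.
var dangerous = []rule{
	{"rm recursive/force", regexp.MustCompile(`(^|[;&|]\s*|\s)rm\s+(-[A-Za-z]*[rf][A-Za-z]*|--(recursive|force))(\s|$)`)},
	{"curl/wget to shell", regexp.MustCompile(`\b(curl|wget)\b[^|;]*\|\s*(ba|z|da)?sh\b`)},
	{"base64 to shell", regexp.MustCompile(`\bbase64\s+(-d|--decode)\b[^|;]*\|\s*(ba|z|da)?sh\b`)},
	{"interpreter -c/-e", regexp.MustCompile(`\b(python[0-9.]*|perl|ruby)\s+-[ce](\s|$)`)},
	{"eval", regexp.MustCompile(`(^|[;&|]\s*|\s)eval(\s|$)`)},
	{"find -exec rm", regexp.MustCompile(`\bfind\b.*-exec\s+rm\b`)},
	{"xargs rm", regexp.MustCompile(`\bxargs\b.*\brm\b`)},
	{"disk tools", regexp.MustCompile(`(^|[;&|]\s*|\s)(fdisk|parted|wipefs)(\s|$)`)},
}

// restrictedOnly is enforced only when restrict_to_workspace is on. Besides the
// substitution metacharacters it rejects the quoting forms the shell would expand
// into arbitrary bytes ($'...', $"...", \xNN, \NNN), because once such a form is
// present the denylist above is matching against text the shell will never execute.
var restrictedOnly = []rule{
	{"backtick substitution", regexp.MustCompile("`")},
	{"$( ) substitution", regexp.MustCompile(`\$\(`)},
	{"${ } expansion", regexp.MustCompile(`\$\{`)},
	{"$VAR expansion", regexp.MustCompile(`\$[A-Za-z_]`)},
	{"cd to absolute path", regexp.MustCompile(`(^|[;&|]\s*)cd\s+/`)},
	{"ANSI-C quoting $'...'", regexp.MustCompile(`\$'`)},
	{`locale quoting $"..."`, regexp.MustCompile(`\$"`)},
	{`hex escape \xNN`, regexp.MustCompile(`\\x[0-9A-Fa-f]{1,2}`)},
	{`octal escape \NNN`, regexp.MustCompile(`\\[0-7]{1,3}`)},
	{"escaped metacharacter", regexp.MustCompile("\\\\[`$]")},
}

// CheckCommand applies the denylist and then, in restricted mode, the escape rules.
// The first matching rule is reported so the block can be logged with its reason.
func CheckCommand(cmd string, restricted bool) Verdict {
	cmd = strings.TrimSpace(cmd)
	for _, r := range dangerous {
		if r.re.MatchString(cmd) {
			return Verdict{Reason: "denylist: " + r.name}
		}
	}
	if restricted {
		for _, r := range restrictedOnly {
			if r.re.MatchString(cmd) {
				return Verdict{Reason: "restricted mode: " + r.name}
			}
		}
	}
	return Verdict{Allowed: true}
}

func main() {
	// Constructed sample inputs; the second is "rm -rf /" spelled with ANSI-C hex escapes.
	for _, c := range []string{"rm -rf /", `$'\x72\x6d' -rf /`, "echo $HOME", "go test ./..."} {
		fmt.Printf("%-22q unrestricted=%+v restricted=%+v\n", c, CheckCommand(c, false), CheckCommand(c, true))
	}
}
```

A denylist of this kind is a speed bump rather than a boundary: bash also runs r\m as rm, and any interpreter on PATH is a shell in disguise, so the regex layer only removes the cheap attacks and produces a log line, while the workspace confinement and the process sandbox carry the real weight.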
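Added example for items 3 and 4 above. This is not the project's safeReadFile/safeOpenFile or validatePath; the function names, the ErrOutsideWorkspace sentinel and the temporary directory layout are this example's assumptions. It resolves every directory component with filepath.EvalSymlinks, compares the result against the resolved workspace, and then relies on O_NOFOLLOW so that a symlink swapped in between the check and the open fails inside the kernel instead of being followed. The same containment check validates working_dir before the resolved path is handed to exec.Cmd.Dir.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrOutsideWorkspace is returned when a path resolves, through a symlink or "..",
// to a location that is not inside the restricted workspace.
var ErrOutsideWorkspace = errors.New("sandbox: path escapes workspace")

// isWithin reports whether candidate is root itself or lies below it. Both must be
// absolute, cleaned and symlink-resolved; a prefix check on the raw user string is
// exactly what a symlink defeats.
func isWithin(root, candidate string) bool {
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// realWorkspace resolves the workspace itself so it compares equal to paths resolved beneath it.
func realWorkspace(workspace string) (string, error) {
	abs, err := filepath.Abs(workspace)
	if err != nil {
		return "", err
	}
	return filepath.EvalSymlinks(abs)
}

// resolveInWorkspace maps a user path to an absolute target whose directory components
// are all symlink-resolved, then checks containment. The final component is left as is:
// it may not exist yet (write/append), and its symlink status is enforced by O_NOFOLLOW
// at open time rather than by a Lstat that a concurrent rename could invalidate.
func resolveInWorkspace(workspace, userPath string) (string, error) {
	root, err := realWorkspace(workspace)
	if err != nil {
		return "", err
	}
	p := userPath
	if !filepath.IsAbs(p) {
		p = filepath.Join(root, p)
	}
	p = filepath.Clean(p)
	dir, base := filepath.Dir(p), filepath.Base(p)
	dirReal, err := filepath.EvalSymlinks(dir) // the parent directory must exist
	if err != nil {
		return "", err
	}
	target := filepath.Join(dirReal, base)
	if !isWithin(root, target) {
		return "", fmt.Errorf("%w: %q resolves to %s", ErrOutsideWorkspace, userPath, target)
	}
	return target, nil
}

// openInWorkspace opens userPath only if it is inside workspace. O_NOFOLLOW makes the
// kernel fail the open with ELOOP if the last component is a symlink at that instant,
// which is the race-free form of "re-check the symlink right before I/O".
func openInWorkspace(workspace, userPath string, flag int, perm os.FileMode) (*os.File, error) {
	target, err := resolveInWorkspace(workspace, userPath)
	if err != nil {
		return nil, err
	}
	f, err := os.OpenFile(target, flag|syscall.O_NOFOLLOW, perm)
	if errors.Is(err, syscall.ELOOP) {
		return nil, fmt.Errorf("%w: %q is a symlink", ErrOutsideWorkspace, userPath)
	}
	return f, err
}

// validateWorkingDir resolves the shell tool's working_dir and rejects it unless it
// lies inside the workspace. Assign the returned path to exec.Cmd.Dir so the command
// runs exactly where it was checked, not at the unresolved string the caller supplied.
func validateWorkingDir(workspace, workingDir string) (string, error) {
	root, err := realWorkspace(workspace)
	if err != nil || workingDir == "" {
		return root, err
	}
	wd := workingDir
	if !filepath.IsAbs(wd) {
		wd = filepath.Join(root, wd)
	}
	resolved, err := filepath.EvalSymlinks(wd)
	if err != nil {
		return "", err
	}
	if !isWithin(root, resolved) {
		return "", fmt.Errorf("%w: working_dir %q resolves to %s", ErrOutsideWorkspace, workingDir, resolved)
	}
	return resolved, nil
}

func main() {
	ws, _ := os.MkdirTemp("", "ws")
	_ = os.Symlink("/etc/hostname", filepath.Join(ws, "link")) // constructed escape attempt
	_, err := openInWorkspace(ws, "link", os.O_RDONLY, 0)
	fmt.Println("open link:", err)
	_, err = validateWorkingDir(ws, "/etc")
	fmt.Println("working_dir /etc:", err)
	os.RemoveAll(ws)
}
```

O_NOFOLLOW only protects the final component; a directory replaced by a symlink after EvalSymlinks has run is still a narrow race, which is what openat2 with RESOLVE_BENEATH on Linux, or os.Root in Go 1.24, closes completely. The flag is Unix-only (syscall.O_NOFOLLOW), which is the platform the shell tool targets anyway.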
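Added example for item 5 above. It is not the project's web.go; isBlockedAddr, checkDialAddress and newSafeFetchClient are this example's names, and the carrier-grade NAT range is an addition beyond the PR's list. Rather than checking the URL's hostname once before the request, it installs the policy as net.Dialer.Control, which runs after DNS resolution on every connect, including the connects http.Client makes while following redirects, so a hostname that resolves to 127.0.0.1 or 169.254.169.254 is refused at the socket.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// ErrBlockedAddress is returned when a connection would target a non-public address.
var ErrBlockedAddress = errors.New("web_fetch: destination address is not publicly routable")

// cgnat is 100.64.0.0/10 (RFC 6598). It is not covered by Addr.IsPrivate but is not
// reachable from the internet either; blocking it is this example's addition.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// isBlockedAddr reports whether ip must never be contacted by web_fetch. The address
// is unmapped first so ::ffff:10.0.0.1 is judged by the IPv4 rules.
func isBlockedAddr(ip netip.Addr) bool {
	ip = ip.Unmap()
	switch {
	case ip.IsLoopback(): // 127.0.0.0/8, ::1
		return true
	case ip.IsUnspecified(): // 0.0.0.0, :: (reaches localhost on many stacks)
		return true
	case ip.IsLinkLocalUnicast(): // 169.254.0.0/16 (cloud metadata lives here), fe80::/10
		return true
	case ip.IsPrivate(): // RFC 1918 (10/8, 172.16/12, 192.168/16) and IPv6 ULA fc00::/7
		return true
	case ip.IsMulticast(), ip.IsInterfaceLocalMulticast(), ip.IsLinkLocalMulticast():
		return true
	}
	return cgnat.Contains(ip)
}

// checkDialAddress is the net.Dialer.Control hook. By the time Control runs the
// hostname has been resolved, so address is always "ip:port". Enforcing the policy
// here, rather than on the URL's hostname before the request, closes the DNS-rebinding
// gap where a public-looking name resolves to 127.0.0.1 or 169.254.169.254.
func checkDialAddress(network, address string) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("web_fetch: unexpected dial address %q: %w", address, err)
	}
	if isBlockedAddr(ap.Addr()) {
		return fmt.Errorf("%w: %s", ErrBlockedAddress, ap.Addr())
	}
	return nil
}

// newSafeFetchClient builds an http.Client whose every TCP connect, including the
// ones made after a 3xx redirect, passes through checkDialAddress. No Proxy is set,
// so the dialed address is the real destination and not a proxy's.
func newSafeFetchClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			return checkDialAddress(network, address)
		},
	}
	return &http.Client{
		Transport: &http.Transport{DialContext: dialer.DialContext},
		Timeout:   15 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("web_fetch: too many redirects")
			}
			return nil // the redirected request re-dials through Control as well
		},
	}
}

func main() {
	// Constructed dial targets as the Control hook would see them.
	for _, addr := range []string{"127.0.0.1:80", "169.254.169.254:80", "10.0.0.5:443", "[fd00::1]:80", "[::ffff:192.168.1.1]:80", "93.184.216.34:443"} {
		fmt.Printf("%-28s blocked=%v\n", addr, checkDialAddress("tcp", addr) != nil)
	}
	_ = newSafeFetchClient()
}
```

The hook runs once per connection attempt, so a dual-stack host is checked for each candidate address; if an outbound proxy is ever configured on this Transport the check would have to move into the proxy, because the dialer then only ever sees the proxy's address.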