fix(security): block shell escape bypasses, symlink TOCTOU, and working_dir escape #1
Merged
AlexanderGalkin95 merged 4 commits into main on Feb 16, 2026
…-default ACL
Close critical attack chain: empty allow_from → any user → prompt injection →
exec denylist bypass → full system access.
- Expand shell denylist with 10 new patterns (rm long flags, base64→shell,
python/perl/ruby -c/-e, eval, curl/wget→shell, find -exec rm, xargs rm,
fdisk/parted/wipefs)
- Block shell metacharacters ($(), ${}, backticks), $VAR expansion and
cd /absolute in workspace-restricted mode
- Change empty allow_from from allow-all to deny-all (deny-by-default)
- Add logger.WarnCF at all block points and rejected messages
- Add tests for 18 bypass techniques, 6 metacharacter escapes, and
5 safe-command allowance checks
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
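As an added example (not code from the PR or the project), the two policy changes the commit above describes, sketched in Go: allow_from becoming deny-by-default, and a restricted-mode check that rejects shell metacharacters, $VAR expansion and cd to an absolute path, with a warning logged at every block point. ExecPolicy, CheckCommand and the pattern list are assumptions made for this sketch; the project's real denylist, its config keys and its logger.WarnCF are not reproduced.

```go
package main

import (
	"fmt"
	"log"
	"regexp"
)

// ExecPolicy holds the two settings whose semantics the commit changes:
// allow_from, the user IDs permitted to reach the exec tool, and whether
// exec runs in workspace-restricted mode. (Assumed shape, not the project's.)
type ExecPolicy struct {
	AllowFrom  []string
	Restricted bool
}

// Allowed is deny-by-default: an empty allow_from admits nobody, where the
// pre-fix behaviour admitted everybody.
func (p ExecPolicy) Allowed(user string) bool {
	for _, u := range p.AllowFrom {
		if u == user {
			return true
		}
	}
	log.Printf("WARN exec: rejected message from %q: not in allow_from", user)
	return false
}

// Constructed, illustrative patterns (not the project's list): constructs
// that make the command an operator reads differ from what the shell runs,
// or that step out of the workspace.
var restrictedPatterns = []struct {
	re  *regexp.Regexp
	why string
}{
	{regexp.MustCompile(`\$\(`), "command substitution $(...)"},
	{regexp.MustCompile("`"), "backtick command substitution"},
	{regexp.MustCompile(`\$\{`), "parameter expansion ${...}"},
	{regexp.MustCompile(`\$[\w@*?#!-]`), "variable expansion $VAR"},
	{regexp.MustCompile(`(^|[;&|\n]\s*)cd\s+/`), "cd to an absolute path"},
}

// CheckCommand returns "" when cmd may run for user under this policy, and
// otherwise the reason it was blocked. Each block point logs a warning so
// the attempt is visible to the operator.
func (p ExecPolicy) CheckCommand(user, cmd string) string {
	if !p.Allowed(user) {
		return "user not in allow_from"
	}
	if !p.Restricted {
		return ""
	}
	for _, pat := range restrictedPatterns {
		if pat.re.MatchString(cmd) {
			log.Printf("WARN exec: blocked %q for %s: %s", cmd, user, pat.why)
			return "blocked in restricted mode: " + pat.why
		}
	}
	return ""
}

func main() {
	p := ExecPolicy{AllowFrom: []string{"alice"}, Restricted: true}
	for _, c := range []string{"ls -la", "git status; cd src", "echo $(id)", "cd /etc"} {
		fmt.Printf("%-22q -> %q\n", c, p.CheckCommand("alice", c))
	}
	fmt.Println(ExecPolicy{}.CheckCommand("bob", "ls")) // empty allow_from: denied
}
```

Two design points follow from the page itself. The deny-by-default change is the one that breaks the chain: without an admitted user there is no prompt to inject into. The pattern list, by contrast, is a catch-up control; the third commit on this page adds five more patterns for quoting and escape tricks that slipped past the first set, which is the usual life cycle of a shell denylist. Where the tool can execute the program with an argv and no `sh -c`, the expansion problem disappears and the pattern check becomes defence in depth rather than the only barrier.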
… HTTP in provider
Block requests to internal/private networks (loopback, link-local, RFC1918, IPv6 ULA) in WebFetchTool to prevent SSRF attacks targeting cloud metadata and internal services.
Log a warning when HTTPProvider is configured with plain http:// API base, as API keys may be transmitted without encryption.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
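An added example (not the project's WebFetchTool or HTTPProvider code) of the two protections in the commit above. The address classification uses the standard library's net/netip predicates for the ranges the commit lists, and the check is wired into a net.Dialer Control hook so it runs on the IP actually dialled, after DNS resolution and on every redirect hop; IsInternal, IsInternalHost, blockInternalDial, NewFetchClient and WarnIfPlainHTTP are names assumed for this example.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"syscall"
	"time"
)

// IsInternal reports whether a fetch tool must refuse to connect to a:
// loopback, RFC1918 private and IPv6 unique-local (netip's IsPrivate covers
// both), link-local (which includes the 169.254.169.254 metadata endpoint),
// multicast, and the unspecified address. IPv4-mapped IPv6 forms such as
// ::ffff:10.0.0.1 are unmapped first so they cannot slip past the IPv4 checks.
func IsInternal(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast() ||
		a.IsMulticast() || a.IsUnspecified()
}

// IsInternalHost applies IsInternal to a literal IP string (zone suffixes
// such as fe80::1%eth0 are accepted). Hostnames return false here: they are
// judged after resolution in blockInternalDial.
func IsInternalHost(host string) bool {
	a, err := netip.ParseAddr(host)
	return err == nil && IsInternal(a)
}

// blockInternalDial is a net.Dialer Control hook. Go invokes it with the
// concrete IP:port after DNS resolution and just before connect(2), so the
// decision is made on the address really dialled rather than on the hostname
// in the request. That covers names that resolve into private space, every
// hop of a redirect chain, and literals like "127.1" that a resolver would
// otherwise expand to 127.0.0.1.
func blockInternalDial(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if IsInternalHost(host) {
		log.Printf("WARN webfetch: refused connection to internal address %s", address)
		return fmt.Errorf("webfetch: destination %s is an internal address", address)
	}
	return nil
}

// NewFetchClient builds an http.Client whose every TCP connection, redirects
// included, passes through blockInternalDial.
func NewFetchClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second, Control: blockInternalDial}
	return &http.Client{
		Timeout: 30 * time.Second,
		// Proxy is deliberately left nil: with an environment proxy the dialer
		// would connect to the proxy, not the target, and skip the check.
		Transport: &http.Transport{DialContext: dialer.DialContext},
	}
}

// WarnIfPlainHTTP logs the warning the commit describes for an HTTPProvider
// API base that uses plain http, and reports whether it fired.
func WarnIfPlainHTTP(apiBase string) bool {
	u, err := url.Parse(apiBase)
	if err != nil || u.Scheme != "http" {
		return false
	}
	log.Printf("WARN provider: api_base %q uses plain http; the API key may be sent unencrypted", apiBase)
	return true
}

func main() {
	for _, h := range []string{"169.254.169.254", "10.1.2.3", "::ffff:127.0.0.1", "93.184.216.34"} {
		fmt.Printf("%-18s internal=%v\n", h, IsInternalHost(h))
	}
	_ = NewFetchClient()
	WarnIfPlainHTTP("http://llm.internal:8080/v1") // constructed sample base URL
}
```

Checking only the URL's host before the request would leave two gaps that the Control hook closes: a public hostname that resolves (or later re-resolves) to a private address, and a 3xx redirect from a public site into the metadata service. Both end in a dial to an internal IP, and that is where the check now sits.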
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ng_dir escape
- Add 5 regex patterns to block ANSI-C/locale quoting, hex/octal escapes, and escaped metacharacters that bypassed shell denylist in restricted mode
- Add safeReadFile/safeWriteFile/safeOpenFile wrappers that re-verify symlink targets right before I/O to close TOCTOU race window
- Validate working_dir parameter stays within workspace when restricted
- Document all three protections in README security section
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
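An added example (not the project's safeReadFile/safeWriteFile/safeOpenFile) of the symlink TOCTOU closer and the working_dir check from the commit above, written in Go for Unix-like systems (it relies on O_NOFOLLOW). The confinement step resolves every symlink and compares against the resolved workspace root; the race window between that check and the actual I/O is closed by opening with O_NOFOLLOW and then comparing fstat on the open descriptor with a fresh lstat of the path. All function names and the error value are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"syscall"
)

var ErrOutsideWorkspace = errors.New("path resolves outside workspace")

// resolveInside follows all symlinks in p (relative paths are taken relative
// to root) and checks the result is under the likewise-resolved root.
func resolveInside(root, p string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(p) {
		p = filepath.Join(realRoot, p)
	}
	resolved, err := filepath.EvalSymlinks(p)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, resolved)
	sep := string(filepath.Separator)
	if err != nil || rel == ".." || (len(rel) > 2 && rel[:3] == ".."+sep) {
		return "", ErrOutsideWorkspace
	}
	return resolved, nil
}

// resolveTarget extends resolveInside to a file that may not exist yet: the
// parent directory is resolved and confined, then the bare name is appended.
func resolveTarget(root, p string) (string, error) {
	resolved, err := resolveInside(root, p)
	if err == nil || !errors.Is(err, os.ErrNotExist) {
		return resolved, err
	}
	dir, base := filepath.Split(filepath.Clean(p))
	if base == "" || base == "." || base == ".." {
		return "", fmt.Errorf("invalid file name %q", p)
	}
	realDir, err := resolveInside(root, filepath.Clean(dir))
	if err != nil {
		return "", err
	}
	return filepath.Join(realDir, base), nil
}

// SafeOpenFile confines the path, opens it with O_NOFOLLOW, and re-checks on
// the open descriptor that it is still the same regular file. A symlink
// swapped in after resolution makes the open fail; any other swap fails the
// fstat/lstat comparison. That is what closes the TOCTOU window.
func SafeOpenFile(root, p string, flag int, perm os.FileMode) (*os.File, error) {
	resolved, err := resolveTarget(root, p)
	if err != nil {
		return nil, err
	}
	f, err := os.OpenFile(resolved, flag|syscall.O_NOFOLLOW, perm)
	if err != nil {
		return nil, err
	}
	fi, err := f.Stat()
	li, lerr := os.Lstat(resolved)
	if err != nil || lerr != nil || !os.SameFile(fi, li) || !fi.Mode().IsRegular() {
		f.Close()
		return nil, fmt.Errorf("%s: file changed between check and open", resolved)
	}
	return f, nil
}

// SafeReadFile and SafeWriteFile are the I/O wrappers built on SafeOpenFile.
func SafeReadFile(root, p string) ([]byte, error) {
	f, err := SafeOpenFile(root, p, os.O_RDONLY, 0)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

func SafeWriteFile(root, p string, data []byte, perm os.FileMode) error {
	f, err := SafeOpenFile(root, p, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
	if err != nil {
		return err
	}
	if _, err = f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// ValidateWorkingDir accepts a working_dir only if it is a directory inside root.
func ValidateWorkingDir(root, dir string) (string, error) {
	resolved, err := resolveInside(root, dir)
	if err != nil {
		return "", err
	}
	if fi, err := os.Stat(resolved); err != nil || !fi.IsDir() {
		return "", fmt.Errorf("working_dir %q is not a directory", dir)
	}
	return resolved, nil
}

func main() {
	root, _ := os.MkdirTemp("", "workspace") // constructed scratch workspace
	defer os.RemoveAll(root)
	fmt.Println(SafeWriteFile(root, "notes.txt", []byte("hello"), 0o600))
	fmt.Println(SafeReadFile(root, "notes.txt"))
}
```

Two limits worth knowing. The O_NOFOLLOW plus fstat/lstat pair guards the final path component; a directory higher up that is swapped for a symlink between EvalSymlinks and open is only caught when the inode comparison happens to differ, so on Go 1.24 and later the standard library's os.Root (os.OpenRoot) is the stronger primitive, since it walks each component with openat semantics and refuses any escape by design. And a dangling symlink inside the workspace is safe with this code: resolveTarget falls back to the parent directory, and the O_CREATE open then fails on the symlink because of O_NOFOLLOW rather than creating the target outside.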
Summary
Test plan
- go vet ./pkg/tools/... passes
- go test ./pkg/tools/... -count=1 — all tests pass
🤖 Generated with Claude Code