feat: tool hardening — deny-by-default, SSRF, path traversal, allowlists

Security changes in the 4 agent tools:

- tools/file: deny-by-default (empty AllowedPaths = everything denied),
  symlink resolution with EvalSymlinks, protection against path
  traversal (../) and prefix confusion (/opt vs /opt1234)
- tools/ssh: new AllowedCommands allowlist (complements ForbiddenCommands),
  shell syntax validation (blocks pipes, subshells, redirects, chains)
- tools/http: SSRF protection blocking private, loopback, link-local and
  metadata (169.254.169.254) IPs. Case-insensitive domain validation.
- tools/matrix: new AllowedRooms parameter to restrict destination rooms
- internal/config/schema: AllowedCommands in SSHToolCfg, new MatrixToolCfg
- agents/runtime: passes MatrixToolCfg to the matrix_send constructor

Part of issue 0019 (prompt injection hardening). Feature flag OFF.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
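The file-path and HTTP checks listed in the commit message (deny-by-default allowlist, EvalSymlinks resolution, prefix-confusion and traversal rejection, SSRF address blocking, case-insensitive domain match), as an added illustration that is not the repository's code. The function names `pathAllowed`, `blockedIP`, `domainAllowed` and `checkHTTPTarget` and the sample inputs are assumptions made here; the project's own tools/file and tools/http implementations are not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"os"
	"path/filepath"
	"strings"
)

// pathAllowed reports whether target lies inside one of allowedRoots.
// An empty allowlist denies everything (deny-by-default). Both sides are
// passed through EvalSymlinks so a link that points outside a root is
// rejected, and filepath.Rel gives a real containment test: "/opt1234"
// relative to "/opt" is "../opt1234", so string-prefix confusion cannot
// occur. Paths that do not exist are denied rather than guessed at.
func pathAllowed(allowedRoots []string, target string) (bool, error) {
	if len(allowedRoots) == 0 {
		return false, nil
	}
	abs, err := filepath.Abs(target)
	if err != nil {
		return false, err
	}
	real, err := filepath.EvalSymlinks(abs)
	if err != nil {
		return false, err
	}
	sep := string(filepath.Separator)
	for _, root := range allowedRoots {
		rootReal, err := filepath.EvalSymlinks(root)
		if err != nil {
			continue // a misconfigured root never grants access
		}
		rel, err := filepath.Rel(rootReal, real)
		if err != nil {
			continue
		}
		if rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+sep)) {
			return true, nil
		}
	}
	return false, nil
}

// blockedIP is the SSRF check: loopback, RFC 1918 / ULA private ranges,
// link-local (which contains the cloud metadata address 169.254.169.254),
// unspecified and multicast addresses are never contacted. Unmap() folds
// IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 into the same rules.
func blockedIP(ip netip.Addr) bool {
	ip = ip.Unmap()
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// domainAllowed matches host against the allowlist case-insensitively and
// ignoring a trailing dot; an empty allowlist denies.
func domainAllowed(allowed []string, host string) bool {
	norm := func(s string) string { return strings.TrimSuffix(strings.ToLower(s), ".") }
	for _, a := range allowed {
		if norm(a) == norm(host) {
			return true
		}
	}
	return false
}

// checkHTTPTarget takes the addresses host already resolved to, so the caller
// can dial exactly the address that was checked; resolving again after the
// check would let the DNS answer change between check and connect.
func checkHTTPTarget(allowedDomains []string, host string, resolved []netip.Addr) error {
	if !domainAllowed(allowedDomains, host) {
		return fmt.Errorf("host %q is not in the allowlist", host)
	}
	if len(resolved) == 0 {
		return errors.New("host resolved to no addresses")
	}
	for _, ip := range resolved {
		if blockedIP(ip) {
			return fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs for a stand-alone run.
	for _, s := range []string{"169.254.169.254", "::ffff:10.0.0.5", "93.184.216.34"} {
		fmt.Printf("%-16s blocked=%v\n", s, blockedIP(netip.MustParseAddr(s)))
	}
	root, _ := os.MkdirTemp("", "allowed")
	defer os.RemoveAll(root)
	for _, p := range []string{root, filepath.Join(root, ".."), root + "1234"} {
		ok, err := pathAllowed([]string{root}, p)
		fmt.Printf("%s -> allowed=%v err=%v\n", p, ok, err)
	}
}
```

The containment test deliberately runs on resolved paths and returns an error for anything that does not exist, so a tool caller cannot learn about the filesystem outside its roots from the allow/deny answer alone; the HTTP check accepts pre-resolved addresses for the same reason the commit resolves symlinks once: the thing checked must be the thing used.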
2026-03-07 19:17:00 +00:00
parent 71a009f890
commit 4e7aa95adb
6 changed files with 195 additions and 21 deletions
@@ -125,11 +125,16 @@ type ToolsCfg struct {
HTTP HTTPToolCfg `yaml:"http"`
Scripts ScriptsCfg `yaml:"scripts"`
FileOps FileOpsCfg `yaml:"file_ops"`
Matrix MatrixToolCfg `yaml:"matrix_send"`
MCP MCPToolCfg `yaml:"mcp"`
Memory MemoryToolCfg `yaml:"memory"`
Knowledge KnowledgeToolCfg `yaml:"knowledge"`
}
type MatrixToolCfg struct {
AllowedRooms []string `yaml:"allowed_rooms"` // if non-empty, only these room IDs can be targeted
}
type KnowledgeToolCfg struct {
Enabled bool `yaml:"enabled"`
Dir string `yaml:"dir"` // default: "./knowledge" (relative to agent dir)
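Review bot: MatrixToolCfg has no Enabled field, unlike KnowledgeToolCfg and SSHToolCfg, so there is no per-tool switch here even though the commit message mentions a feature flag; and the comment on AllowedRooms makes an empty list mean "any room", the opposite of the deny-by-default chosen for the file tool's AllowedPaths in this same change. Suggest either adopting the same semantics (empty = deny) or stating the difference in the comment, e.g. `AllowedRooms []string \`yaml:"allowed_rooms"\` // empty = unrestricted (unlike file_ops.allowed_paths)`, and adding `Enabled bool \`yaml:"enabled"\`` for consistency with the other tool configs.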
@@ -138,6 +143,7 @@ type KnowledgeToolCfg struct {
type SSHToolCfg struct {
Enabled bool `yaml:"enabled"`
AllowedTargets []string `yaml:"allowed_targets"`
AllowedCommands []string `yaml:"allowed_commands"` // allowlist: if non-empty, only these command prefixes are permitted
ForbiddenCommands []string `yaml:"forbidden_commands"`
Timeout time.Duration `yaml:"timeout"`
MaxConcurrent int `yaml:"max_concurrent"`
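Review bot: the AllowedCommands comment says entries are "command prefixes", which invites the same prefix confusion the commit message fixes for paths (/opt vs /opt1234): an entry `ls` would also match `lsof`. Suggest the comment, and the matcher it describes, require a token boundary (the command equals the entry or continues with whitespace after it), and state the order of evaluation against ForbiddenCommands (forbidden still checked after the allowlist) so the two lists are not read as mutually exclusive.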