feat: hardening de tools — deny-by-default, SSRF, path traversal, allowlists
Cambios de seguridad en las 4 herramientas de agentes: - tools/file: deny-by-default (AllowedPaths vacío = todo denegado), resolución de symlinks con EvalSymlinks, protección contra path traversal (../) y confusión de prefijos (/opt vs /opt1234) - tools/ssh: nuevo AllowedCommands allowlist (complementa ForbiddenCommands), validación de sintaxis shell (bloquea pipes, subshells, redirects, chains) - tools/http: protección SSRF bloqueando IPs privadas, loopback, link-local, metadata (169.254.169.254). Validación de dominio case-insensitive. - tools/matrix: nuevo parámetro AllowedRooms para restringir rooms destino - internal/config/schema: AllowedCommands en SSHToolCfg, MatrixToolCfg nueva - agents/runtime: pasa MatrixToolCfg al constructor de matrix_send Parte de issue 0019 (prompt injection hardening). Feature flag OFF. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
+40
-3
@@ -12,7 +12,8 @@ import (
|
||||
)
|
||||
|
||||
// NewReadFile creates a read_file tool that reads local files.
|
||||
// Validates paths against cfg.AllowedPaths when non-empty.
|
||||
// Deny-by-default: if AllowedPaths is empty, all reads are rejected.
|
||||
// Resolves symlinks and normalizes paths to prevent traversal attacks.
|
||||
func NewReadFile(cfg config.FileOpsCfg) tools.Tool {
|
||||
return tools.Tool{
|
||||
Def: tools.Def{
|
||||
@@ -53,18 +54,54 @@ func NewReadFile(cfg config.FileOpsCfg) tools.Tool {
|
||||
}
|
||||
}
|
||||
|
||||
// validatePath checks that absPath is under one of the allowed paths.
|
||||
// Deny-by-default: if allowedPaths is empty, no paths are allowed.
|
||||
// Resolves symlinks to prevent traversal via ../ or symlink escapes.
|
||||
func validatePath(absPath string, allowedPaths []string) error {
|
||||
if len(allowedPaths) == 0 {
|
||||
return nil
|
||||
return fmt.Errorf("read_file: no allowed paths configured, all reads denied")
|
||||
}
|
||||
|
||||
// Resolve symlinks on the requested path to get the real path.
|
||||
// If the file doesn't exist yet, resolve the parent directory.
|
||||
realPath, err := resolveReal(absPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("read_file: cannot resolve path %q: %w", absPath, err)
|
||||
}
|
||||
|
||||
for _, allowed := range allowedPaths {
|
||||
a, err := filepath.Abs(allowed)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
if strings.HasPrefix(absPath, a) {
|
||||
// Resolve symlinks on the allowed path too.
|
||||
realAllowed, err := resolveReal(a)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
// Ensure the real path is strictly under the allowed directory.
|
||||
// Add trailing separator to prevent /opt matching /opt1234.
|
||||
if strings.HasPrefix(realPath, realAllowed+string(filepath.Separator)) || realPath == realAllowed {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
return fmt.Errorf("path %q not under any allowed path", absPath)
|
||||
}
|
||||
|
||||
// resolveReal resolves symlinks for a path.
|
||||
// If the exact path doesn't exist, it resolves the deepest existing ancestor
|
||||
// and appends the remaining segments, preventing partial traversal.
|
||||
func resolveReal(path string) (string, error) {
|
||||
real, err := filepath.EvalSymlinks(path)
|
||||
if err == nil {
|
||||
return filepath.Clean(real), nil
|
||||
}
|
||||
// Path doesn't exist — resolve parent and append base.
|
||||
parent := filepath.Dir(path)
|
||||
base := filepath.Base(path)
|
||||
realParent, err := filepath.EvalSymlinks(parent)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return filepath.Clean(filepath.Join(realParent, base)), nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user