deer-flow

github/deer-flow

Fork 0

mirror of https://github.com/bytedance/deer-flow.git synced 2026-04-25 11:18:22 +00:00

Commit Graph

Author	SHA1	Message	Date
KKK	3b3e8e1b0b	feat(sandbox): strengthen bash command auditing with compound splitting and expanded patterns (#1881 ) * fix(sandbox): strengthen regex coverage in SandboxAuditMiddleware Expand high-risk patterns from 6 to 13 and medium-risk from 4 to 6, closing several bypass vectors identified by cross-referencing Claude Code's BashSecurity validator chain against DeerFlow's threat model. High-risk additions: - Generalised pipe-to-sh (replaces narrow curl\|sh rule) - Targeted command substitution ($() / backtick with dangerous executables) - base64 decode piped to execution - Overwrite system binaries (/usr/bin/, /bin/, /sbin/) - Overwrite shell startup files (~/.bashrc, ~/.profile, etc.) - /proc//environ leakage - LD_PRELOAD / LD_LIBRARY_PATH hijack - /dev/tcp/ bash built-in networking Medium-risk additions: - sudo/su (no-op under Docker root, warn only) - PATH= modification (long attack chain, warn only) Design decisions: - Command substitution uses targeted matching (curl/wget/bash/sh/python/ ruby/perl/base64) rather than blanket block to avoid false positives on safe usage like $(date) or `whoami`. - Skipped encoding/obfuscation checks (hex, octal, Unicode homoglyphs) as ROI is low in Docker sandbox — LLMs don't generate encoded commands and container isolation bounds the blast radius. - Merged pip/pip3 into single pip3? pattern. feat(sandbox): compound command splitting and fork bomb detection Split compound bash commands (&&, \|\|, ;) into sub-commands and classify each independently — prevents dangerous commands hidden after safe prefixes (e.g. "cd /workspace && rm -rf /") from bypassing detection. - Add _split_compound_command() with shlex quote-aware splitting - Add fork bomb detection patterns (classic and while-loop variants) - Most severe verdict wins; block short-circuits - 15 new tests covering compound commands, splitting, and fork bombs * test(sandbox): add async tests for fork bomb and compound commands Cover awrap_tool_call path for fork bomb detection (3 variants) and compound command splitting (block/warn/pass scenarios). * fix(sandbox): address Copilot review — no-whitespace operators, >>/etc/, whole-command scan - _split_compound_command: replace shlex-based implementation with a character-by-character quote/escape-aware scanner. shlex.split only separates '&&' / '\|\|' / ';' when they are surrounded by whitespace, so payloads like 'rm -rf /&&echo ok' or 'safe;rm -rf /' bypassed the previous splitter and therefore the per-sub-command classifier. - _HIGH_RISK_PATTERNS: change r'>\s/etc/' to r'>+\s/etc/' so append redirection ('>>/etc/hosts') is also blocked. - _classify_command: run a whole-command high-risk scan before splitting. Structural attacks like 'while true; do bash & done' span multiple shell statements — splitting on ';' destroys the pattern context, so the raw command must be scanned first. - tests: add no-whitespace operator cases to TestSplitCompoundCommand and test_compound_command_classification to lock in the bypass fix.	2026-04-07 17:15:24 +08:00
KKK	055e4df049	fix(sandbox): add input sanitisation guard to SandboxAuditMiddleware (#1872 ) * fix(sandbox): add L2 input sanitisation to SandboxAuditMiddleware Add _validate_input() to reject malformed bash commands before regex classification: empty commands, oversized commands (>10 000 chars), and null bytes that could cause detection/execution layer inconsistency. * fix(sandbox): address Copilot review — type guard, log truncation, reject reason - Coerce None/non-string command to str before validation - Truncate oversized commands in audit logs to prevent log amplification - Propagate reject_reason through _pre_process() to block message - Remove L2 label from comments and test class names * fix(sandbox): isinstance type guard + async input sanitisation tests Address review comments: - Replace str() coercion with isinstance(raw_command, str) guard so non-string truthy values (0, [], False) fall back to empty string instead of passing validation as "0"/"[]"/"False". - Add TestInputSanitisationBlocksInAwrapToolCall with 4 async tests covering empty, null-byte, oversized, and None command via awrap_tool_call path.	2026-04-06 17:21:58 +08:00
SHIYAO ZHANG	9aa3ff7c48	feat(sandbox): add SandboxAuditMiddleware for bash command security auditing (#1532 ) * feat(sandbox): add SandboxAuditMiddleware for bash command security auditing Addresses the LocalSandbox escape vector reported in #1224 where bash tool calls can execute destructive commands against the host filesystem. - Add SandboxAuditMiddleware with three-tier command classification: - High-risk (block): rm -rf /, curl\|bash, dd if=, mkfs, /etc/shadow access - Medium-risk (warn): pip install, apt install, chmod 777 - Safe (pass): normal workspace operations - Register middleware after GuardrailMiddleware in _build_runtime_middlewares, applied to both lead agent and subagents - Structured audit log via standard logger (visible in langgraph.log) - Medium-risk commands execute but append a warning to the tool result, allowing the LLM to self-correct without blocking legitimate workflows - High-risk commands return an error ToolMessage without calling the handler, so the agent loop continues gracefully * fix(lint): sort imports in test_sandbox_audit_middleware * refactor(sandbox-audit): address Copilot review feedback (3/5/6) - Fix class docstring to match implementation: medium-risk commands are executed with a warning appended (not rejected), and cwd anchoring note removed (handled in a separate PR) - Remove capsys.disabled() from benchmark test to avoid CI log noise; keep assertions for recall/precision targets - Remove misleading 'cwd fix' from test module docstring * test(sandbox-audit): add async tests for awrap_tool_call * fix(sandbox-audit): address Copilot review feedback (1/2) - Narrow rm high-risk regex to only block truly destructive targets (/, /, ~, ~/, /home, /root); legitimate workspace paths like /mnt/user-data/ are no longer false-positived - Handle list-typed ToolMessage content in _append_warn_to_result; append a text block instead of str()-ing the list to avoid breaking structured content normalization * style: apply ruff format to sandbox_audit_middleware files * fix(sandbox-audit): update benchmark comment to match assert-based implementation --------- Co-authored-by: Willem Jiang <willem.jiang@gmail.com>	2026-03-30 07:48:31 +08:00

Author

SHA1

Message

Date

KKK

3b3e8e1b0b

feat(sandbox): strengthen bash command auditing with compound splitting and expanded patterns (#1881 )

* fix(sandbox): strengthen regex coverage in SandboxAuditMiddleware

Expand high-risk patterns from 6 to 13 and medium-risk from 4 to 6,
closing several bypass vectors identified by cross-referencing Claude
Code's BashSecurity validator chain against DeerFlow's threat model.

High-risk additions:
- Generalised pipe-to-sh (replaces narrow curl|sh rule)
- Targeted command substitution ($() / backtick with dangerous executables)
- base64 decode piped to execution
- Overwrite system binaries (/usr/bin/, /bin/, /sbin/)
- Overwrite shell startup files (~/.bashrc, ~/.profile, etc.)
- /proc/*/environ leakage
- LD_PRELOAD / LD_LIBRARY_PATH hijack
- /dev/tcp/ bash built-in networking

Medium-risk additions:
- sudo/su (no-op under Docker root, warn only)
- PATH= modification (long attack chain, warn only)

Design decisions:
- Command substitution uses targeted matching (curl/wget/bash/sh/python/
  ruby/perl/base64) rather than blanket block to avoid false positives
  on safe usage like $(date) or `whoami`.
- Skipped encoding/obfuscation checks (hex, octal, Unicode homoglyphs)
  as ROI is low in Docker sandbox — LLMs don't generate encoded commands
  and container isolation bounds the blast radius.
- Merged pip/pip3 into single pip3? pattern.

* feat(sandbox): compound command splitting and fork bomb detection

Split compound bash commands (&&, ||, ;) into sub-commands and classify
each independently — prevents dangerous commands hidden after safe
prefixes (e.g. "cd /workspace && rm -rf /") from bypassing detection.

- Add _split_compound_command() with shlex quote-aware splitting
- Add fork bomb detection patterns (classic and while-loop variants)
- Most severe verdict wins; block short-circuits
- 15 new tests covering compound commands, splitting, and fork bombs

* test(sandbox): add async tests for fork bomb and compound commands

Cover awrap_tool_call path for fork bomb detection (3 variants) and
compound command splitting (block/warn/pass scenarios).

* fix(sandbox): address Copilot review — no-whitespace operators, >>/etc/, whole-command scan

- _split_compound_command: replace shlex-based implementation with a
  character-by-character quote/escape-aware scanner. shlex.split only
  separates '&&' / '||' / ';' when they are surrounded by whitespace,
  so payloads like 'rm -rf /&&echo ok' or 'safe;rm -rf /' bypassed the
  previous splitter and therefore the per-sub-command classifier.
- _HIGH_RISK_PATTERNS: change r'>\s*/etc/' to r'>+\s*/etc/' so append
  redirection ('>>/etc/hosts') is also blocked.
- _classify_command: run a whole-command high-risk scan *before*
  splitting. Structural attacks like 'while true; do bash & done'
  span multiple shell statements — splitting on ';' destroys the
  pattern context, so the raw command must be scanned first.
- tests: add no-whitespace operator cases to TestSplitCompoundCommand
  and test_compound_command_classification to lock in the bypass fix.

2026-04-07 17:15:24 +08:00

KKK

055e4df049

fix(sandbox): add input sanitisation guard to SandboxAuditMiddleware (#1872 )

* fix(sandbox): add L2 input sanitisation to SandboxAuditMiddleware

Add _validate_input() to reject malformed bash commands before regex
classification: empty commands, oversized commands (>10 000 chars), and
null bytes that could cause detection/execution layer inconsistency.

* fix(sandbox): address Copilot review — type guard, log truncation, reject reason

- Coerce None/non-string command to str before validation
- Truncate oversized commands in audit logs to prevent log amplification
- Propagate reject_reason through _pre_process() to block message
- Remove L2 label from comments and test class names

* fix(sandbox): isinstance type guard + async input sanitisation tests

Address review comments:
- Replace str() coercion with isinstance(raw_command, str) guard so
  non-string truthy values (0, [], False) fall back to empty string
  instead of passing validation as "0"/"[]"/"False".
- Add TestInputSanitisationBlocksInAwrapToolCall with 4 async tests
  covering empty, null-byte, oversized, and None command via
  awrap_tool_call path.

2026-04-06 17:21:58 +08:00

SHIYAO ZHANG

9aa3ff7c48

feat(sandbox): add SandboxAuditMiddleware for bash command security auditing (#1532 )

* feat(sandbox): add SandboxAuditMiddleware for bash command security auditing

Addresses the LocalSandbox escape vector reported in #1224 where bash tool
calls can execute destructive commands against the host filesystem.

- Add SandboxAuditMiddleware with three-tier command classification:
  - High-risk (block): rm -rf /, curl|bash, dd if=, mkfs, /etc/shadow access
  - Medium-risk (warn): pip install, apt install, chmod 777
  - Safe (pass): normal workspace operations
- Register middleware after GuardrailMiddleware in _build_runtime_middlewares,
  applied to both lead agent and subagents
- Structured audit log via standard logger (visible in langgraph.log)
- Medium-risk commands execute but append a warning to the tool result,
  allowing the LLM to self-correct without blocking legitimate workflows
- High-risk commands return an error ToolMessage without calling the handler,
  so the agent loop continues gracefully

* fix(lint): sort imports in test_sandbox_audit_middleware

* refactor(sandbox-audit): address Copilot review feedback (3/5/6)

- Fix class docstring to match implementation: medium-risk commands are
  executed with a warning appended (not rejected), and cwd anchoring note
  removed (handled in a separate PR)
- Remove capsys.disabled() from benchmark test to avoid CI log noise;
  keep assertions for recall/precision targets
- Remove misleading 'cwd fix' from test module docstring

* test(sandbox-audit): add async tests for awrap_tool_call

* fix(sandbox-audit): address Copilot review feedback (1/2)

- Narrow rm high-risk regex to only block truly destructive targets
  (/, /*, ~, ~/*, /home, /root); legitimate workspace paths like
  /mnt/user-data/ are no longer false-positived
- Handle list-typed ToolMessage content in _append_warn_to_result;
  append a text block instead of str()-ing the list to avoid breaking
  structured content normalization

* style: apply ruff format to sandbox_audit_middleware files

* fix(sandbox-audit): update benchmark comment to match assert-based implementation

---------

Co-authored-by: Willem Jiang <willem.jiang@gmail.com>

2026-03-30 07:48:31 +08:00

3 Commits