Security audit: Fix critical dependency vulnerabilities and add security controls

Co-authored-by: kingassune <6126851+kingassune@users.noreply.github.com>
2026-02-03 22:08:33 +00:00
parent 9d4c00ac6a
commit 8b4e0a8868
6 changed files with 351 additions and 8 deletions
--- a/nanobot/agent/tools/filesystem.py
+++ b/nanobot/agent/tools/filesystem.py
@@ -6,6 +6,34 @@ from typing import Any
 from nanobot.agent.tools.base import Tool


+def _validate_path(path: str, base_dir: Path | None = None) -> tuple[bool, Path | str]:
+    """
+    Validate path to prevent directory traversal attacks.
+    
+    Args:
+        path: The path to validate
+        base_dir: Optional base directory to restrict operations to
+        
+    Returns:
+        Tuple of (is_valid, resolved_path_or_error_message)
+    """
+    try:
+        file_path = Path(path).expanduser().resolve()
+        
+        # If base_dir is specified, ensure the path is within it
+        if base_dir is not None:
+            base_resolved = base_dir.resolve()
+            try:
+                # Check if file_path is relative to base_dir
+                file_path.relative_to(base_resolved)
+            except ValueError:
+                return False, f"Error: Path {path} is outside allowed directory"
+        
+        return True, file_path
+    except Exception as e:
+        return False, f"Error: Invalid path: {str(e)}"
+
+
 class ReadFileTool(Tool):
    """Tool to read file contents."""
    
@@ -32,7 +60,11 @@ class ReadFileTool(Tool):
    
    async def execute(self, path: str, **kwargs: Any) -> str:
        try:
-            file_path = Path(path).expanduser()
+            is_valid, result = _validate_path(path)
+            if not is_valid:
+                return str(result)
+            
+            file_path = result
            if not file_path.exists():
                return f"Error: File not found: {path}"
            if not file_path.is_file():
@@ -76,7 +108,11 @@ class WriteFileTool(Tool):
    
    async def execute(self, path: str, content: str, **kwargs: Any) -> str:
        try:
-            file_path = Path(path).expanduser()
+            is_valid, result = _validate_path(path)
+            if not is_valid:
+                return str(result)
+            
+            file_path = result
            file_path.parent.mkdir(parents=True, exist_ok=True)
            file_path.write_text(content, encoding="utf-8")
            return f"Successfully wrote {len(content)} bytes to {path}"
@@ -120,7 +156,11 @@ class EditFileTool(Tool):
    
    async def execute(self, path: str, old_text: str, new_text: str, **kwargs: Any) -> str:
        try:
-            file_path = Path(path).expanduser()
+            is_valid, result = _validate_path(path)
+            if not is_valid:
+                return str(result)
+            
+            file_path = result
            if not file_path.exists():
                return f"Error: File not found: {path}"
            
@@ -170,7 +210,11 @@ class ListDirTool(Tool):
    
    async def execute(self, path: str, **kwargs: Any) -> str:
        try:
-            dir_path = Path(path).expanduser()
+            is_valid, result = _validate_path(path)
+            if not is_valid:
+                return str(result)
+            
+            dir_path = result
            if not dir_path.exists():
                return f"Error: Directory not found: {path}"
            if not dir_path.is_dir():