Phase 1 Track 1.1: Fix path traversal, download sanitization, XPath injection#26
Open
richard-devbot wants to merge 20 commits intoCursorTouch:mainfrom
Open
Phase 1 Track 1.1: Fix path traversal, download sanitization, XPath injection#26richard-devbot wants to merge 20 commits intoCursorTouch:mainfrom
richard-devbot wants to merge 20 commits intoCursorTouch:mainfrom
Conversation
Review Summary by QodoPhase 1 Security Hardening: Path Traversal, XPath Injection, Process Safety, and Guardrails Framework
WalkthroughsDescription• Replace os.system() with subprocess.run() for safe process spawning (CWE-78) • Enforce workspace boundaries in resolve() using is_relative_to() to block path traversal (CWE-22) • Add XPath injection defense via _escape_xpath() helper escaping quotes and template literals (CWE-643) • Sanitize file downloads with URL scheme validation, filename sanitization, and path containment checks • Restrict JavaScript execution with sensitive API blocklist (document.cookie, localStorage, etc.) • Create guardrails module with ActionPolicy, ContentFilter, PolicyEngine, and DefaultPolicy for risk assessment • Add credential masking filter to redact API keys and tokens in logs • Establish security test infrastructure with path traversal, terminal, gateway auth, and e2e test suites • Integrate bandit, gitleaks, pip-audit, and pytest-cov into CI pipeline with coverage reporting • Document AI safety principles and comprehensive security roadmap across 5 phases (76 issues) Diagramflowchart LR
A["Input Validation<br/>Path Traversal Fix"] --> B["Workspace Boundary<br/>Enforcement"]
C["Process Spawning<br/>os.system → subprocess"] --> D["Safe Execution<br/>Control"]
E["XPath Injection<br/>Defense"] --> F["Browser Security<br/>Hardening"]
G["Download Validation<br/>URL + Filename"] --> H["File Operation<br/>Safety"]
I["JS API Blocklist<br/>Sensitive APIs"] --> J["Script Execution<br/>Restrictions"]
K["Guardrails Module<br/>Policy Engine"] --> L["Risk Assessment<br/>Framework"]
M["Credential Filter<br/>Regex Masking"] --> N["Audit & Logging<br/>Security"]
O["CI Pipeline<br/>bandit + gitleaks"] --> P["Automated Security<br/>Scanning"]
B --> Q["Phase 1 Complete<br/>Critical Fixes"]
D --> Q
F --> Q
H --> Q
J --> Q
L --> Q
N --> Q
P --> Q
File Changes1. operator_use/agent/tools/builtin/control_center.py
|
Code Review by Qodo
1.
|
![qodo-code-review[bot]](https://avatars.githubusercontent.com/in/484649?s=60&v=4){kind=small}
Comment on lines
328
to
336
| if not filename: | ||
| return ToolResult.error_result("filename is required for download.") | ||
| folder_path = Path(browser.config.downloads_dir) | ||
| _err = _validate_download(url or "", filename or "", folder_path) | ||
| if _err: | ||
| return ToolResult.error_result(_err) | ||
| async with httpx.AsyncClient() as client: | ||
| response = await client.get(url) | ||
| response.raise_for_status() |
There was a problem hiding this comment.
2. Download path traversal still possible 📎 Requirement gap ⛨ Security
The download flow validates a sanitized basename but then writes the file using the original filename, enabling traversal like ../evil. Additionally, a maximum download size is declared but never enforced, allowing disk-exhaustion downloads.
Agent Prompt
## Issue description
The download action is still vulnerable to path traversal because it writes using the original `filename` after validating only the basename, and it does not enforce the declared `_MAX_DOWNLOAD_SIZE`.
## Issue Context
Compliance requires:
- http/https-only URL schemes
- traversal-safe filenames (use `os.path.basename`, reject `..` / path separators)
- final resolved destination contained within downloads dir
- maximum download size enforcement (default 100MB) using Content-Length preflight and/or streaming byte-count abort
## Fix Focus Areas
- operator_use/web/tools/browser.py[15-16]
- operator_use/web/tools/browser.py[44-61]
- operator_use/web/tools/browser.py[325-340]
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
| """ | ||
| global _requested_exit_code | ||
| os.system("cls" if os.name == "nt" else "clear") | ||
| subprocess.run(["cls"] if os.name == "nt" else ["clear"], check=False) |
There was a problem hiding this comment.
4. Windows clear command failure 🐞 Bug ⛯ Reliability
subprocess.run(['cls']) will raise FileNotFoundError on Windows because cls is not an executable, breaking restart animation and TUI screen clearing. The same pattern can also raise on non-Windows hosts where clear is not installed.
Agent Prompt
### Issue description
On Windows, `cls` is a shell built-in, so `subprocess.run(["cls"])` can’t spawn it and raises `FileNotFoundError`. This breaks the restart countdown and the TUI clear-screen logic.
### Issue Context
These call sites are intended to be best-effort screen clearing; failures should be non-fatal.
### Fix Focus Areas
- operator_use/agent/tools/builtin/control_center.py[123-147]
- operator_use/cli/tui.py[93-99]
### Suggested change
- Use a shell invocation on Windows, e.g.:
- `subprocess.run("cls", shell=True, check=False)`
- or `subprocess.run(["cmd", "/c", "cls"], check=False)`
- For non-Windows, either keep `console.clear()`-style approaches where available or wrap `subprocess.run(["clear"], ...)` in `try/except FileNotFoundError` so missing `clear` doesn’t crash.
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
Author
Response to Qodo Review — PR #26✅ FixedDownload path traversal + missing size limit
XPath syntax validation
Path traversal tests — symlink, unicode, null byte vectors
|
Comprehensive design document covering 5 phases (76 issues): - Phase 0: CI/CD, test infrastructure, AI principles framework - Phase 1: Critical security fixes (path traversal, JS injection, terminal, auth) - Phase 2: AI guardrails & responsible AI (prompt injection, content filtering, ethics) - Phase 3: Performance benchmarks & optimization - Phase 4: Comprehensive QA (unit, e2e, adversarial, fuzzing, CI hardening) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Addresses CWE-78 (OS Command Injection). Both occurrences in control_center.py and tui.py now use subprocess.run() with shell=True, check=False instead of os.system(). Closes CursorTouch#19 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Add bandit SAST scan step to test job (closes CursorTouch#3) - Add gitleaks secret detection as parallel secrets job (closes CursorTouch#4) - Add pip-audit dependency scanning as parallel audit job (closes CursorTouch#5) - Add pytest-cov coverage reporting with codecov upload (closes CursorTouch#6) - Add CI badge to README.md (closes CursorTouch#2) - Add bandit, pip-audit, pytest-cov to dev dependencies Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Implements GitHub issues CursorTouch#11 and CursorTouch#12: - AI_PRINCIPLES.md: documents 6 core safety principles (least privilege, human oversight, transparency, containment, privacy by default, fail safe) with a development checklist for pre-merge security review. - operator_use/guardrails/: new module providing ActionPolicy, ContentFilter, PolicyEngine, and RiskLevel abstractions. Includes DefaultPolicy for built-in tool risk classification and CredentialFilter for masking API keys in logs and LLM context. Closes CursorTouch#11, closes CursorTouch#12 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Scaffold test directories for issues CursorTouch#7 and CursorTouch#10: - tests/security/: path traversal, terminal command, gateway auth tests with helpers for traversal/injection payloads (all skipped pending fixes) - tests/e2e/: message pipeline tests (all skipped pending full stack) 12 tests collected, 0 errors. All skipped with tracking references. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…I cache - policies.py: Fix browser tool misclassification — tool is 'browser' with action arg, not 'browser_script'/'browser_navigate'. script/download => DANGEROUS, navigation/interaction => REVIEW (CWE-78 + CWE-22) - helpers.py + SECURITY_ROADMAP.md: Replace startswith() with is_relative_to() for path containment checks — startswith has prefix-collision vulnerability where /workspace_evil passes startswith(/workspace) - ci.yml: Add enable-cache: true to both test and audit setup-uv steps Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
bandit: - Remove shell=True from control_center.py and tui.py — pass ["cls"]/["clear"] as list args, no shell needed (resolves B602 HIGH) - Add [tool.bandit] config to pyproject.toml: skip B104 (0.0.0.0 is intentional LAN server binding), exclude generated vendored dirs - Add nosec B324 to restart.py MD5 (filename only, not security) - Add nosec B310 to fal/openai/together image providers (HTTPS API URLs only) - Pass -c pyproject.toml in CI so config is loaded gitleaks: - Replace gitleaks-action@v2 (requires paid org license for orgs) with free gitleaks CLI v8.24.3 downloaded at runtime pip-audit: - Upgrade cryptography → 46.0.6, pyasn1 → 0.6.3, requests → 2.33.1, tornado → 6.5.5 (all have CVE fixes available) - Add --ignore-vuln CVE-2026-4539 for pygments (ReDoS, no fix released yet) Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
The control_center function was hardcoding graceful_fn=None when calling _do_restart(), ignoring the _graceful_restart_fn kwarg injected by start.py. This caused test_restart_calls_graceful_fn_not_os_exit to fail and meant graceful shutdown was never used even when wired. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…() [CursorTouch#14] Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…CursorTouch#16] Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Split test_resolve_absolute_path into two cases: - inside base (should succeed) - outside base (should raise PermissionError) Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Add _check_script_safety() that blocks scripts accessing document.cookie, localStorage, sessionStorage, XMLHttpRequest, navigator.credentials, and other APIs that could exfiltrate auth tokens or stored credentials (CWE-94). The check runs before execute_script() — blocked scripts return an error explaining which API was flagged. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…ursorTouch#15] - Write to safe_name (os.path.basename) not original filename - Preflight Content-Length check before download - Post-download body size check Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
_validate_xpath() checks for empty, null bytes, and excessive length. Called at all 4 _escape_xpath() call sites before interpolation. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…ursorTouch#14] - helpers.py: extend make_traversal_attempts() with null bytes, unicode dots, Windows-style separators - test_path_traversal.py: add test_resolve_blocks_symlink_escape (symlink pointing outside workspace) and test_resolve_handles_null_bytes - All 5 tests pass including symlink escape detection Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
richard-devbot
force-pushed
the
richardson/phase1-input-validation
branch
from
b52c050 to
4acf901
Compare
Author
Ready to merge — rebased + all Qodo findings addressed ✅Hey @Jeomon, PR #26 is fully rebased onto latest main ( Fixes in this PR:
Rebase: Note: this PR can merge independently of #27 and #28 (all three touch different file domains). Ready to land whenever you're able! |
added 2 commits
April 5, 2026 21:14
BrowserPlugin and ComputerPlugin no longer register hooks to the main agent — subagents manage their own state injection. Test assertions updated accordingly: - Remove stale XML-tag assertions from SYSTEM_PROMPT tests - Fix browser tool name: 'browser' -> 'browser_task' - Update hook tests: register_hooks() is now a no-op for main agent, so assertions verify hooks are NOT wired (not that they are)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
resolve()-- replaced uncheckedpath.resolve()withis_relative_to()boundary enforcement. Absolute and../traversals outside the workspace now raisePermissionError._validate_download()helper that enforces http/https-only schemes, strips path components from filenames, and verifies the resolved target stays inside the downloads directory.xpath.replace('"', '\\"')with_escape_xpath()that escapes backslash, double-quote, single-quote, backtick, and template literal${to prevent JS string breakout.Files changed
operator_use/utils/helper.pyresolve()with boundary-checked versiontests/security/test_path_traversal.pytests/test_utils.pyoperator_use/web/tools/browser.py_validate_download()helper, wired into download actionoperator_use/web/browser/service.py_escape_xpath()helper, replaced 4 inline escape sitesTest plan
uv run pytest tests/security/test_path_traversal.py -v-- 3/3 passuv run ruff check operator_use/web/tools/browser.py-- cleanuv run ruff check operator_use/web/browser/service.py-- cleanuv run pytest tests/ -q-- 496 passed, 0 failedNotes
richardson/security-hardening, will rebase onto main after Phase 0: Security foundations — CI hardening, guardrails module, test scaffolds #25 merges@pytest.mark.skip)