security: block secret exfiltration via browser URLs and auxiliary LLM calls

Three exfiltration vectors closed:

1. Browser URL exfil — agent could embed secrets in URL params and
   navigate to attacker-controlled server. Now scans URLs for known
   API key patterns before navigating (browser_navigate, web_extract).

2. Browser snapshot leak — page displaying env vars or API keys would
   send secrets to auxiliary LLM via _extract_relevant_content before
   run_agent.py's redaction layer sees the result. Now redacts snapshot
   text before the auxiliary call.

3. Camofox annotation leak — accessibility tree text sent to vision
   LLM could contain secrets visible on screen. Now redacts annotation
   context before the vision call.

10 new tests covering URL blocking, snapshot redaction, and annotation
redaction for both browser and camofox backends.
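The URL check described in vector 1 can be sketched as follows. This is a minimal stand-in: the real pattern lives in `agent.redact._PREFIX_RE` and is not shown in this diff, so the prefixes below (OpenAI-, GitHub-, AWS-, and Slack-style keys) are illustrative assumptions, not the actual regex.

```python
import re

# Hypothetical stand-in for agent.redact._PREFIX_RE; the real pattern is not
# shown in this diff. Matches common API-key prefixes followed by key material.
SECRET_PREFIX_RE = re.compile(
    r"sk-[A-Za-z0-9]{16,}"            # OpenAI-style secret keys
    r"|ghp_[A-Za-z0-9]{36}"           # GitHub personal access tokens
    r"|AKIA[0-9A-Z]{16}"              # AWS access key IDs
    r"|xox[baprs]-[A-Za-z0-9-]{10,}"  # Slack tokens
)

def url_contains_secret(url: str) -> bool:
    """Return True if the URL appears to embed a known API-key pattern."""
    return SECRET_PREFIX_RE.search(url) is not None
```

Scanning the whole URL string (rather than just query parameters) also catches secrets smuggled into the path or fragment.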
0xbyt4 2026-04-01 02:04:13 +03:00 committed by Teknium
parent 7e91009018
commit 712aa44325
4 changed files with 213 additions and 4 deletions


@@ -925,24 +925,26 @@ def web_search_tool(query: str, limit: int = 5) -> str:
async def web_extract_tool(
urls: List[str],
format: str = None,
use_llm_processing: bool = True,
model: str = DEFAULT_SUMMARIZER_MODEL,
min_length: int = DEFAULT_MIN_LENGTH_FOR_SUMMARIZATION
) -> str:
"""
Extract content from specific web pages using available extraction API backend.
This function provides a generic interface for web content extraction that
can work with multiple backends. Currently uses Firecrawl.
Args:
urls (List[str]): List of URLs to extract content from
format (str): Desired output format ("markdown" or "html", optional)
use_llm_processing (bool): Whether to process content with LLM for summarization (default: True)
model (str): The model to use for LLM processing (default: google/gemini-3-flash-preview)
min_length (int): Minimum content length to trigger LLM processing (default: 5000)
Security: URLs are checked for embedded secrets before fetching.
Returns:
str: JSON string containing extracted content. If LLM processing is enabled and successful,
@@ -951,6 +953,16 @@ async def web_extract_tool(
Raises:
Exception: If extraction fails or API key is not set
"""
# Block URLs containing embedded secrets (exfiltration prevention)
from agent.redact import _PREFIX_RE
for _url in urls:
if _PREFIX_RE.search(_url):
return json.dumps({
"success": False,
"error": "Blocked: URL contains what appears to be an API key or token. "
"Secrets must not be sent in URLs.",
})
debug_call_data = {
"parameters": {
"urls": urls,