fix(security): sanitize workdir parameter in terminal tool backends

Shell injection via unquoted workdir interpolation in docker, singularity, and SSH backends. When workdir contained shell metacharacters (e.g. ~/;id), arbitrary commands could execute. Changes: - Add shlex.quote() at each interpolation point in docker.py, singularity.py, and ssh.py with tilde-aware quoting (keep ~ unquoted for shell expansion, quote only the subpath) - Add _validate_workdir() allowlist in terminal_tool.py as defense-in-depth before workdir reaches any backend Original work by Mariano A. Nicolini (PR #5620). Salvaged with fixes for tilde expansion (shlex.quote breaks cd ~/path) and replaced incomplete deny-list with strict character allowlist. Co-authored-by: Mariano A. Nicolini <entropidelic@users.noreply.github.com>
2026-05-05 02:31:47 +00:00 · 2026-04-06 13:16:25 -07:00 · 2026-04-06 13:16:25 -07:00 · af9a9f773c
commit af9a9f773c
parent 537a2b8bb8
4 changed files with 65 additions and 7 deletions
--- a/tools/environments/docker.py
+++ b/tools/environments/docker.py
@ -8,6 +8,7 @@ persistence via bind mounts.
 import logging
 import os
 import re
+import shlex
 import shutil
 import subprocess
 import sys
@ -484,9 +485,13 @@ class DockerEnvironment(BaseEnvironment):
        else:
            effective_stdin = stdin_data

-        # docker exec -w doesn't expand ~, so prepend a cd into the command
-        if work_dir == "~" or work_dir.startswith("~/"):
-            exec_command = f"cd {work_dir} && {exec_command}"
+        # docker exec -w doesn't expand ~, so prepend a cd into the command.
+        # Keep ~ unquoted (for shell expansion) and quote only the subpath.
+        if work_dir == "~":
+            exec_command = f"cd ~ && {exec_command}"
+            work_dir = "/"
+        elif work_dir.startswith("~/"):
+            exec_command = f"cd ~/{shlex.quote(work_dir[2:])} && {exec_command}"
            work_dir = "/"

        assert self._container_id, "Container not started"