Mariano A. Nicolini af9a9f773c fix(security): sanitize workdir parameter in terminal tool backends ... Shell injection via unquoted workdir interpolation in docker, singularity, and SSH backends. When workdir contained shell metacharacters (e.g. ~/;id), arbitrary commands could execute. Changes: - Add shlex.quote() at each interpolation point in docker.py, singularity.py, and ssh.py with tilde-aware quoting (keep ~ unquoted for shell expansion, quote only the subpath) - Add _validate_workdir() allowlist in terminal_tool.py as defense-in-depth before workdir reaches any backend Original work by Mariano A. Nicolini (PR #5620). Salvaged with fixes for tilde expansion (shlex.quote breaks cd ~/path) and replaced incomplete deny-list with strict character allowlist. Co-authored-by: Mariano A. Nicolini <entropidelic@users.noreply.github.com>		2026-04-06 13:19:22 -07:00
..
__init__.py	feat(environments): add Daytona cloud sandbox backend	2026-03-05 10:02:21 -08:00
base.py	feat: execute_code runs on remote terminal backends (#5088)	2026-04-04 12:57:49 -07:00
daytona.py	feat: mount skills directory into all remote backends with live sync (#3890)	2026-03-30 02:45:41 -07:00
docker.py	fix(security): sanitize workdir parameter in terminal tool backends	2026-04-06 13:19:22 -07:00
local.py	fix(terminal): preserve partial output when command times out (#3868)	2026-03-29 21:51:44 -07:00
managed_modal.py	Fixes and refactors enabled by recent updates to main.	2026-03-31 09:29:59 +09:00
modal.py	feat: add .zip document support and auto-mount cache dirs into remote backends (#4846)	2026-04-03 13:16:26 -07:00
modal_common.py	Fixes and refactors enabled by recent updates to main.	2026-03-31 09:29:59 +09:00
persistent_shell.py	feat: execute_code runs on remote terminal backends (#5088)	2026-04-04 12:57:49 -07:00
singularity.py	fix(security): sanitize workdir parameter in terminal tool backends	2026-04-06 13:19:22 -07:00
ssh.py	fix(security): sanitize workdir parameter in terminal tool backends	2026-04-06 13:19:22 -07:00