[security] Correct false docstring claim about command sanitization in LocalCommandLineCodeExecutor#7941
Open
AUTHENSOR wants to merge 1 commit into
Conversation
LocalCommandLineCodeExecutor docstring claimed 'Command line code is sanitized using regular expression match against a list of dangerous commands' but no such sanitization exists in the execution path. The only processing is silence_pip (pip output suppression). An operator reading the docstring would believe destructive commands are filtered when they are not. Replace the false claim with a clear warning that no sanitization is performed and Docker-based executors should be used for untrusted code.
ErenAta16
approved these changes
Jul 11, 2026
ErenAta16
left a comment
There was a problem hiding this comment.
Confirmed independently: grepped the entire code_executors/local package for anything resembling command filtering (dangerous, blocklist, regex-match guards) before executing LLM-generated shell input, and the only hit in the whole file is the docstring sentence itself — no actual filtering exists anywhere in _execute_code_dont_check_setup. The fix correctly replaces the false claim with an explicit warning rather than trying to bolt on filtering as part of a docs PR, which is the right scope for this change.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
LocalCommandLineCodeExecutordocstring (line 57) claims:This sanitization does not exist. Tracing the full execution path (
_execute_code_dont_check_setup, lines 341-435), the only processing of LLM-generated code before execution issilence_pip(adding-qqqto pip install commands). No dangerous-command filtering, no regex matching, no blocklist.Severity: MEDIUM
Class: False security claim creating a false sense of security
Impact
An operator reading the docstring would believe destructive commands are filtered. In reality, LLM-generated code (including
rm -rf /,curl | sh, etc.) executes directly on the local machine with zero filtering.Fix
Replace the false claim with a clear
.. warning::that states no sanitization is performed and recommends Docker-based executors for untrusted code.Verification
execute_code_blocks->_execute_code_dont_check_setup-> file write ->asyncio.create_subprocess_execsilence_pip(code, lang)at line 357DANGEROUS,sanitize,block_list, or command filtering anywhere in the pathDedup
Issues #7662 (WebSocket RCE) and #4873 (eval injection) are different surfaces. Nobody has reported the docstring/code mismatch specifically.
Generated by redthread. Single-purpose documentation fix.