Skip to content

[security] Correct false docstring claim about command sanitization in LocalCommandLineCodeExecutor#7941

Open
AUTHENSOR wants to merge 1 commit into
microsoft:mainfrom
AUTHENSOR:redthread/fix-docstring-sanitization-9835e3a939
Open

[security] Correct false docstring claim about command sanitization in LocalCommandLineCodeExecutor#7941
AUTHENSOR wants to merge 1 commit into
microsoft:mainfrom
AUTHENSOR:redthread/fix-docstring-sanitization-9835e3a939

Conversation

@AUTHENSOR

Copy link
Copy Markdown

Summary

The LocalCommandLineCodeExecutor docstring (line 57) claims:

Command line code is sanitized using regular expression match against a list of dangerous commands in order to prevent self-destructive commands from being executed which may potentially affect the users environment.

This sanitization does not exist. Tracing the full execution path (_execute_code_dont_check_setup, lines 341-435), the only processing of LLM-generated code before execution is silence_pip (adding -qqq to pip install commands). No dangerous-command filtering, no regex matching, no blocklist.

Severity: MEDIUM
Class: False security claim creating a false sense of security

Impact

An operator reading the docstring would believe destructive commands are filtered. In reality, LLM-generated code (including rm -rf /, curl | sh, etc.) executes directly on the local machine with zero filtering.

Fix

Replace the false claim with a clear .. warning:: that states no sanitization is performed and recommends Docker-based executors for untrusted code.

Verification

  • Traced full execution path: execute_code_blocks -> _execute_code_dont_check_setup -> file write -> asyncio.create_subprocess_exec
  • Only processing: silence_pip(code, lang) at line 357
  • No DANGEROUS, sanitize, block_list, or command filtering anywhere in the path
  • Single-file docstring change

Dedup

Issues #7662 (WebSocket RCE) and #4873 (eval injection) are different surfaces. Nobody has reported the docstring/code mismatch specifically.


Generated by redthread. Single-purpose documentation fix.

LocalCommandLineCodeExecutor docstring claimed 'Command line code is
sanitized using regular expression match against a list of dangerous commands'
but no such sanitization exists in the execution path. The only processing
is silence_pip (pip output suppression). An operator reading the docstring
would believe destructive commands are filtered when they are not.

Replace the false claim with a clear warning that no sanitization is performed
and Docker-based executors should be used for untrusted code.

@ErenAta16 ErenAta16 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed independently: grepped the entire code_executors/local package for anything resembling command filtering (dangerous, blocklist, regex-match guards) before executing LLM-generated shell input, and the only hit in the whole file is the docstring sentence itself — no actual filtering exists anywhere in _execute_code_dont_check_setup. The fix correctly replaces the false claim with an explicit warning rather than trying to bolt on filtering as part of a docs PR, which is the right scope for this change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants