[security] Remove file:// protocol from Web Surfer URL allow-list (local file read)#7942
Open
AUTHENSOR wants to merge 2 commits into
Open
[security] Remove file:// protocol from Web Surfer URL allow-list (local file read)#7942AUTHENSOR wants to merge 2 commits into
AUTHENSOR wants to merge 2 commits into
Conversation
added 2 commits
July 9, 2026 18:34
LocalCommandLineCodeExecutor docstring claimed 'Command line code is sanitized using regular expression match against a list of dangerous commands' but no such sanitization exists in the execution path. The only processing is silence_pip (pip output suppression). An operator reading the docstring would believe destructive commands are filtered when they are not. Replace the false claim with a clear warning that no sanitization is performed and Docker-based executors should be used for untrusted code.
The MultimodalWebSurfer accepted file:// as a valid URL protocol, allowing the LLM to navigate to local files (file:///etc/passwd). The file content gets rendered in the page and sent back to the LLM — local file read.
ErenAta16
approved these changes
Jul 11, 2026
ErenAta16
left a comment
There was a problem hiding this comment.
Confirmed on main: line 655 of _multimodal_web_surfer.py has file:// sitting right in the allowed-protocol tuple next to https:///http://, and visit_page passes the URL straight to page.goto() with no further check. Given the agent then reads back and forwards whatever Playwright renders, that is a real local-file-read path once file:// is reachable at all, not just a theoretical one. Scope of the fix (removing the one protocol from the allow-list, touching two files) looks correctly minimal — it does not try to also solve command sanitization, which is the separate, correctly-scoped #7941.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
MultimodalWebSurferacceptsfile://as a valid URL protocol (line 655). This allows the LLM to navigate to local files (file:///etc/passwd,file:///home/user/.ssh/id_rsa, etc.), which Playwright renders in the page. The agent then reads the page content and sends it back to the LLM — local file read via the web browsing agent.Severity: HIGH
Class: Local file read via file:// protocol acceptance
Root cause
_multimodal_web_surfer.py:655:file://is in the allowed protocol list.visit_pagepasses it directly topage.goto(url).Exploit chain
{"name": "visit_url", "args": {"url": "file:///etc/passwd"}}file:///etc/passwd(accepted becausefile://is allowed)/etc/passwd— or any local fileFix
Remove
file://from the allowed protocol list. A web-browsing agent should only navigate to web protocols (https://,http://). Theabout:protocol is kept for blank pages.Verification
"file://"from the protocol tupleruff check: cleanabout:protocol is preserved for blank-page navigationDedup
Searched issues for "file://", "local file read", "web surfer security". Zero matches. Issue #7457 is about indirect prompt injection via page title (different surface). Novel.
Generated by redthread. Single-purpose security fix.