Streamline / clarify shell command control configuration #4628

Merged

erik-megarad (Contributor) commented Jun 8, 2023

Background

There is a security issue with the current implementation of allow_commands: as long as one of the allowlisted commands was ANYWHERE in the text of the command, it was allowed. This is the second security issue I discovered in this one function. That, combined with the quality of the implementation, warranted a rewrite.

ALLOW_COMMANDS and DENY_COMMANDS are very confusing currently. It's not clear from the names that they're referring to shell commands and not Auto-GPT commands. It's also not clear which takes precedence, and in what order they apply.

This change makes it clear that there are two different strategies: allowlist (aka whitelist) or denylist (aka blacklist). Each strategy gets its own variable for its list and there is another variable saying which one to use.

Changes

  • Add shell_command_control config variable
  • Rename allow_commands to shell_allowlist, ensuring backwards-compatibility
  • Rename deny_commands to shell_denylist, ensuring backwards-compatibility
  • Adjust validate_command to match. Simplify it too.
  • Add a bunch of tests
  • Improve .env.template documentation

Documentation

  • Documentation in .env.template

Test Plan

Tested manually
Added new tests and ran them

PR Quality Checklist

  • My pull request is atomic and focuses on a single change.
  • I have thoroughly tested my changes with multiple different prompts.
  • I have considered potential risks and mitigations for my changes.
  • I have documented my changes clearly and comprehensively.
  • I have not snuck in any "extra" small tweaks or changes.
  • I have run the following commands against my code to ensure it passes our linters:
    black .
    isort .
    mypy
    autoflake --remove-all-unused-imports --recursive --ignore-init-module-imports autogpt tests --in-place
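
The substring problem described in the Background section, as an added example that is not the code from this pull request or from Auto-GPT: a check that looks for an allowlisted name anywhere in the command text, next to one that decides on the first token only. The names shell_command_control, shell_allowlist, shell_denylist and validate_command are taken from the description above; the setting values "allowlist" and "denylist", the helper names and the sample commands are assumptions made for illustration.

```python
import shlex

# Assumed values for the shell_command_control setting named in the PR.
ALLOWLIST, DENYLIST = "allowlist", "denylist"


def substring_check(command: str, allow_commands: list[str]) -> bool:
    """Flawed behaviour: an allowlisted name anywhere in the text passes."""
    return any(name in command for name in allow_commands)


def validate_command(command: str, shell_command_control: str,
                     shell_allowlist: list[str], shell_denylist: list[str]) -> bool:
    """Decide on the executable name (first token) only, failing closed."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    if not tokens:
        return False
    name = tokens[0]
    if shell_command_control == ALLOWLIST:
        return name in shell_allowlist
    if shell_command_control == DENYLIST:
        return name not in shell_denylist
    return False  # unknown strategy is rejected


# Constructed sample input, not taken from the project.
SAMPLES = ["ls -la", "touch marker_ls.txt", "echo 'unterminated", ""]


def compare(samples=SAMPLES):
    """Return (command, substring verdict, first-token verdict) per sample."""
    allow, deny = ["ls", "cat"], ["rm"]
    return [(c, substring_check(c, allow),
             validate_command(c, ALLOWLIST, allow, deny)) for c in samples]
```

A first-token check still judges only the first command when the string is later run through a shell, so operators such as `;`, `&&` and `|` need separate handling.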

@github-actions github-actions bot added the size/l label Jun 8, 2023
codecov bot commented Jun 8, 2023

Codecov Report

Patch coverage: 68.75% and project coverage change: +0.12 🎉

Comparison is base (cce50be) 70.08% compared to head (b448f76) 70.20%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4628      +/-   ##
==========================================
+ Coverage   70.08%   70.20%   +0.12%     
==========================================
  Files          72       72              
  Lines        3573     3571       -2     
  Branches      571      568       -3     
==========================================
+ Hits         2504     2507       +3     
+ Misses        879      876       -3     
+ Partials      190      188       -2     
Impacted Files Coverage Δ
autogpt/config/config.py 74.65% <55.55%> (+0.17%) ⬆️
autogpt/commands/execute_code.py 73.52% <85.71%> (+4.00%) ⬆️

@waynehamadi waynehamadi merged commit ff4e53d into Significant-Gravitas:master Jun 9, 2023
@Pwuts Pwuts added this to the v0.4.1 Release milestone Jun 11, 2023
jordankanter pushed a commit to jordankanter/Auto-GPT that referenced this pull request Nov 12, 2023
…gnificant-Gravitas#4628)

* Streamline / clarify shell command control configuration

* Fix lint