-
Notifications
You must be signed in to change notification settings - Fork 44.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Streamline / clarify shell command control configuration #4628
Merged
waynehamadi
merged 3 commits into
Significant-Gravitas:master
from
erik-megarad:fix/allow_deny
Jun 9, 2023
Merged
Streamline / clarify shell command control configuration #4628
waynehamadi
merged 3 commits into
Significant-Gravitas:master
from
erik-megarad:fix/allow_deny
Jun 9, 2023
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The latest updates on your projects. Learn more about Vercel for Git ↗︎ 1 Ignored Deployment
|
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## master #4628 +/- ##
==========================================
+ Coverage 70.08% 70.20% +0.12%
==========================================
Files 72 72
Lines 3573 3571 -2
Branches 571 568 -3
==========================================
+ Hits 2504 2507 +3
+ Misses 879 876 -3
+ Partials 190 188 -2
☔ View full report in Codecov by Sentry. |
erik-megarad
force-pushed
the
fix/allow_deny
branch
from
June 8, 2023 21:42
daee983
to
02e7643
Compare
waynehamadi
approved these changes
Jun 9, 2023
waynehamadi
force-pushed
the
fix/allow_deny
branch
from
June 9, 2023 18:40
61cbe8e
to
b448f76
Compare
jordankanter
pushed a commit
to jordankanter/Auto-GPT
that referenced
this pull request
Nov 12, 2023
…gnificant-Gravitas#4628) * Streamline / clarify shell command control configuration * Fix lint
jordankanter
pushed a commit
to jordankanter/Auto-GPT
that referenced
this pull request
Nov 12, 2023
…gnificant-Gravitas#4628) * Streamline / clarify shell command control configuration * Fix lint
jordankanter
pushed a commit
to jordankanter/Auto-GPT
that referenced
this pull request
Nov 12, 2023
…gnificant-Gravitas#4628) * Streamline / clarify shell command control configuration * Fix lint
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
There is a security issue with the current implementation of allow_commands- as long as one of the allowlisted commands was ANYWHERE in the text of the command it was allowed. This is the second security issue i discovered in this one function. That combined with the quality of the implementation warranted a rewrite.
ALLOW_COMMANDS
andDENY_COMMANDS
is very confusing currently. It's not clear from the names that they're referring to shell commands and not Auto-GPT commands. It's also not clear which takes precedence, and in what order they apply.This change makes it clear that there are two different strategies: allowlist (aka whitelist) or denylist (aka blacklist). Each strategy gets its own variable for its list and there is another variable saying which one to use.
Changes
shell_command_control
config variableallow_commands
toshell_allowlist
, ensuring backwards-compatibilitydeny_commands
toshell_denylist
, ensuring backwards-compatibilityvalidate_command
to match. Simplify it too.Documentation
Test Plan
Tested manually
Added new tests and ran them
PR Quality Checklist