Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-16 17:55:26 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix: is_public_blocked_tool crashes on a truthy non-string tool name (#1620)

Browse Source 
* fix: is_public_blocked_tool crashes on a truthy non-string tool name

* fix: is_public_blocked_tool fails closed (blocks) on a malformed non-string tool name
This commit is contained in:
Afonso Coutinho
2026-06-03 06:11:14 +01:00
committed by GitHub
parent 04f8aa1833
commit 1453458519
2 changed files with 35 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/tool_security.py
+10 -2
View File
@@ -48,9 +48,17 @@ NON_ADMIN_BLOCKED_TOOLS = {
def is_public_blocked_tool(tool_name: Optional[str]) -> bool:
"""Return True when a non-admin/public user must not execute this tool."""
if not tool_name:
"""Return True when a non-admin/public user must not execute this tool.
This is a security gate, so it fails CLOSED: a malformed non-string tool
name can't be matched against the blocklist or the ``mcp__`` namespace, so
it is treated as blocked rather than silently allowed through. ``None`` /
empty string means there is no tool to gate.
"""
if tool_name is None or tool_name == "":
return False
if not isinstance(tool_name, str):
return True
return tool_name in NON_ADMIN_BLOCKED_TOOLS or tool_name.startswith("mcp__")