odysseus

Salastil/odysseus

Fork 0

mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-20 03:35:35 -04:00

Commit Graph

Author	SHA1	Message	Date
Kenny Van de Maele	93569b141b	fix(security): allowlist manage_mcp 'add' to close the agent-path RCE (#4433 ) * fix(security): allowlist manage_mcp 'add' to close the agent-path RCE do_manage_mcp('add') passed model- and prompt-injection-controlled command, args, and env straight to a stdio subprocess spawn with no validation, and it persisted an enabled server row before connecting (so a payload also survived to re-execute on restart). A string smuggled into a skill description, memory entry, fetched page, or email body could register a server running arbitrary code as the app UID, e.g. command='sh' args=['-c','...']. Add _validate_mcp_command, applied on the agent path before any DB write or spawn: - Hard-deny interpreters, runtimes, package runners, shells, and exec-wrappers (even if an operator lists one in ODYSSEUS_MCP_ALLOWED_COMMANDS). - Require a bare basename (no path components, no shell metacharacters) that is present in the operator allowlist (empty by default). - Reject code-exec argv flags by prefix so glued forms are caught too (-c/-e/-m/--eval/--exec/--print/--module/--command/--require), remote-URL args, and env keys that inject code into the child (LD_PRELOAD, NODE_OPTIONS, PYTHONPATH, DYLD_, PATH, ...). A rejected registration returns an error, writes no row, and makes no connection. The trusted admin route is unchanged. Mirrors the policy intent of _validate_serve_cmd but inverted for the model-reachable surface. Supersedes #438; incorporates the bypass forms found in its review (interpreter script paths, -m pip, glued -c/-e, --eval=, eval subcommands, package runners, remote URLs) and adds integration coverage on the real do_manage_mcp path. Closes #2891 fix(security): deny versioned/alias runtimes in manage_mcp allowlist Addresses RaresKeY's review on #4433. The hard-deny matched command names exactly, so versioned or alias runtime forms (python3.11, node18, pip3, ruby3.2, java, javac, bunx, tsx, ts-node, pypy3, ...) slipped past and, if an operator allowlisted one, re-opened the prompt-injection-controlled MCP registration path. - Canonicalize a trailing version suffix before the deny check so versioned forms collapse to the family (python3.11 -> python, node18 -> node, pip3 -> pip); both the raw basename and the canonical form are denied. - Broaden the denied-family set (java/javac/jshell/jbang/kotlin/dotnet/mono/ swift/osascript/tsx/ts-node/bunx/pypy/jruby/raku/luajit/wish/expect/iex). Deny runs before the operator allowlist, so an alias cannot be allowlisted back in. Canonicalization only feeds the deny check, so a legit name that ends in a digit still reaches the normal allowlist check rather than being mis-denied. Adds validator + integration regressions for versioned/alias runtimes asserting no DB row and no connection, including the allowlisted-anyway case.	2026-06-16 14:34:53 +00:00

Author

SHA1

Message

Date

Kenny Van de Maele

93569b141b

fix(security): allowlist manage_mcp 'add' to close the agent-path RCE (#4433 )

* fix(security): allowlist manage_mcp 'add' to close the agent-path RCE

do_manage_mcp('add') passed model- and prompt-injection-controlled command,
args, and env straight to a stdio subprocess spawn with no validation, and it
persisted an enabled server row before connecting (so a payload also survived
to re-execute on restart). A string smuggled into a skill description, memory
entry, fetched page, or email body could register a server running arbitrary
code as the app UID, e.g. command='sh' args=['-c','...'].

Add _validate_mcp_command, applied on the agent path before any DB write or
spawn:
- Hard-deny interpreters, runtimes, package runners, shells, and exec-wrappers
  (even if an operator lists one in ODYSSEUS_MCP_ALLOWED_COMMANDS).
- Require a bare basename (no path components, no shell metacharacters) that is
  present in the operator allowlist (empty by default).
- Reject code-exec argv flags by prefix so glued forms are caught too
  (-c/-e/-m/--eval/--exec/--print/--module/--command/--require), remote-URL
  args, and env keys that inject code into the child (LD_PRELOAD, NODE_OPTIONS,
  PYTHONPATH, DYLD_*, PATH, ...).

A rejected registration returns an error, writes no row, and makes no
connection. The trusted admin route is unchanged. Mirrors the policy intent of
_validate_serve_cmd but inverted for the model-reachable surface.

Supersedes #438; incorporates the bypass forms found in its review (interpreter
script paths, -m pip, glued -c/-e, --eval=, eval subcommands, package runners,
remote URLs) and adds integration coverage on the real do_manage_mcp path.

Closes #2891

* fix(security): deny versioned/alias runtimes in manage_mcp allowlist

Addresses RaresKeY's review on #4433. The hard-deny matched command names
exactly, so versioned or alias runtime forms (python3.11, node18, pip3,
ruby3.2, java, javac, bunx, tsx, ts-node, pypy3, ...) slipped past and, if an
operator allowlisted one, re-opened the prompt-injection-controlled MCP
registration path.

- Canonicalize a trailing version suffix before the deny check so versioned
  forms collapse to the family (python3.11 -> python, node18 -> node, pip3 ->
  pip); both the raw basename and the canonical form are denied.
- Broaden the denied-family set (java/javac/jshell/jbang/kotlin/dotnet/mono/
  swift/osascript/tsx/ts-node/bunx/pypy/jruby/raku/luajit/wish/expect/iex).

Deny runs before the operator allowlist, so an alias cannot be allowlisted back
in. Canonicalization only feeds the deny check, so a legit name that ends in a
digit still reaches the normal allowlist check rather than being mis-denied.
Adds validator + integration regressions for versioned/alias runtimes asserting
no DB row and no connection, including the allowlisted-anyway case.

2026-06-16 14:34:53 +00:00

1 Commits