Part of #3629 (the `admin_tools.py` bullet). Moves the config/integration admin
tools off the legacy elif dispatch chain in tool_implementations.py onto the
agent_tools registry:
manage_endpoints, manage_mcp, manage_webhooks, manage_tokens, manage_settings
The do_* implementations (and manage_mcp's command-allowlist / RCE guard:
_validate_mcp_command, _mcp_allowed_commands, and the _MCP_* constants) move
verbatim into the new src/agent_tools/admin_tools.py. They register through a
single ADMIN_TOOL_HANDLERS map that TOOL_HANDLERS.update()s, and the five elif
branches plus their imports are dropped from tool_execution.py, so these tools
now flow through _direct_fallback like the other migrated clusters. The names
are re-exported from src.agent_tools for back-compat.
Dedup:
- _parse_tool_args was duplicated in tool_implementations.py and
document_tools.py. It now lives once in src.tool_utils (which imports nothing
from the project beyond src.constants, so this introduces no cycle) and both
call sites import it from there. The orphaned `import json` in document_tools
is removed with it.
- The five tools share one _owner_adapter(fn) factory that threads ctx["owner"]
into the owner-taking do_* signature, instead of five near-identical wrappers.
Tests: new tests/test_admin_tools_registry.py pins the registration, the
re-export back-compat, the owner-threading adapter, and the single-source
_parse_tool_args (across admin_tools and document_tools). Existing MCP /
settings / webhook suites are repointed at the new module.
* fix(security): allowlist manage_mcp 'add' to close the agent-path RCE
do_manage_mcp('add') passed model- and prompt-injection-controlled command,
args, and env straight to a stdio subprocess spawn with no validation, and it
persisted an enabled server row before connecting (so a payload also survived
to re-execute on restart). A string smuggled into a skill description, memory
entry, fetched page, or email body could register a server running arbitrary
code as the app UID, e.g. command='sh' args=['-c','...'].
Add _validate_mcp_command, applied on the agent path before any DB write or
spawn:
- Hard-deny interpreters, runtimes, package runners, shells, and exec-wrappers
(even if an operator lists one in ODYSSEUS_MCP_ALLOWED_COMMANDS).
- Require a bare basename (no path components, no shell metacharacters) that is
present in the operator allowlist (empty by default).
- Reject code-exec argv flags by prefix so glued forms are caught too
(-c/-e/-m/--eval/--exec/--print/--module/--command/--require), remote-URL
args, and env keys that inject code into the child (LD_PRELOAD, NODE_OPTIONS,
PYTHONPATH, DYLD_*, PATH, ...).
A rejected registration returns an error, writes no row, and makes no
connection. The trusted admin route is unchanged. Mirrors the policy intent of
_validate_serve_cmd but inverted for the model-reachable surface.
Supersedes #438; incorporates the bypass forms found in its review (interpreter
script paths, -m pip, glued -c/-e, --eval=, eval subcommands, package runners,
remote URLs) and adds integration coverage on the real do_manage_mcp path.
Closes #2891
* fix(security): deny versioned/alias runtimes in manage_mcp allowlist
Addresses RaresKeY's review on #4433. The hard-deny matched command names
exactly, so versioned or alias runtime forms (python3.11, node18, pip3,
ruby3.2, java, javac, bunx, tsx, ts-node, pypy3, ...) slipped past and, if an
operator allowlisted one, re-opened the prompt-injection-controlled MCP
registration path.
- Canonicalize a trailing version suffix before the deny check so versioned
forms collapse to the family (python3.11 -> python, node18 -> node, pip3 ->
pip); both the raw basename and the canonical form are denied.
- Broaden the denied-family set (java/javac/jshell/jbang/kotlin/dotnet/mono/
swift/osascript/tsx/ts-node/bunx/pypy/jruby/raku/luajit/wish/expect/iex).
Deny runs before the operator allowlist, so an alias cannot be allowlisted back
in. Canonicalization only feeds the deny check, so a legit name that ends in a
digit still reaches the normal allowlist check rather than being mis-denied.
Adds validator + integration regressions for versioned/alias runtimes asserting
no DB row and no connection, including the allowlisted-anyway case.
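To make the validator policy described in the two fix commits above concrete (hard-deny before allowlist, bare basename, version-suffix canonicalization feeding only the deny check, argv flag prefixes, remote-URL args, code-injecting env keys), here is an added stand-alone illustration. It is not the project's `_validate_mcp_command` or its `_MCP_*` constants: the function name `validate_mcp_command`, the `(ok, reason)` return shape, the deny/flag/env sets and the `allowlist` parameter (passed in rather than read from `ODYSSEUS_MCP_ALLOWED_COMMANDS`) are assumptions made for this example.

```python
import re
from typing import Mapping, Sequence, Set, Tuple

# Constructed deny set for this example (not the project's constants): runtime
# families the commits name plus common shells and exec-wrappers. Deny is
# checked on both the raw basename and its canonical family, before the
# operator allowlist, so none of these can be allowlisted back in.
DENIED_FAMILIES = frozenset({
    "sh", "bash", "zsh", "dash", "fish", "ksh", "csh",
    "python", "pypy", "node", "deno", "bun", "bunx", "npx", "npm", "pnpm", "yarn",
    "tsx", "ts-node", "ruby", "jruby", "perl", "raku", "php", "lua", "luajit",
    "java", "javac", "jshell", "jbang", "kotlin", "dotnet", "mono", "swift",
    "osascript", "wish", "expect", "iex", "pip", "env", "exec", "xargs", "eval",
})

# Argv flags that put a runtime into "execute this string/module" mode.
# Matched by prefix so glued forms (-cprint(1), --eval=...) are caught too.
CODE_EXEC_FLAG_PREFIXES = ("-c", "-e", "-m", "--eval", "--exec", "--print",
                           "--module", "--command", "--require")

# Env keys that make the child load or run injected code regardless of argv.
DENIED_ENV_KEYS = frozenset({"LD_PRELOAD", "NODE_OPTIONS", "PYTHONPATH", "PATH"})
DENIED_ENV_PREFIXES = ("DYLD_",)

_VERSION_SUFFIX = re.compile(r"[\d.]+$")          # python3.11 -> python, pip3 -> pip
_BARE_NAME = re.compile(r"^[A-Za-z0-9_.+-]+$")    # no '/', '\\', spaces or shell metachars
_REMOTE_URL = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def canonical_family(name: str) -> str:
    """Strip a trailing version suffix so alias/versioned runtimes collapse
    to their family. Used only for the deny check, never for the allowlist."""
    return _VERSION_SUFFIX.sub("", name)


def validate_mcp_command(command: str,
                         args: Sequence[str],
                         env: Mapping[str, str],
                         allowlist: Set[str]) -> Tuple[bool, str]:
    """Return (True, "") if a model-reachable MCP 'add' may proceed to the DB
    write and spawn, else (False, reason). Nothing here has side effects, so a
    caller can refuse before persisting an enabled server row."""
    # 1. Bare basename only: path components and shell metacharacters are rejected.
    if not command or not _BARE_NAME.fullmatch(command):
        return False, f"command must be a bare program name: {command!r}"

    # 2. Hard deny on raw and canonical names, ahead of the operator allowlist.
    family = canonical_family(command)
    if command in DENIED_FAMILIES or family in DENIED_FAMILIES:
        return False, f"command {command!r} is a denied runtime/shell (family {family!r})"

    # 3. Operator allowlist, checked on the raw name (empty by default -> nothing passes).
    if command not in allowlist:
        return False, f"command {command!r} is not in the operator allowlist"

    # 4. argv: code-exec flags by prefix, and anything that looks like a remote URL.
    for arg in args:
        if arg.startswith(CODE_EXEC_FLAG_PREFIXES):
            return False, f"argument {arg!r} is a code-execution flag"
        if _REMOTE_URL.match(arg):
            return False, f"argument {arg!r} is a remote URL"

    # 5. env: keys that inject code into the child, exact or by prefix.
    for key in env:
        upper = key.upper()
        if upper in DENIED_ENV_KEYS or upper.startswith(DENIED_ENV_PREFIXES):
            return False, f"env key {key!r} can inject code into the child"

    return True, ""


if __name__ == "__main__":
    # Constructed sample registrations: the first three mirror the cases the
    # commits describe; the last is a benign allowlisted server.
    allowed = {"mcp-fs", "tool2"}
    for cmd, argv, environ in [
        ("sh", ["-c", "id"], {}),
        ("python3.11", ["server.py"], {}),
        ("mcp-fs", ["--root", "/srv"], {"LD_PRELOAD": "x.so"}),
        ("mcp-fs", ["--root", "/srv"], {"HOME": "/srv"}),
    ]:
        print(cmd, argv, "->", validate_mcp_command(cmd, argv, environ, allowed))
```

The two-stage name check is the point of the second commit: `canonical_family` collapses `python3.11`/`node18`/`pip3` onto their denied family, but a legitimate allowlisted name that happens to end in a digit (`tool2`) is only compared against the allowlist by its raw spelling, so it is not mis-denied.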