-
Notifications
You must be signed in to change notification settings - Fork 1
feat: implement built-in git tools with security hardening #150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 2 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -1649,6 +1649,8 @@ When the LLM requests multiple tool calls in a single turn, `ToolInvoker.invoke_ | |||||
|
|
||||||
| The `ToolPermissionChecker` resolves permissions using a priority-based system: denied list (highest) → allowed list → access-level categories → deny (default). `AgentEngine._make_tool_invoker()` creates a permission-aware invoker from the agent's `ToolPermissions` at the start of each `run()` call. Note: M3 implements category-level gating only; the granular sub-constraints described in §11.2 (workspace scope, network mode) are planned for when sandboxing is implemented. | ||||||
|
|
||||||
| > **M3 implementation note — Built-in git tools:** Six workspace-scoped git tools are implemented in `tools/git_tools.py`: `GitStatusTool`, `GitLogTool`, `GitDiffTool`, `GitBranchTool`, `GitCommitTool`, and `GitCloneTool`. All share a `_BaseGitTool` base class that enforces workspace boundary security (path traversal prevention via `resolve()` + `relative_to()`) and provides a common `_run_git()` helper using `asyncio.create_subprocess_exec` (never `shell=True`). Security hardening includes: `GIT_TERMINAL_PROMPT=0` to prevent credential prompts, `GIT_CONFIG_NOSYSTEM=1` and `GIT_PROTOCOL_FROM_USER=0` to restrict config/protocol attack surfaces, rejection of flag-like ref/branch values (starting with `-`), and URL scheme validation on clone (only `https://`, `http://`, `ssh://`, `git://`, and SCP-like syntax). All tools return `ToolExecutionResult` for errors rather than raising exceptions. | ||||||
|
||||||
| > **M3 implementation note — Built-in git tools:** Six workspace-scoped git tools are implemented in `tools/git_tools.py`: `GitStatusTool`, `GitLogTool`, `GitDiffTool`, `GitBranchTool`, `GitCommitTool`, and `GitCloneTool`. All share a `_BaseGitTool` base class that enforces workspace boundary security (path traversal prevention via `resolve()` + `relative_to()`) and provides a common `_run_git()` helper using `asyncio.create_subprocess_exec` (never `shell=True`). Security hardening includes: `GIT_TERMINAL_PROMPT=0` to prevent credential prompts, `GIT_CONFIG_NOSYSTEM=1` and `GIT_PROTOCOL_FROM_USER=0` to restrict config/protocol attack surfaces, rejection of flag-like ref/branch values (starting with `-`), and URL scheme validation on clone (only `https://`, `http://`, `ssh://`, `git://`, and SCP-like syntax). All tools return `ToolExecutionResult` for errors rather than raising exceptions. | |
| > **M3 implementation note — Built-in git tools:** Six workspace-scoped git tools are implemented in `tools/git_tools.py`: `GitStatusTool`, `GitLogTool`, `GitDiffTool`, `GitBranchTool`, `GitCommitTool`, and `GitCloneTool`. All share a `_BaseGitTool` base class that enforces workspace boundary security (path traversal prevention via `resolve()` + `relative_to()`) and provides a common `_run_git()` helper using `asyncio.create_subprocess_exec` (never `shell=True`). Security hardening includes: `GIT_TERMINAL_PROMPT=0` to prevent credential prompts, `GIT_CONFIG_NOSYSTEM=1` and `GIT_PROTOCOL_FROM_USER=0` to restrict config/protocol attack surfaces, rejection of flag-like ref/branch values (starting with `-`), URL scheme validation on clone (only `https://`, `http://`, `ssh://`, `git://`, and SCP-like syntax), and host/IP validation for clone targets (enforcing a configurable allowlist and/or explicitly blocking loopback, link-local, and private network ranges such as `127.0.0.0/8`, `::1`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, and `169.254.169.254`) to prevent SSRF and internal network probing. All tools return `ToolExecutionResult` for errors rather than raising exceptions. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| """Git tool event constants.""" | ||
|
|
||
| from typing import Final | ||
|
|
||
| GIT_COMMAND_START: Final[str] = "git.command.start" | ||
| GIT_COMMAND_SUCCESS: Final[str] = "git.command.success" | ||
| GIT_COMMAND_FAILED: Final[str] = "git.command.failed" | ||
| GIT_COMMAND_TIMEOUT: Final[str] = "git.command.timeout" | ||
| GIT_WORKSPACE_VIOLATION: Final[str] = "git.workspace.violation" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The DESIGN_SPEC claims
GIT_PROTOCOL_FROM_USER=0is set to restrict the protocol attack surface, but this environment variable is not actually set in the_run_git()env dict ingit_tools.py(lines 182-186). Either the code or the documentation should be updated to be consistent.