security: fix Docker CWD rw mount and unsanitized pip install in code interpreter #5256
Open
ffulbtech wants to merge 1 commit into crewAIInc:main from
Conversation
… interpreter

1. Change Docker volume mount from rw to ro to prevent LLM-generated code from writing to host filesystem (CWE-732)
2. Validate library names before pip install to prevent dependency confusion and command injection via malicious package names (CWE-20)

The code interpreter tool markets Docker as safe isolation, but mounting the host CWD read-write undermines this. Additionally, library names from LLM output are passed directly to pip without validation.
Security Fix

Two vulnerabilities in the code interpreter tool:

1. Docker volume mounted read-write (CWE-732)

`code_interpreter_tool.py` line 271 mounts the host CWD as `/workspace` with `mode: "rw"`. LLM-generated code running in the "safe" Docker container can read AND write all files in the host CWD including `.env`, source code, and credentials.

Fix: Changed to `mode: "ro"` (read-only).

2. Unsanitized library names passed to pip (CWE-20)

In `_install_libraries` (Docker path) and `run_code_unsafe` (host path), library names from LLM output are passed directly to `pip install` without validation. This enables dependency confusion/typosquatting attacks.

Fix: Validate library names against `^[a-zA-Z0-9][a-zA-Z0-9._-]*` pattern.

Combined Impact

A prompt-injected LLM can install a malicious package which then exfiltrates data from the mounted host directory.

Note: Private vulnerability reporting is not enabled for this repo, so submitting as a PR.