Skip to content

fix: harden state persistence, redirect handling, and consent coverage#528

Open
CurrentlyAWey wants to merge 1 commit into
strands-agents:mainfrom
CurrentlyAWey:security/consent-and-deser-fixes
Open

fix: harden state persistence, redirect handling, and consent coverage#528
CurrentlyAWey wants to merge 1 commit into
strands-agents:mainfrom
CurrentlyAWey:security/consent-and-deser-fixes

Conversation

@CurrentlyAWey

Copy link
Copy Markdown

Description

Defense-in-depth hardening across four tools. Full technical details have been shared privately with the maintainers per the project's security policy (CONTRIBUTING.md → Security issue notifications); this PR intentionally keeps the public description to the defensive change itself.

  • python_repl — persist REPL state as JSON instead of pickle (dill). Loading a persisted state file no longer deserializes with pickle, so a state file cannot execute code on load. The state file is now repl_state.json (a pre-existing .pkl is ignored rather than loaded).
  • http_request — drop the X-API-Key header on a cross-host redirect, mirroring how requests already strips Authorization, so an auth_type="api_key" credential (including env-var tokens bound via HTTP_REQUEST_TOKEN_CONFIG) is not forwarded off the originally-requested host.
  • use_aws — decide whether an operation is mutative via a read-only allowlist (fail closed) rather than a fixed verb denylist, so impactful operations whose names aren't in the old list (e.g. run_*, invoke, send_*, execute_*, authorize_*) are covered by the confirmation prompt. Read-only operations (get_/list_/describe_/head_/…) still run without a prompt.
  • editor — include undo_edit among the commands that require confirmation (it overwrites a file from its .bak and removes the backup).

Related Issues

Coordinated privately with the maintainers; specifics are in a private security report rather than a public issue.

Type of Change

Bug fix

Testing

How have you tested the change?

  • Updated the affected modules' unit tests (JSON persistence format; fail-closed consent check); the four modules' suites pass on Python 3.13.

  • ruff check and ruff format --check are clean on the changed files, with no changes to unrelated files.

  • I ran hatch run prepare (ran the equivalent pieces: ruff check, ruff format --check, and the module test suites)

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Defense-in-depth hardening across four tools. Full details shared privately
with the maintainers per the project's security policy.

- python_repl: persist REPL state as JSON instead of pickle (dill), so loading a
  persisted state file cannot execute code. The state file is now repl_state.json.
- http_request: drop the X-API-Key header on a cross-host redirect (mirroring how
  requests already strips Authorization), so an api_key credential is not
  forwarded off the originally-requested host.
- use_aws: decide whether an operation is mutative via a read-only allowlist
  (fail closed) rather than a fixed verb denylist, so impactful operations whose
  names are not in that list are still covered by the confirmation prompt.
- editor: include undo_edit among the commands that require confirmation, since it
  overwrites a file from its .bak and deletes the backup.

Tests updated for the JSON persistence format.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant