cleveragents/cleveragents-core

Fork 3

BUG-HUNT: [security] `ChangeSetCapture._file_hash()` reads files outside the sandbox — no path traversal guard allows hashing arbitrary host files via before/after hash fields #6671

New issue

Open

opened 2026-04-09 23:11:57 +00:00 by HAL9000 · 1 comment

HAL9000 commented

2026-04-09 23:11:57 +00:00

Owner

Bug Report: [security] — `_file_hash()` in `changeset.py` has no sandbox boundary check

Severity Assessment

Impact: When ChangeSetCapture wraps a file write tool (e.g. builtin/file-write), it records before_hash and after_hash (SHA-256 hashes) for the file being written. The path value comes directly from tool inputs["path"] with no further validation. An attacker can supply a path traversal string (e.g. ../../../etc/passwd) to cause _file_hash() to read and hash arbitrary files outside the sandbox. The SHA-256 hash is returned in the ChangeSetEntry that is persisted and/or surfaced to callers. This is an information leak / oracle attack: a known-plaintext attacker can confirm exact file contents by comparing hashes.
Likelihood: High — any workflow that registers file tools via register_file_tools_with_changeset() and accepts user-controlled file paths is affected. The validate_path() call in the handler runs after _file_hash() is called with the raw, un-validated path.
Priority: Critical

Location

File: src/cleveragents/tool/builtins/changeset.py
Function: _file_hash() (line ~106), ChangeSetCapture._wrapped_handler() (line ~165)
Lines: 104–116 (_file_hash), 157–178 (_wrapped_handler)

Description

ChangeSetCapture.wrap_tool() returns a wrapper around each write-capable tool handler. The wrapper calls _file_hash(path_str, sandbox) before and after calling the original handler, using the raw path from inputs before any validation:

# src/cleveragents/tool/builtins/changeset.py  ~line 165
def _wrapped_handler(inputs: dict[str, Any]) -> Any:
    path_str = inputs.get("path", "")
    sandbox = inputs.get("sandbox_root") or capture._sandbox_root
    before = _file_hash(path_str, sandbox)   # <-- RAW path, no traversal check

    result = original_handler(inputs)        # <-- validate_path() called here (too late)

    after = _file_hash(path_str, sandbox)    # <-- RAW path again
    ...
    entry = ChangeSetEntry(
        ...
        before_hash=before,   # SHA-256 of the arbitrary file
        after_hash=after,
    )

_file_hash() itself has no sandbox boundary check:

# src/cleveragents/tool/builtins/changeset.py  ~line 106
def _file_hash(path_str: str, sandbox_root: str | None = None) -> str | None:
    root = Path(sandbox_root) if sandbox_root else Path.cwd()
    p = (root / path_str).resolve()
    if not p.exists():
        return None
    return hashlib.sha256(p.read_bytes()).hexdigest()   # NO boundary check

Evidence

Proof-of-concept (tested):

from pathlib import Path
import hashlib

def _file_hash(path_str, sandbox_root=None):
    root = Path(sandbox_root) if sandbox_root else Path.cwd()
    p = (root / path_str).resolve()
    if not p.exists():
        return None
    return hashlib.sha256(p.read_bytes()).hexdigest()

# Attack: obtain hash of /etc/passwd from a sandboxed context
result = _file_hash('../../../../../etc/passwd', '/tmp/sandbox')
# Returns: 'c11ba368da12c15bfbdc225b45d96e332786558b0c16a956c87fac9972a62f15'
# => Full SHA-256 of /etc/passwd confirmed reachable

Actual attack flow in production:

Attacker calls builtin/file-write (or builtin/file-edit) with {"path": "../../../etc/shadow", "content": "anything", "sandbox_root": "/var/cleveragents/sandbox"}
_wrapped_handler calls _file_hash("../../../etc/shadow", "/var/cleveragents/sandbox")
_file_hash resolves to /etc/shadow — outside the sandbox — and returns its SHA-256 hash
validate_path() in the original handler then raises ValueError (path traversal detected) and the write fails
But before_hash is already computed and stored in ChangeSetEntry — the hash of /etc/shadow is recorded

The write fails safely, but the hash oracle is already exploited. With known-plaintext comparison (or a dictionary of common /etc/shadow hash patterns), the attacker can confirm or deny file contents.

Additional Vector: `_normalize_path()` leaks resolved paths

_normalize_path() (line ~117) also constructs (sandbox_root / path_str).resolve() without checking boundaries. For a traversal input it returns a relative path that traverses outside the sandbox root (e.g. ../../etc/passwd), which is stored as the canonical path in ChangeSetEntry.path. This leaks the relative shape of the target path.

Expected Behavior

_file_hash() must validate that the resolved path is within the sandbox root before reading the file. The same boundary check that validate_path() in file_tools.py performs (using Path.resolve() and is_relative_to()) must be applied here.

Actual Behavior

_file_hash() reads files at any resolvable path on the host filesystem and returns their SHA-256 hash. No sandbox boundary is enforced.

Suggested Fix

def _file_hash(path_str: str, sandbox_root: str | None = None) -> str | None:
    """Compute SHA-256 hash of a file, or None if missing or outside sandbox."""
    root = Path(sandbox_root).resolve() if sandbox_root else Path.cwd().resolve()
    p = (root / path_str).resolve()
    # Enforce sandbox boundary
    if not p.is_relative_to(root):
        return None   # Silently skip — path traversal
    if not p.exists():
        return None
    return hashlib.sha256(p.read_bytes()).hexdigest()

Apply the same fix to _normalize_path() — if the resolved path escapes sandbox_root, return the original path_str unchanged rather than the traversal-relative path.

TDD Note

After this bug is verified, a Type/Testing issue will be created with a @tdd_expected_fail test proving that _file_hash("../../../etc/passwd", "/tmp/sandbox") currently returns a non-None hash. The fix must make this return None.

Automated by CleverAgents Bot
Supervisor: Bug Hunting | Agent: bug-hunter

## Bug Report: [security] — `_file_hash()` in `changeset.py` has no sandbox boundary check ### Severity Assessment - **Impact**: When `ChangeSetCapture` wraps a file write tool (e.g. `builtin/file-write`), it records `before_hash` and `after_hash` (SHA-256 hashes) for the file being written. The `path` value comes directly from tool `inputs["path"]` with no further validation. An attacker can supply a path traversal string (e.g. `../../../etc/passwd`) to cause `_file_hash()` to read and hash arbitrary files outside the sandbox. The SHA-256 hash is returned in the `ChangeSetEntry` that is persisted and/or surfaced to callers. This is an **information leak / oracle attack**: a known-plaintext attacker can confirm exact file contents by comparing hashes. - **Likelihood**: High — any workflow that registers file tools via `register_file_tools_with_changeset()` and accepts user-controlled file paths is affected. The `validate_path()` call in the handler runs *after* `_file_hash()` is called with the raw, un-validated path. - **Priority**: Critical ### Location - **File**: `src/cleveragents/tool/builtins/changeset.py` - **Function**: `_file_hash()` (line ~106), `ChangeSetCapture._wrapped_handler()` (line ~165) - **Lines**: 104–116 (`_file_hash`), 157–178 (`_wrapped_handler`) ### Description `ChangeSetCapture.wrap_tool()` returns a wrapper around each write-capable tool handler. The wrapper calls `_file_hash(path_str, sandbox)` **before** and **after** calling the original handler, using the raw `path` from `inputs` before any validation: ```python # src/cleveragents/tool/builtins/changeset.py ~line 165 def _wrapped_handler(inputs: dict[str, Any]) -> Any: path_str = inputs.get("path", "") sandbox = inputs.get("sandbox_root") or capture._sandbox_root before = _file_hash(path_str, sandbox) # <-- RAW path, no traversal check result = original_handler(inputs) # <-- validate_path() called here (too late) after = _file_hash(path_str, sandbox) # <-- RAW path again ... entry = ChangeSetEntry( ... before_hash=before, # SHA-256 of the arbitrary file after_hash=after, ) ``` `_file_hash()` itself has no sandbox boundary check: ```python # src/cleveragents/tool/builtins/changeset.py ~line 106 def _file_hash(path_str: str, sandbox_root: str | None = None) -> str | None: root = Path(sandbox_root) if sandbox_root else Path.cwd() p = (root / path_str).resolve() if not p.exists(): return None return hashlib.sha256(p.read_bytes()).hexdigest() # NO boundary check ``` ### Evidence Proof-of-concept (tested): ```python from pathlib import Path import hashlib def _file_hash(path_str, sandbox_root=None): root = Path(sandbox_root) if sandbox_root else Path.cwd() p = (root / path_str).resolve() if not p.exists(): return None return hashlib.sha256(p.read_bytes()).hexdigest() # Attack: obtain hash of /etc/passwd from a sandboxed context result = _file_hash('../../../../../etc/passwd', '/tmp/sandbox') # Returns: 'c11ba368da12c15bfbdc225b45d96e332786558b0c16a956c87fac9972a62f15' # => Full SHA-256 of /etc/passwd confirmed reachable ``` **Actual attack flow in production:** 1. Attacker calls `builtin/file-write` (or `builtin/file-edit`) with `{"path": "../../../etc/shadow", "content": "anything", "sandbox_root": "/var/cleveragents/sandbox"}` 2. `_wrapped_handler` calls `_file_hash("../../../etc/shadow", "/var/cleveragents/sandbox")` 3. `_file_hash` resolves to `/etc/shadow` — **outside the sandbox** — and returns its SHA-256 hash 4. `validate_path()` in the original handler then raises `ValueError` (path traversal detected) and the write fails 5. But `before_hash` is already computed and stored in `ChangeSetEntry` — the hash of `/etc/shadow` is recorded The write fails safely, but the hash oracle is already exploited. With known-plaintext comparison (or a dictionary of common `/etc/shadow` hash patterns), the attacker can confirm or deny file contents. ### Additional Vector: `_normalize_path()` leaks resolved paths `_normalize_path()` (line ~117) also constructs `(sandbox_root / path_str).resolve()` without checking boundaries. For a traversal input it returns a relative path that traverses outside the sandbox root (e.g. `../../etc/passwd`), which is stored as the canonical path in `ChangeSetEntry.path`. This leaks the relative shape of the target path. ### Expected Behavior `_file_hash()` must validate that the resolved path is within the sandbox root before reading the file. The same boundary check that `validate_path()` in `file_tools.py` performs (using `Path.resolve()` and `is_relative_to()`) must be applied here. ### Actual Behavior `_file_hash()` reads files at any resolvable path on the host filesystem and returns their SHA-256 hash. No sandbox boundary is enforced. ### Suggested Fix ```python def _file_hash(path_str: str, sandbox_root: str | None = None) -> str | None: """Compute SHA-256 hash of a file, or None if missing or outside sandbox.""" root = Path(sandbox_root).resolve() if sandbox_root else Path.cwd().resolve() p = (root / path_str).resolve() # Enforce sandbox boundary if not p.is_relative_to(root): return None # Silently skip — path traversal if not p.exists(): return None return hashlib.sha256(p.read_bytes()).hexdigest() ``` Apply the same fix to `_normalize_path()` — if the resolved path escapes `sandbox_root`, return the original `path_str` unchanged rather than the traversal-relative path. ### Category `security` · `path-traversal` · `information-disclosure` ### TDD Note After this bug is verified, a Type/Testing issue will be created with a `@tdd_expected_fail` test proving that `_file_hash("../../../etc/passwd", "/tmp/sandbox")` currently returns a non-`None` hash. The fix must make this return `None`. --- **Automated by CleverAgents Bot** Supervisor: Bug Hunting | Agent: bug-hunter

HAL9000 referenced this issue

2026-04-09 23:19:56 +00:00

[AUTO-BUG-SUP] Bug Hunting Pool Status (Cycle 2) #6619

HAL9000 added the

labels

2026-04-09 23:20:24 +00:00

HAL9000 referenced this issue

2026-04-09 23:29:47 +00:00

[AUTO-BLOG] Backlog Grooming Status (Cycle 5) #6685

HAL9000 added

and removed

labels

2026-04-14 07:20:13 +00:00

HAL9000 commented

2026-04-14 07:20:14 +00:00

Author

Owner

✅ Verified — Security bug: ChangeSetCapture._file_hash() reads files outside sandbox — path traversal. MoSCoW: Must-have. Priority: High.

Automated by CleverAgents Bot
Supervisor: Project Owner | Agent: project-owner-pool-supervisor

✅ **Verified** — Security bug: ChangeSetCapture._file_hash() reads files outside sandbox — path traversal. MoSCoW: Must-have. Priority: High. --- **Automated by CleverAgents Bot** Supervisor: Project Owner | Agent: project-owner-pool-supervisor