mirror of
https://github.com/leonvanzyl/autocoder.git
synced 2026-02-02 07:23:35 +00:00
security: harden EXTRA_READ_PATHS with validation and blocklist
Add security controls to the EXTRA_READ_PATHS feature (PR #126) to prevent path traversal attacks and accidental exposure of sensitive directories.

Changes:
- Add EXTRA_READ_PATHS_BLOCKLIST constant blocking credential directories (.ssh, .aws, .azure, .kube, .gnupg, .docker, .npmrc, .pypirc, .netrc)
- Create get_extra_read_paths() function with comprehensive validation:
  - Path canonicalization via Path.resolve() to prevent .. traversal
  - Validates paths are absolute (rejects relative paths)
  - Validates paths exist and are directories
  - Blocks paths that are/contain sensitive directories
  - Blocks paths that would expose sensitive dirs (e.g., home dir)
- Update create_client() to use validated getter function
- Improve logging to show validated paths instead of raw input
- Document security controls in CLAUDE.md under Security Model section

Security considerations:
- Addresses path traversal risk similar to CVE-2025-54794
- Prevents accidental exposure of SSH keys, cloud credentials, etc.
- All validation happens before permissions are granted to the agent

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
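The validation sequence the commit message describes (absolute-only, existing directory, canonicalization with `Path.resolve()`, rejection of anything that is, contains, or sits above a credential directory), written out as an added example. This is not the project's `get_extra_read_paths()`; the function names, the `demo()` fixture and the constructed home directory are assumptions, and the blocklist entries are the ones the commit message lists.

```python
"""Reject unsafe EXTRA_READ_PATHS entries before an agent is granted read access.

Added illustration, not the autocoder project's own get_extra_read_paths():
it reimplements the checks the commit message describes. Function names and
the demo() fixture are assumptions; the blocklist names are the ones the
commit message lists.
"""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Credential locations, relative to the home directory (from the commit message).
EXTRA_READ_PATHS_BLOCKLIST = (
    ".ssh", ".aws", ".azure", ".kube", ".gnupg",
    ".docker", ".npmrc", ".pypirc", ".netrc",
)


def _is_within(path: Path, ancestor: Path) -> bool:
    """True if `path` equals `ancestor` or lies beneath it. Purely lexical, so
    both arguments must already be resolved (Path.is_relative_to needs 3.9+)."""
    try:
        path.relative_to(ancestor)
        return True
    except ValueError:
        return False


def validate_extra_read_paths(raw: str, home: Optional[Path] = None) -> tuple[list[Path], list[str]]:
    """Split a comma-separated EXTRA_READ_PATHS value and return
    (accepted canonical directories, human-readable rejection reasons).

    Rejections are collected rather than raised so the caller can log every
    bad entry and still proceed with the ones that passed.
    """
    home = (home or Path.home()).resolve()
    sensitive = [home / name for name in EXTRA_READ_PATHS_BLOCKLIST]
    accepted: list[Path] = []
    rejected: list[str] = []

    for item in (s.strip() for s in raw.split(",")):
        if not item:
            continue
        candidate = Path(item)
        # 1. Absolute only: a relative entry would be interpreted against the
        #    process cwd, which the operator cannot audit from the config alone.
        if not candidate.is_absolute():
            rejected.append(f"{item}: not an absolute path")
            continue
        # 2. Canonicalise: collapses '..' and follows symlinks, so every later
        #    comparison sees the real target rather than the spelling.
        resolved = candidate.resolve()
        # 3. Must exist and be a directory.
        if not resolved.is_dir():
            rejected.append(f"{item}: does not exist or is not a directory")
            continue
        # 4. Reject a path that is, or lies inside, a sensitive directory ...
        if any(_is_within(resolved, s) for s in sensitive):
            rejected.append(f"{item}: resolves to a blocked directory")
            continue
        # 5. ... or one that is an ancestor of a sensitive directory, since
        #    granting $HOME or / would expose ~/.ssh through the front door.
        if any(_is_within(s, resolved) for s in sensitive):
            rejected.append(f"{item}: would expose a blocked directory beneath it")
            continue
        if resolved not in accepted:
            accepted.append(resolved)
    return accepted, rejected


def demo() -> dict:
    """Run the validator over a constructed home directory in a temp dir and
    return plain strings so the outcome can be inspected without the fixture."""
    home = Path(tempfile.mkdtemp(prefix="fakehome-")).resolve()
    try:
        (home / ".ssh").mkdir()
        docs = home / "docs"
        docs.mkdir()
        (docs / "notes.txt").write_text("constructed sample file")
        raw = ",".join([
            str(docs),                   # fine
            "docs",                      # relative: rejected
            str(docs / ".." / ".ssh"),   # traversal into ~/.ssh: rejected
            str(home),                   # ancestor of ~/.ssh: rejected
            "/",                         # root is an ancestor of everything: rejected
            str(docs / "notes.txt"),     # a file, not a directory: rejected
            str(home / "missing"),       # does not exist: rejected
        ])
        accepted, rejected = validate_extra_read_paths(raw, home=home)
        return {
            "docs_dir": str(docs),
            "accepted": [str(p) for p in accepted],
            "rejected": rejected,
        }
    finally:
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("accepted:", result["accepted"])
    for reason in result["rejected"]:
        print("rejected:", reason)
```

The ancestor check in step 5 is the part most often forgotten: a blocklist that only asks "is this path inside `~/.ssh`?" still lets `EXTRA_READ_PATHS=/Users/me` through, and the agent then reads `~/.ssh` as an ordinary subdirectory. Note also that the checks run once, at validation time; a symlink created later inside an accepted directory is not re-examined by this function.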
Changed file: CLAUDE.md (+40)
@@ -211,6 +211,46 @@ Defense-in-depth approach configured in `client.py`:
2. Filesystem restricted to project directory only
3. Bash commands validated using hierarchical allowlist system

#### Extra Read Paths (Cross-Project File Access)

The agent can optionally read files from directories outside the project folder via the `EXTRA_READ_PATHS` environment variable. This enables referencing documentation, shared libraries, or other projects.

**Configuration:**

```bash
# Single path
EXTRA_READ_PATHS=/Users/me/docs

# Multiple paths (comma-separated)
EXTRA_READ_PATHS=/Users/me/docs,/opt/shared-libs,/Volumes/Data/reference
```

**Security Controls:**

All paths are validated before being granted read access:
- Must be absolute paths (not relative)
- Must exist and be directories
- Paths are canonicalized via `Path.resolve()` to prevent `..` traversal attacks
- Sensitive directories are blocked (see blocklist below)
- Only Read, Glob, and Grep operations are allowed (no Write/Edit)

**Blocked Sensitive Directories:**

The following directories (relative to home) are always blocked:
- `.ssh`, `.aws`, `.azure`, `.kube` - Cloud/SSH credentials
- `.gnupg`, `.gpg`, `.password-store` - Encryption keys
- `.docker`, `.config/gcloud` - Container/cloud configs
- `.npmrc`, `.pypirc`, `.netrc` - Package manager credentials

**Example Output:**

```
Created security settings at /path/to/project/.claude_settings.json
- Sandbox enabled (OS-level bash isolation)
- Filesystem restricted to: /path/to/project
- Extra read paths (validated): /Users/me/docs, /opt/shared-libs
```

#### Per-Project Allowed Commands

The agent's bash command access is controlled through a hierarchical configuration system:
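Review bot: the blocklist documented here does not match the one the commit message says was added. The "Blocked Sensitive Directories" bullets include `.gpg`, `.password-store` and `.config/gcloud`, while the commit message's `EXTRA_READ_PATHS_BLOCKLIST` covers only `.ssh, .aws, .azure, .kube, .gnupg, .docker, .npmrc, .pypirc, .netrc`; either add the three missing names to the constant or remove them from CLAUDE.md, because documenting a block the code does not enforce gives operators false assurance. Two smaller gaps in the "Security Controls" list: the commit message says paths that would expose a sensitive directory (e.g. the home directory itself) are rejected, but none of the five bullets says so, so a reader cannot tell that `EXTRA_READ_PATHS=/Users/me` is refused; and since validation happens once, before permissions are granted, the `Path.resolve()` bullet should say that a symlink placed inside an accepted directory afterwards is not re-checked. Finally, `.npmrc`, `.pypirc` and `.netrc` are files, not directories, which is worth stating under a heading that says "Directories".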