Dispatch S3 grounded actions via safe AST parse instead of eval()#202
Open
Jiangrong-W wants to merge 1 commit into
Conversation
create_pyautogui_code evaluated the model-derived grounded-action string with a bare eval(), giving the model-controlled code full access to Python builtins. A response whose final fenced block is a tuple expression such as (__import__(...)(...), agent.wait(1.0))[1] passes the single-action format check yet runs an arbitrary side effect during CODE_VALID_FORMATTER validation and action conversion, before any execution step.

Replace the eval with dispatch_agent_action(), which parses the string with ast, requires exactly one agent.<method>(...) call, restricts the target to methods flagged is_agent_action, and evaluates each argument with ast.literal_eval so only plain literals are accepted. Every valid grounded action keeps working; expressions, builtins, nested calls and attribute walks are rejected with ValueError.

Signed-off-by: christop <[email protected]>
What

Replaces the bare `eval(code)` in `create_pyautogui_code` (`gui_agents/s3/utils/common_utils.py`) with a new `dispatch_agent_action(agent, code)` that:

- `ast.parse`s the grounded-action string in `eval` mode;
- requires exactly one `agent.<method>(...)` call;
- requires `<method>` to be a real grounding-agent method flagged `is_agent_action`;
- evaluates each argument with `ast.literal_eval` — no calls, names, attribute walks, or expressions;
- no `**kwargs` unpacking.

This preserves all valid grounded actions while preventing arbitrary expressions/builtins (`__import__`, tuple side-effects, attribute walks, …) from executing during response validation or action conversion.

Why

`eval(code)` executed model-produced code with no restriction to the intended `agent.<action>(...)` dispatch, allowing arbitrary code execution in the Agent-S host process on the default S3 path. See #201.

Tests

Adds `tests/test_action_dispatch_s3.py`: valid grounded actions still dispatch and return the expected pyautogui code; injection payloads (prepended statements, `__import__`, lambdas, non-`agent` calls, non-literal arguments) are rejected with `ValueError` and never execute.

Fixes #201
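The dispatcher described in the PR body above, written out as an added example that is not the PR's own code and not the Agent-S S3 implementation. The `GroundingAgent` class, the `agent_action` decorator, `unsafe_create_pyautogui_code`, `classify`, `run_all`, `demo_unsafe` and the `PAYLOADS` table are all constructed for this example; only the `is_agent_action` flag name, the `agent.<method>(...)` dispatch shape and the `agent.wait(1.0)` tuple payload come from the page. The tuple payload uses an environment-variable write as a benign stand-in for the real side effect, so the old `eval()` path can be shown returning a valid-looking action string after the injected code has already run.

```python
import ast
import os


def agent_action(func):
    """Hypothetical decorator: flags a grounding-agent method as dispatchable."""
    func.is_agent_action = True
    return func


class GroundingAgent:
    """Stand-in for the S3 grounding agent (constructed for this example).
    Real methods ground the description to coordinates; these just return pyautogui code."""

    @agent_action
    def click(self, element_description, num_clicks=1, button_type="left"):
        return f"pyautogui.click(clicks={num_clicks}, button={button_type!r})  # {element_description}"

    @agent_action
    def wait(self, time):
        return f"time.sleep({time})"

    def reset(self):  # deliberately NOT flagged: model output must not reach it
        return "reset()"


def unsafe_create_pyautogui_code(agent, code):
    """The pre-fix pattern: eval() with builtins reachable. Shown only for contrast."""
    return eval(code, {"agent": agent})


def _literal(node):
    """Accept only plain literals (str, numbers, bool, None, containers of those)."""
    if isinstance(node, ast.Starred):
        raise ValueError("*args unpacking is not allowed")
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError, SyntaxError):
        raise ValueError(f"argument is not a plain literal: {ast.dump(node)}") from None


def dispatch_agent_action(agent, code):
    """Dispatch exactly one agent.<method>(<literals>) call; anything else raises ValueError."""
    try:
        tree = ast.parse(code.strip(), mode="eval")  # eval mode: 'import x;' etc. fail to parse
    except SyntaxError as exc:
        raise ValueError(f"not a single expression: {exc.msg}") from None
    call = tree.body
    if not isinstance(call, ast.Call):
        raise ValueError("grounded action must be a single call expression")
    target = call.func
    if not (isinstance(target, ast.Attribute) and isinstance(target.value, ast.Name)
            and target.value.id == "agent"):
        raise ValueError("call target must be agent.<method>, no attribute walks")
    name = target.attr
    if name.startswith("_"):
        raise ValueError("dunder/private attributes are not dispatchable")
    method = getattr(type(agent), name, None)  # look up on the class, not the instance
    if not callable(method) or not getattr(method, "is_agent_action", False):
        raise ValueError(f"{name!r} is not flagged is_agent_action")
    args = [_literal(a) for a in call.args]
    kwargs = {}
    for kw in call.keywords:
        if kw.arg is None:
            raise ValueError("**kwargs unpacking is not allowed")
        kwargs[kw.arg] = _literal(kw.value)
    return getattr(agent, name)(*args, **kwargs)


# Constructed inputs: two valid grounded actions plus the injection shapes the PR lists.
PAYLOADS = {
    "valid click": 'agent.click("the OK button", num_clicks=2)',
    "valid wait": "agent.wait(1.0)",
    # env-var write stands in for the real side effect (e.g. a shell command)
    "tuple side effect": "(__import__('os').environ.__setitem__('AGENT_S_PWNED', '1'), agent.wait(1.0))[1]",
    "statement prefix": "import os; agent.wait(1.0)",
    "nested call": "agent.wait(float('1.0'))",
    "lambda": "agent.wait((lambda: 1.0)())",
    "name argument": "agent.wait(timeout)",
    "attribute walk": "agent.click.__globals__['__builtins__']['eval']('1')",
    "unflagged method": "agent.reset()",
    "kwargs unpacking": "agent.wait(**{'time': 1.0})",
}


def classify(agent, code):
    """Return ('ok', pyautogui_code) or ('rejected', reason) for one grounded-action string."""
    try:
        return ("ok", dispatch_agent_action(agent, code))
    except ValueError as exc:
        return ("rejected", str(exc))


def run_all(agent):
    return {name: classify(agent, code)[0] for name, code in PAYLOADS.items()}


def demo_unsafe(agent):
    """Old eval() path: the returned string looks like a valid action, but the side effect ran."""
    os.environ.pop("AGENT_S_PWNED", None)
    result = unsafe_create_pyautogui_code(agent, PAYLOADS["tuple side effect"])
    return result, os.environ.get("AGENT_S_PWNED") == "1"
```

Two choices worth noting: the method is resolved on `type(agent)` rather than the instance, so an attribute the model cannot influence decides what is callable, and the `agent.<method>` shape is checked on the AST before any name lookup, so `agent.click.__globals__[...]` never reaches `getattr`. Parsing in `eval` mode is what turns a prepended statement into a `SyntaxError`, which is re-raised as the single `ValueError` type callers are expected to handle.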