Dispatch S3 grounded actions via safe AST parse instead of eval()#202

Open
Jiangrong-W wants to merge 1 commit into
simular-ai:mainfrom
Jiangrong-W:fix/s3-grounded-action-eval-rce

Conversation

@Jiangrong-W


What

Replaces the bare eval(code) in create_pyautogui_code (gui_agents/s3/utils/common_utils.py) with a new dispatch_agent_action(agent, code) that:

  • ast.parses the grounded-action string in eval mode;
  • requires it to be a single agent.<method>(...) call;
  • requires <method> to be a real grounding-agent method flagged is_agent_action;
  • requires every positional/keyword argument to be a plain literal (ast.literal_eval) — no calls, names, attribute walks, or expressions;
  • rejects **kwargs unpacking.

This preserves all valid grounded actions while preventing arbitrary expressions/builtins (__import__, tuple side-effects, attribute walks, …) from executing during response validation or action conversion.

Why

eval(code) executed model-produced code with no restriction to the intended agent.<action>(...) dispatch, allowing arbitrary code execution in the Agent-S host process on the default S3 path. See #201.

Tests

Adds tests/test_action_dispatch_s3.py: valid grounded actions still dispatch and return the expected pyautogui code; injection payloads (prepended statements, __import__, lambdas, non-agent calls, non-literal arguments) are rejected with ValueError and never execute.

Fixes #201

create_pyautogui_code evaluated the model-derived grounded-action string
with a bare eval(), giving the model-controlled code full access to Python
builtins. A response whose final fenced block is a tuple expression such as
(__import__(...)(...), agent.wait(1.0))[1] passes the single-action format
check yet runs an arbitrary side effect during CODE_VALID_FORMATTER
validation and action conversion, before any execution step.

Replace the eval with dispatch_agent_action(), which parses the string with
ast, requires exactly one agent.<method>(...) call, restricts the target to
methods flagged is_agent_action, and evaluates each argument with
ast.literal_eval so only plain literals are accepted. Every valid grounded
action keeps working; expressions, builtins, nested calls and attribute
walks are rejected with ValueError.

Signed-off-by: christop <[email protected]>
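The following is an added illustration of the dispatch scheme the description and the commit message both lay out (parse in eval mode, accept exactly one `agent.<method>(...)` call, require the `is_agent_action` flag, literal-only arguments, no `**kwargs` unpacking). It is not the pull request's code and not Agent-S code: the `ToyGroundingAgent`, its `agent_action` decorator, the pyautogui strings it returns and the `is_rejected` helper are all constructed for this example, and the real grounding agent's method names and the way it sets `is_agent_action` are not shown on this page.

```python
import ast
from typing import Any, Callable


def agent_action(func: Callable) -> Callable:
    """Hypothetical decorator that flags a method as a dispatchable grounded action."""
    func.is_agent_action = True
    return func


class ToyGroundingAgent:
    """Constructed stand-in for a grounding agent; each action returns a pyautogui string."""

    @agent_action
    def click(self, element_description: str, num_clicks: int = 1) -> str:
        return f"pyautogui.click(x, y, clicks={num_clicks})  # {element_description}"

    @agent_action
    def wait(self, time: float) -> str:
        return f"time.sleep({time})"

    def _internal_helper(self) -> str:
        # Not flagged: the dispatcher must refuse to call it even though it is a method.
        return "should never dispatch"


def dispatch_agent_action(agent: Any, code: str) -> str:
    """Dispatch a model-produced grounded-action string without eval().

    Only ``agent.<method>(<literal>, ..., kw=<literal>)`` is accepted, and <method>
    must carry the is_agent_action flag. Anything else raises ValueError before
    any code runs.
    """
    try:
        # mode="eval" rejects statements, so "import os; agent.wait(1)" fails to parse.
        tree = ast.parse(code.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not a single expression: {exc.msg}") from None

    call = tree.body
    # The whole expression must be the call itself: a tuple, subscript or
    # boolean expression wrapping a call is rejected here.
    if not isinstance(call, ast.Call):
        raise ValueError("grounded action must be a single call expression")

    func = call.func
    # Exactly one attribute hop from the name `agent`; no attribute walks.
    if not (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "agent"):
        raise ValueError("call target must be agent.<method>")

    method_name = func.attr
    if method_name.startswith("_"):
        raise ValueError(f"{method_name!r} is not an agent action")
    # Look the method up on the class so an instance attribute cannot shadow it.
    method = getattr(type(agent), method_name, None)
    if method is None or not getattr(method, "is_agent_action", False):
        raise ValueError(f"{method_name!r} is not an agent action")

    def literal(node: ast.expr) -> Any:
        # ast.literal_eval accepts AST nodes; calls, names, lambdas and
        # starred arguments all raise ValueError inside it.
        try:
            return ast.literal_eval(node)
        except (ValueError, TypeError, RecursionError, MemoryError):
            raise ValueError(f"argument is not a plain literal: {ast.dump(node)}") from None

    args = [literal(a) for a in call.args]
    kwargs = {}
    for kw in call.keywords:
        if kw.arg is None:  # `**mapping` shows up as a keyword with arg=None
            raise ValueError("**kwargs unpacking is not allowed")
        kwargs[kw.arg] = literal(kw.value)

    return getattr(agent, method_name)(*args, **kwargs)


def is_rejected(agent: Any, code: str) -> bool:
    """True if the dispatcher refuses `code` with ValueError (helper for checks)."""
    try:
        dispatch_agent_action(agent, code)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    agent = ToyGroundingAgent()
    for sample in ['agent.wait(1.0)',
                   'agent.click("OK button", num_clicks=2)',
                   '(__import__("os"), agent.wait(1.0))[1]',
                   'agent.wait(__import__("os"))',
                   'agent._internal_helper()']:
        try:
            print(f"{sample!r:45} -> {dispatch_agent_action(agent, sample)}")
        except ValueError as err:
            print(f"{sample!r:45} -> rejected: {err}")
```

The rejection order matters for auditability: parse errors, non-call expressions, wrong call targets, unflagged methods and non-literal arguments each fail on their own check, so a log of `ValueError` messages tells you which rule a malformed response tripped without ever having evaluated it.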

Development

Successfully merging this pull request may close these issues.

Arbitrary code execution: model-grounded action string passed to eval() in create_pyautogui_code

1 participant