From 3f789bd9f913f3feb5bf360fe8a9f280e9dfc6ff Mon Sep 17 00:00:00 2001 From: Haisam Abbas Date: Wed, 20 May 2026 17:21:34 +0500 Subject: [PATCH] Revert "fix shell guard url path detection" This reverts commit 65cecc01fbed9b6358d7c93b16301a4b979ee4e4. --- nanobot/agent/tools/shell.py | 2 +- tests/tools/test_tool_validation.py | 36 ----------------------------- 2 files changed, 1 insertion(+), 37 deletions(-) diff --git a/nanobot/agent/tools/shell.py b/nanobot/agent/tools/shell.py index 7e0ef57a8..0252b9746 100644 --- a/nanobot/agent/tools/shell.py +++ b/nanobot/agent/tools/shell.py @@ -418,7 +418,7 @@ class ExecTool(Tool): # Windows: match drive-root paths like `C:\` as well as `C:\path\to\file`, and UNC paths like `\\server\share` # NOTE: `*` is required so `C:\` (nothing after the slash) is still extracted. win_paths = re.findall( - r"(?<;]*|\\\\[^\s\"'|><;]+(?:\\[^\s\"'|><;]+)*)", + r"(?:[A-Za-z]:[^\s\"'|><;]*|\\\\[^\s\"'|><;]+(?:\\[^\s\"'|><;]+)*)", command ) posix_paths = re.findall(r"(?:^|[\s|>'\"])(/[^\s\"'>;|<]+)", command) # POSIX: /absolute only diff --git a/tests/tools/test_tool_validation.py b/tests/tools/test_tool_validation.py index 188a8952f..42620dcc6 100644 --- a/tests/tools/test_tool_validation.py +++ b/tests/tools/test_tool_validation.py @@ -3,8 +3,6 @@ import subprocess import sys from typing import Any -import pytest - from nanobot.agent.tools import ( ArraySchema, IntegerSchema, @@ -17,7 +15,6 @@ from nanobot.agent.tools import ( from nanobot.agent.tools.base import Tool from nanobot.agent.tools.registry import ToolRegistry from nanobot.agent.tools.shell import ExecTool -from nanobot.security.network import configure_ssrf_whitelist class SampleTool(Tool): @@ -221,39 +218,6 @@ def test_exec_extract_absolute_paths_ignores_relative_posix_segments() -> None: assert "/bin/python" not in paths -def test_exec_extract_absolute_paths_ignores_urls() -> None: - cmd = 'curl -s -o /dev/null -w "%{http_code}" https://www.google.com' - paths = ExecTool._extract_absolute_paths(cmd) - assert paths == ["/dev/null"] - - -@pytest.mark.parametrize( - "command", - [ - 'curl -s -o /dev/null -w "%{http_code}" https://www.google.com', - 'wget -q -O - http://example.com 2>&1 | head -c 100', - 'python3 -c "import urllib.request; print(urllib.request.urlopen(\'http://example.com\').read()[:100])"', - ], -) -def test_exec_guard_allows_public_urls(tmp_path, command: str) -> None: - tool = ExecTool(restrict_to_workspace=True) - error = tool._guard_command(command, str(tmp_path)) - assert error is None - - -def test_exec_guard_allows_whitelisted_internal_urls(tmp_path) -> None: - configure_ssrf_whitelist(["10.10.10.0/24"]) - try: - tool = ExecTool(restrict_to_workspace=True) - error = tool._guard_command( - 'curl -s -H "Authorization: Bearer ..." http://10.10.10.3:8123/api/', - str(tmp_path), - ) - assert error is None - finally: - configure_ssrf_whitelist([]) - - def test_exec_extract_absolute_paths_captures_posix_absolute_paths() -> None: cmd = "cat /tmp/data.txt > /tmp/out.txt" paths = ExecTool._extract_absolute_paths(cmd)