mirror of
https://github.com/HKUDS/nanobot.git
synced 2026-04-08 20:23:41 +00:00
be6063a142
The exec tool previously passed the full parent process environment to child processes, which meant LLM-generated commands could access secrets stored in env vars (e.g. API keys from EnvironmentFile=). Switch from subprocess_shell with inherited env to bash login shell with a minimal environment (HOME, LANG, TERM only). The login shell sources the user's profile for PATH setup, making the pathAppend config option a fallback rather than the primary PATH mechanism.
31 lines
998 B
Python
31 lines
998 B
Python
"""Tests for exec tool environment isolation."""
|
|
|
|
import pytest
|
|
|
|
from nanobot.agent.tools.shell import ExecTool
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_exec_does_not_leak_parent_env(monkeypatch):
|
|
"""Env vars from the parent process must not be visible to commands."""
|
|
monkeypatch.setenv("NANOBOT_SECRET_TOKEN", "super-secret-value")
|
|
tool = ExecTool()
|
|
result = await tool.execute(command="printenv NANOBOT_SECRET_TOKEN")
|
|
assert "super-secret-value" not in result
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_exec_has_working_path():
|
|
"""Basic commands should be available via the login shell's PATH."""
|
|
tool = ExecTool()
|
|
result = await tool.execute(command="echo hello")
|
|
assert "hello" in result
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_exec_path_append():
|
|
"""The pathAppend config should be available in the command's PATH."""
|
|
tool = ExecTool(path_append="/opt/custom/bin")
|
|
result = await tool.execute(command="echo $PATH")
|
|
assert "/opt/custom/bin" in result
|