fix: block RCE via module denylist in YAML config loader#5682

Open
aimenhamzi01-dot wants to merge 7 commits into
google:mainfrom
aimenhamzi01-dot:main

Conversation

@aimenhamzi01-dot

Problem

The resolve_code_reference() function in config_agent_utils.py
uses importlib and getattr to resolve arbitrary Python objects
from YAML config, allowing RCE via dangerous modules like os.system.

Solution

  • Add _BLOCKED_MODULES to block dangerous modules (os, sys,
    subprocess, etc.) in resolve_code_reference()
  • Expand _BLOCKED_YAML_KEYS to cover all dynamic code fields
  • Set _ENFORCE_DENYLIST = True globally

Testing

Verified that loading a YAML config with os.system as model_code
now raises ValueError instead of executing the command.

Security

This fix addresses an RCE vulnerability reported via Google OSS VRP (Reference: 506632409).

fix: enable YAML denylist by default in CLI mode
- Add _BLOCKED_MODULES to prevent dangerous module access
- Expand _BLOCKED_YAML_KEYS to cover all dynamic code fields
- Set _ENFORCE_DENYLIST = True globally

Fixes RCE vulnerability via unsafe function resolution
in YAML configuration loader (CVE candidate).
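The two resolver shapes the description contrasts, written out as an added example (my own sketch, not the project's `config_agent_utils.py`): a bare importlib/getattr resolver that hands back whatever dotted path the config names, next to a denylisted one that refuses blocked module roots before importing and again after resolving, plus a small config walker standing in for the `_BLOCKED_YAML_KEYS` handling. The contents of `_BLOCKED_MODULES`, the key names other than `model_code`, the helper names and the sample configs are all assumptions made for this example.

```python
"""Dotted-path code references from config, before and after a module denylist."""
import importlib
import types
from typing import Any

# Top-level modules the denylist rejects. Constructed for this example; the
# PR's real _BLOCKED_MODULES contents are not reproduced on the page.
_BLOCKED_MODULES = frozenset({
    "os", "sys", "subprocess", "shutil", "builtins", "importlib",
    "pickle", "ctypes", "runpy", "pty", "socket", "code", "codeop",
})

# Config keys whose string values are treated as code references. Hypothetical
# names standing in for the PR's _BLOCKED_YAML_KEYS; only model_code is on the page.
_CODE_REFERENCE_KEYS = frozenset({"model_code", "tool_code", "callback_code"})

# Mirrors the PR's global switch: the denylist is on unless a caller opts out.
_ENFORCE_DENYLIST = True


def _split_reference(ref: str) -> tuple[str, str]:
    """'pkg.module.attr' -> ('pkg.module', 'attr'); reject anything shorter."""
    module_name, _, attr = ref.rpartition(".")
    if not module_name or not attr:
        raise ValueError(f"expected 'package.module.attr', got {ref!r}")
    return module_name, attr


def _root(name: str) -> str:
    """Top-level package of a dotted module name ('os.path' -> 'os')."""
    return name.split(".", 1)[0]


def resolve_code_reference_unsafe(ref: str) -> Any:
    """The pattern the report describes: import and getattr whatever the config names."""
    module_name, attr = _split_reference(ref)
    return getattr(importlib.import_module(module_name), attr)


def resolve_code_reference(ref: str, *, enforce: bool = _ENFORCE_DENYLIST) -> Any:
    """Denylisted resolver.

    The root of the module path is checked before any import happens, and the
    resolved object's own origin is checked afterwards, so a re-export such as
    'shutil.os' (a blocked module reached through a non-blocked one) is
    rejected too.
    """
    module_name, attr = _split_reference(ref)
    if enforce and _root(module_name) in _BLOCKED_MODULES:
        raise ValueError(f"blocked module in code reference: {ref!r}")
    obj = getattr(importlib.import_module(module_name), attr)
    # Modules carry __name__; functions and classes carry __module__.
    origin = obj.__name__ if isinstance(obj, types.ModuleType) else getattr(obj, "__module__", None)
    if enforce and origin and _root(origin) in _BLOCKED_MODULES:
        raise ValueError(f"code reference {ref!r} resolves into blocked module {origin!r}")
    return obj


def resolve_config(config: dict, *, enforce: bool = _ENFORCE_DENYLIST) -> dict:
    """Walk a parsed config (a dict, as yaml.safe_load would return) and
    replace every code-reference field with the object it names."""
    out: dict = {}
    for key, value in config.items():
        if isinstance(value, dict):
            out[key] = resolve_config(value, enforce=enforce)
        elif key in _CODE_REFERENCE_KEYS and isinstance(value, str):
            out[key] = resolve_code_reference(value, enforce=enforce)
        else:
            out[key] = value
    return out


def check(ref: str, *, enforce: bool = _ENFORCE_DENYLIST) -> str:
    """'blocked' if the denylist rejects ref, 'resolved' otherwise."""
    try:
        resolve_code_reference(ref, enforce=enforce)
    except ValueError:
        return "blocked"
    return "resolved"


# Constructed configs standing in for two parsed YAML documents.
SAFE_CONFIG = {"name": "demo", "model": {"model_code": "json.dumps"}}
HOSTILE_CONFIG = {"name": "demo", "model": {"model_code": "os.system"}}


def demo() -> dict[str, str]:
    """Outcomes for a handful of references under the enforced denylist."""
    return {
        "json.dumps": check("json.dumps"),        # ordinary stdlib callable
        "os.system": check("os.system"),          # the report's example, blocked at the root
        "os.path.join": check("os.path.join"),    # blocked: root package is os
        "shutil.os": check("shutil.os"),          # blocked by the post-resolution origin check
        "os.system/off": check("os.system", enforce=False),  # what _ENFORCE_DENYLIST=False allows
    }


if __name__ == "__main__":
    for ref, outcome in demo().items():
        print(f"{ref:16} {outcome}")
```

Two points worth keeping in mind when reviewing a fix of this shape. A denylist only names the modules its author thought of; anything else importable that reaches the same primitives, including third-party packages present in the environment, passes the root check, which is why the second check on the resolved object's origin is there and why an allowlist of permitted packages is the stronger default for a loader that turns config strings into Python objects. The origin check itself is defence in depth rather than a boundary: `__module__` is an ordinary attribute that arbitrary objects may lack or set freely, so it catches accidental re-exports, not a deliberately crafted module.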

google-cla Bot commented May 13, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@rohityan rohityan self-assigned this May 18, 2026
@rohityan
Collaborator

Hi @aimenhamzi01-dot , Thank you for your contribution! We appreciate you taking the time to submit this pull request. Can you please fix the failing tests before we can proceed with the review.

@rohityan rohityan added request clarification [Status] The maintainer need clarification or more information from the author agent config [Component] This issue is related to the Agent Config interface and implementation labels May 18, 2026

@aimenhamzi01-dot
Author

Hi @rohityan, I've fixed the formatting issues raised by the pre-commit checks. Could you please approve the workflows to run the tests? Thank you!
