diff --git a/workspace-template/adapters/smolagents/__init__.py b/workspace-template/adapters/smolagents/__init__.py new file mode 100644 index 00000000..5a3023c8 --- /dev/null +++ b/workspace-template/adapters/smolagents/__init__.py @@ -0,0 +1,11 @@ +"""Smolagents adapter for Molecule AI workspace runtime. + +Provides env sanitization and safe executor primitives for use with +HuggingFace's smolagents library. + +Quick start:: + + from adapters.smolagents.env_sanitize import make_safe_env, SafeLocalPythonExecutor +""" + +__all__ = ["make_safe_env", "SafeLocalPythonExecutor"] diff --git a/workspace-template/adapters/smolagents/env_sanitize.py b/workspace-template/adapters/smolagents/env_sanitize.py new file mode 100644 index 00000000..a8dc92d1 --- /dev/null +++ b/workspace-template/adapters/smolagents/env_sanitize.py @@ -0,0 +1,226 @@ +"""Allowlist-based environment sanitization for smolagents (#826 — C3 CRITICAL). + +Security model +-------------- +We use an **allowlist** (not a denylist) — only variables explicitly +enumerated as safe are passed through to agent-executed code. Any key not +on the list is silently dropped. + +This is intentionally strict: adding a new safe variable is a deliberate +engineering act that surfaces in code review, rather than hoping a regex +denylist catches every new secret name. + +Thread safety +------------- +``SafeLocalPythonExecutor.__call__`` mutates ``os.environ`` temporarily. +``_ENV_PATCH_LOCK`` serialises concurrent calls so simultaneous executions +do not see each other's env patches. + +Extending the allowlist +----------------------- +Set ``SMOLAGENTS_ENV_EXTRA_ALLOWLIST`` to a comma-separated list of +additional uppercase env var names that should be passed through. This is +intended for workspace-specific non-secret variables (e.g. ``WORKSPACE_ID`` +that you know are safe): + + SMOLAGENTS_ENV_EXTRA_ALLOWLIST="MY_COMPANY_ENV,REGION" + +Never add secret names here — use workspace secrets injection instead. +""" + +from __future__ import annotations + +import os +import threading +from typing import Any, Dict, List, Optional + +# --------------------------------------------------------------------------- +# Allowlist configuration +# --------------------------------------------------------------------------- + +# Core safe env variables — non-secret system and runtime variables that +# agent code may legitimately need (e.g. PATH for subprocess-free tools, +# PYTHONPATH for module resolution, TZ for datetime ops). +_SAFE_ENV_ALLOWLIST: frozenset = frozenset( + [ + # Shell / system fundamentals + "PATH", + "HOME", + "USER", + "LOGNAME", + "SHELL", + "TERM", + "TZ", + "TMPDIR", + "TEMP", + "TMP", + # Language / locale + "LANG", + "LANGUAGE", + "LC_ALL", + "LC_CTYPE", + "LC_MESSAGES", + "LC_NUMERIC", + "LC_TIME", + # Python runtime + "PYTHONPATH", + "PYTHONHOME", + "PYTHONDONTWRITEBYTECODE", + "PYTHONUNBUFFERED", + "PYTHONIOENCODING", + # Molecule workspace non-secret identity vars + "WORKSPACE_ID", + "WORKSPACE_NAME", + "PLATFORM_URL", + ] +) + +# Imports permanently excluded from the executor's authorized list. +# These are well-known sandbox-escape vectors. +_BANNED_IMPORTS: frozenset = frozenset( + ["subprocess", "socket", "ctypes", "importlib", "importlib.util"] +) + +# Baseline imports every SafeLocalPythonExecutor allows — pure-computation +# modules with no I/O escape surface. +_BASELINE_SAFE_IMPORTS: List[str] = [ + "math", + "json", + "re", + "datetime", + "collections", + "itertools", + "functools", + "typing", + "string", + "textwrap", + "decimal", + "fractions", + "statistics", + "random", + "hashlib", + "base64", + "urllib.parse", + "copy", + "dataclasses", + "enum", + "abc", + "io", +] + +# Thread lock for env patching +_ENV_PATCH_LOCK = threading.Lock() + + +# --------------------------------------------------------------------------- +# Public API +# --------------------------------------------------------------------------- + + +def make_safe_env( + extra_allowed: Optional[List[str]] = None, +) -> Dict[str, str]: + """Return a *copy* of the environment containing only allowlisted keys. + + ``os.environ`` is **never mutated** by this function. + + Parameters + ---------- + extra_allowed: + Additional variable names to include beyond the built-in allowlist. + Also merged with the ``SMOLAGENTS_ENV_EXTRA_ALLOWLIST`` env var. + + Returns + ------- + dict + A copy of ``os.environ`` filtered to allowlisted keys only. + Keys not on the list are silently dropped. + """ + allowed = set(_SAFE_ENV_ALLOWLIST) + + # Merge caller-provided extras + if extra_allowed: + allowed.update(k.upper() for k in extra_allowed) + + # Merge env-var-configured extras + env_extra = os.environ.get("SMOLAGENTS_ENV_EXTRA_ALLOWLIST", "") + if env_extra: + for key in env_extra.split(","): + key = key.strip().upper() + if key: + allowed.add(key) + + return {k: v for k, v in os.environ.items() if k in allowed} + + +class SafeLocalPythonExecutor: + """Allowlist-gated wrapper around smolagents ``LocalPythonExecutor``. + + Guarantees that agent-generated code cannot read secret environment + variables (``ANTHROPIC_API_KEY``, ``GH_TOKEN``, ``DATABASE_URL``, etc.) + because they are absent from ``os.environ`` during execution. + + Parameters + ---------- + additional_imports: + Extra module names to allow beyond ``_BASELINE_SAFE_IMPORTS``. + ``_BANNED_IMPORTS`` takes precedence — listed names are silently + removed. + extra_allowed_env: + Extra variable names to pass through beyond the core allowlist. + _inner: + Inject a mock ``LocalPythonExecutor`` for tests. When ``None``, + the real smolagents executor is constructed lazily. + """ + + def __init__( + self, + additional_imports: Optional[List[str]] = None, + extra_allowed_env: Optional[List[str]] = None, + *, + _inner: Any = None, + ) -> None: + # Compute final import list (baseline + extras − banned) + combined = list(_BASELINE_SAFE_IMPORTS) + if additional_imports: + for imp in additional_imports: + if imp not in _BANNED_IMPORTS: + combined.append(imp) + + self._authorized_imports: List[str] = combined + self._extra_allowed_env: Optional[List[str]] = extra_allowed_env + self._inner = _inner # may be None until first call + + def _get_inner(self) -> Any: + """Lazy-construct the real executor on first use (avoids import errors in tests).""" + if self._inner is None: + from smolagents import LocalPythonExecutor # type: ignore[import] + + self._inner = LocalPythonExecutor( + additional_authorized_imports=self._authorized_imports + ) + return self._inner + + def __call__(self, code: str, *args: Any, **kwargs: Any) -> Any: + """Execute ``code`` with only allowlisted env vars visible. + + All keys not on the allowlist are removed from ``os.environ`` for + the duration of execution and restored afterward, even on exception. + The lock ensures thread safety across concurrent calls. + """ + safe_env = make_safe_env(self._extra_allowed_env) + inner = self._get_inner() + + with _ENV_PATCH_LOCK: + # Snapshot full current env + original_env = dict(os.environ) + # Remove everything not in the safe set + keys_to_remove = [k for k in os.environ if k not in safe_env] + for k in keys_to_remove: + del os.environ[k] + try: + return inner(code, *args, **kwargs) + finally: + # Always restore + os.environ.clear() + os.environ.update(original_env) diff --git a/workspace-template/tests/adapters/__init__.py b/workspace-template/tests/adapters/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/workspace-template/tests/adapters/smolagents/__init__.py b/workspace-template/tests/adapters/smolagents/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/workspace-template/tests/adapters/smolagents/test_env_sanitize.py b/workspace-template/tests/adapters/smolagents/test_env_sanitize.py new file mode 100644 index 00000000..905ac0bc --- /dev/null +++ b/workspace-template/tests/adapters/smolagents/test_env_sanitize.py @@ -0,0 +1,446 @@ +"""Tests for allowlist-based env sanitization (issue #826 — C3 CRITICAL). + +All tests patch os.environ directly — the module under test must never +mutate the real process env outside of SafeLocalPythonExecutor.__call__, +and even there it must restore the original env on exit. +""" + +from __future__ import annotations + +import os +import threading +from typing import Any +from unittest.mock import MagicMock, patch + +import pytest + +# Import directly from submodule to avoid any sys.modules stub side-effects +from adapters.smolagents.env_sanitize import ( + SafeLocalPythonExecutor, + _BANNED_IMPORTS, + _BASELINE_SAFE_IMPORTS, + _SAFE_ENV_ALLOWLIST, + make_safe_env, +) + + +# --------------------------------------------------------------------------- +# Helpers +# --------------------------------------------------------------------------- + + +class _MockInner: + """Captures the code string passed to it; returns a configurable result.""" + + def __init__(self, return_value: Any = None): + self.calls: list[str] = [] + self.return_value = return_value + + def __call__(self, code: str, *args: Any, **kwargs: Any) -> Any: + self.calls.append(code) + return self.return_value + + +# --------------------------------------------------------------------------- +# make_safe_env() — pure function tests (os.environ never mutated) +# --------------------------------------------------------------------------- + + +class TestMakeSafeEnv: + def test_strips_anthropic_api_key(self): + with patch.dict(os.environ, {"ANTHROPIC_API_KEY": "sk-ant-secret"}, clear=False): + result = make_safe_env() + assert "ANTHROPIC_API_KEY" not in result + + def test_strips_gh_token(self): + with patch.dict(os.environ, {"GH_TOKEN": "ghp_secret"}, clear=False): + result = make_safe_env() + assert "GH_TOKEN" not in result + + def test_strips_openai_api_key(self): + with patch.dict(os.environ, {"OPENAI_API_KEY": "sk-openai"}, clear=False): + result = make_safe_env() + assert "OPENAI_API_KEY" not in result + + def test_strips_database_url(self): + with patch.dict(os.environ, {"DATABASE_URL": "postgres://secret"}, clear=False): + result = make_safe_env() + assert "DATABASE_URL" not in result + + def test_strips_redis_url(self): + with patch.dict(os.environ, {"REDIS_URL": "redis://secret"}, clear=False): + result = make_safe_env() + assert "REDIS_URL" not in result + + def test_strips_aws_access_key(self): + with patch.dict(os.environ, {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"}, clear=False): + result = make_safe_env() + assert "AWS_ACCESS_KEY_ID" not in result + + def test_strips_slack_token(self): + with patch.dict(os.environ, {"SLACK_BOT_TOKEN": "xoxb-secret"}, clear=False): + result = make_safe_env() + assert "SLACK_BOT_TOKEN" not in result + + def test_strips_generic_password(self): + with patch.dict(os.environ, {"DB_PASSWORD": "hunter2"}, clear=False): + result = make_safe_env() + assert "DB_PASSWORD" not in result + + def test_strips_generic_secret(self): + with patch.dict(os.environ, {"JWT_SECRET": "supersecret"}, clear=False): + result = make_safe_env() + assert "JWT_SECRET" not in result + + def test_passes_path(self): + with patch.dict(os.environ, {"PATH": "/usr/bin:/bin"}, clear=False): + result = make_safe_env() + assert result.get("PATH") == "/usr/bin:/bin" + + def test_passes_home(self): + with patch.dict(os.environ, {"HOME": "/root"}, clear=False): + result = make_safe_env() + assert result.get("HOME") == "/root" + + def test_passes_lang(self): + with patch.dict(os.environ, {"LANG": "en_US.UTF-8"}, clear=False): + result = make_safe_env() + assert result.get("LANG") == "en_US.UTF-8" + + def test_passes_pythonpath(self): + with patch.dict(os.environ, {"PYTHONPATH": "/app"}, clear=False): + result = make_safe_env() + assert result.get("PYTHONPATH") == "/app" + + def test_passes_workspace_id(self): + with patch.dict(os.environ, {"WORKSPACE_ID": "ws-123"}, clear=False): + result = make_safe_env() + assert result.get("WORKSPACE_ID") == "ws-123" + + def test_passes_workspace_name(self): + with patch.dict(os.environ, {"WORKSPACE_NAME": "my-agent"}, clear=False): + result = make_safe_env() + assert result.get("WORKSPACE_NAME") == "my-agent" + + def test_passes_platform_url(self): + with patch.dict(os.environ, {"PLATFORM_URL": "http://platform:8080"}, clear=False): + result = make_safe_env() + assert result.get("PLATFORM_URL") == "http://platform:8080" + + def test_does_not_mutate_os_environ(self): + """make_safe_env() must be a pure read — os.environ unchanged after call.""" + with patch.dict( + os.environ, + {"ANTHROPIC_API_KEY": "sk-ant-secret", "PATH": "/usr/bin"}, + clear=False, + ): + before = dict(os.environ) + make_safe_env() + after = dict(os.environ) + assert before == after + + def test_returns_dict(self): + result = make_safe_env() + assert isinstance(result, dict) + + def test_extra_allowed_via_parameter(self): + with patch.dict(os.environ, {"MY_SAFE_VAR": "value"}, clear=False): + result = make_safe_env(extra_allowed=["MY_SAFE_VAR"]) + assert result.get("MY_SAFE_VAR") == "value" + + def test_extra_allowed_via_env_var(self): + with patch.dict( + os.environ, + { + "SMOLAGENTS_ENV_EXTRA_ALLOWLIST": "REGION,CLUSTER_NAME", + "REGION": "us-east-1", + "CLUSTER_NAME": "prod", + "ANTHROPIC_API_KEY": "sk-ant-secret", + }, + clear=False, + ): + result = make_safe_env() + assert result.get("REGION") == "us-east-1" + assert result.get("CLUSTER_NAME") == "prod" + assert "ANTHROPIC_API_KEY" not in result + + def test_extra_allowed_env_var_is_case_normalized(self): + """Names in SMOLAGENTS_ENV_EXTRA_ALLOWLIST are uppercased automatically.""" + with patch.dict( + os.environ, + {"SMOLAGENTS_ENV_EXTRA_ALLOWLIST": "my_safe_var", "MY_SAFE_VAR": "hello"}, + clear=False, + ): + result = make_safe_env() + assert result.get("MY_SAFE_VAR") == "hello" + + +# --------------------------------------------------------------------------- +# SafeLocalPythonExecutor — allowlist enforcement during execution +# --------------------------------------------------------------------------- + + +class TestSafeLocalPythonExecutorAllowlist: + """Core security guarantee: secrets absent from os.environ during execution.""" + + def test_secret_absent_during_execution_anthropic(self): + """Injected ANTHROPIC_API_KEY must not be visible to executed code.""" + captured_env: dict = {} + + def _mock_inner(code: str, *args, **kwargs): + # Simulate what agent code would see via os.environ + captured_env.update(os.environ.copy()) + return "" + + executor = SafeLocalPythonExecutor(_inner=_mock_inner) + + with patch.dict(os.environ, {"ANTHROPIC_API_KEY": "sk-ant-secret"}, clear=False): + executor("import os; os.environ.get('ANTHROPIC_API_KEY', '')") + + assert "ANTHROPIC_API_KEY" not in captured_env + + def test_secret_absent_during_execution_gh_token(self): + captured_env: dict = {} + + def _mock_inner(code: str, *args, **kwargs): + captured_env.update(os.environ.copy()) + return "" + + executor = SafeLocalPythonExecutor(_inner=_mock_inner) + + with patch.dict(os.environ, {"GH_TOKEN": "ghp_secret"}, clear=False): + executor("import os; os.environ.get('GH_TOKEN', '')") + + assert "GH_TOKEN" not in captured_env + + def test_secret_absent_during_execution_database_url(self): + captured_env: dict = {} + + def _mock_inner(code: str, *args, **kwargs): + captured_env.update(os.environ.copy()) + return "" + + executor = SafeLocalPythonExecutor(_inner=_mock_inner) + + with patch.dict(os.environ, {"DATABASE_URL": "postgres://secret"}, clear=False): + executor("code") + + assert "DATABASE_URL" not in captured_env + + def test_secret_absent_during_execution_openai_key(self): + captured_env: dict = {} + + def _mock_inner(code: str, *args, **kwargs): + captured_env.update(os.environ.copy()) + + executor = SafeLocalPythonExecutor(_inner=_mock_inner) + + with patch.dict(os.environ, {"OPENAI_API_KEY": "sk-openai"}, clear=False): + executor("code") + + assert "OPENAI_API_KEY" not in captured_env + + def test_multiple_secrets_all_absent(self): + """All secrets must be stripped simultaneously, not just one.""" + captured_env: dict = {} + + def _mock_inner(code: str, *args, **kwargs): + captured_env.update(os.environ.copy()) + + executor = SafeLocalPythonExecutor(_inner=_mock_inner) + + secrets = { + "ANTHROPIC_API_KEY": "sk-ant", + "GH_TOKEN": "ghp_", + "OPENAI_API_KEY": "sk-open", + "DATABASE_URL": "postgres://", + "REDIS_URL": "redis://", + "SLACK_BOT_TOKEN": "xoxb-", + "JWT_SECRET": "secret", + "DB_PASSWORD": "pass", + } + + with patch.dict(os.environ, secrets, clear=False): + executor("code") + + for key in secrets: + assert key not in captured_env, f"{key!r} was visible during execution" + + def test_safe_vars_present_during_execution(self): + """Allowlisted variables must remain visible during execution.""" + captured_env: dict = {} + + def _mock_inner(code: str, *args, **kwargs): + captured_env.update(os.environ.copy()) + + executor = SafeLocalPythonExecutor(_inner=_mock_inner) + + with patch.dict( + os.environ, + { + "PATH": "/usr/bin:/bin", + "WORKSPACE_ID": "ws-abc", + "PYTHONPATH": "/app", + "ANTHROPIC_API_KEY": "sk-ant-secret", + }, + clear=False, + ): + executor("code") + + assert captured_env.get("PATH") == "/usr/bin:/bin" + assert captured_env.get("WORKSPACE_ID") == "ws-abc" + assert captured_env.get("PYTHONPATH") == "/app" + + def test_env_restored_after_execution(self): + """os.environ must be fully restored after __call__ returns.""" + executor = SafeLocalPythonExecutor(_inner=_MockInner()) + + with patch.dict( + os.environ, + {"ANTHROPIC_API_KEY": "sk-ant-secret", "PATH": "/usr/bin"}, + clear=False, + ): + env_before = dict(os.environ) + executor("code") + env_after = dict(os.environ) + + assert env_before == env_after + + def test_env_restored_after_exception(self): + """os.environ must be restored even if the inner executor raises.""" + + def _raises(code: str, *args, **kwargs): + raise RuntimeError("boom") + + executor = SafeLocalPythonExecutor(_inner=_raises) + + with patch.dict( + os.environ, + {"ANTHROPIC_API_KEY": "sk-ant-secret"}, + clear=False, + ): + env_before = dict(os.environ) + with pytest.raises(RuntimeError, match="boom"): + executor("code") + env_after = dict(os.environ) + + assert env_before == env_after + + def test_returns_inner_result(self): + mock_inner = _MockInner(return_value="hello world") + executor = SafeLocalPythonExecutor(_inner=mock_inner) + result = executor("some code") + assert result == "hello world" + + def test_passes_code_to_inner(self): + mock_inner = _MockInner() + executor = SafeLocalPythonExecutor(_inner=mock_inner) + executor("print('hi')") + assert mock_inner.calls == ["print('hi')"] + + +# --------------------------------------------------------------------------- +# SafeLocalPythonExecutor — import restrictions +# --------------------------------------------------------------------------- + + +class TestSafeLocalPythonExecutorImports: + def test_banned_imports_removed_from_authorized(self): + """Banned imports must not appear in the authorized list regardless of what caller passes.""" + executor = SafeLocalPythonExecutor( + additional_imports=["subprocess", "socket", "math"], + _inner=_MockInner(), + ) + for banned in _BANNED_IMPORTS: + assert banned not in executor._authorized_imports, ( + f"{banned!r} must not be in authorized imports" + ) + + def test_safe_imports_present(self): + executor = SafeLocalPythonExecutor(_inner=_MockInner()) + for safe in ["math", "json", "re", "datetime"]: + assert safe in executor._authorized_imports + + def test_additional_safe_import_added(self): + executor = SafeLocalPythonExecutor( + additional_imports=["numpy"], + _inner=_MockInner(), + ) + assert "numpy" in executor._authorized_imports + + def test_banned_list_coverage(self): + """Verify the built-in banned list covers expected attack vectors.""" + expected_banned = {"subprocess", "socket", "ctypes", "importlib", "importlib.util"} + assert expected_banned.issubset(_BANNED_IMPORTS) + + +# --------------------------------------------------------------------------- +# SafeLocalPythonExecutor — thread safety +# --------------------------------------------------------------------------- + + +class TestSafeLocalPythonExecutorThreadSafety: + def test_concurrent_calls_restore_env_correctly(self): + """Two concurrent executions must not corrupt each other's env view.""" + results: list[bool] = [] + errors: list[Exception] = [] + + def _run(secret_key: str, secret_value: str): + captured_env: dict = {} + + def _inner(code: str, *args, **kwargs): + captured_env.update(os.environ.copy()) + + executor = SafeLocalPythonExecutor(_inner=_inner) + try: + with patch.dict(os.environ, {secret_key: secret_value}, clear=False): + executor("code") + # Secret must not be visible during execution + results.append(secret_key not in captured_env) + except Exception as exc: + errors.append(exc) + + threads = [ + threading.Thread(target=_run, args=(f"SECRET_{i}", f"value_{i}")) + for i in range(10) + ] + for t in threads: + t.start() + for t in threads: + t.join() + + assert not errors, f"Threads raised: {errors}" + assert all(results), "Some threads saw a secret that should have been stripped" + + +# --------------------------------------------------------------------------- +# Allowlist contents +# --------------------------------------------------------------------------- + + +class TestAllowlistContents: + def test_core_vars_in_allowlist(self): + """Spot-check that expected safe vars are on the allowlist.""" + required = {"PATH", "HOME", "LANG", "PYTHONPATH", "WORKSPACE_ID", "WORKSPACE_NAME", "PLATFORM_URL"} + for var in required: + assert var in _SAFE_ENV_ALLOWLIST, f"{var!r} missing from _SAFE_ENV_ALLOWLIST" + + def test_secrets_not_in_allowlist(self): + """Known secret names must NOT appear on the allowlist.""" + forbidden = { + "ANTHROPIC_API_KEY", + "GH_TOKEN", + "GITHUB_TOKEN", + "OPENAI_API_KEY", + "DATABASE_URL", + "REDIS_URL", + "SLACK_BOT_TOKEN", + "JWT_SECRET", + "DB_PASSWORD", + "AWS_SECRET_ACCESS_KEY", + "AWS_ACCESS_KEY_ID", + } + for var in forbidden: + assert var not in _SAFE_ENV_ALLOWLIST, ( + f"{var!r} must NOT be in _SAFE_ENV_ALLOWLIST — it's a secret" + )