fix(builtin_tools/a2a): restore OFFSEC-003 peer-result sanitization
Some checks failed
Handlers Postgres Integration / detect-changes (pull_request) Successful in 32s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
qa-review / approved (pull_request) Failing after 17s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 8m4s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 26s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 32s
sop-checklist-gate / gate (pull_request) Successful in 18s
security-review / approved (pull_request) Failing after 18s
sop-tier-check / tier-check (pull_request) Successful in 20s
gate-check-v3 / gate-check (pull_request) Failing after 28s
Harness Replays / Harness Replays (pull_request) Successful in 7s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3m23s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Successful in 4m56s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m15s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4m48s
CI / Platform (Go) (pull_request) Failing after 11m20s
CI / Canvas (Next.js) (pull_request) Failing after 11m24s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / Shellcheck (E2E scripts) (pull_request) Failing after 16s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 52s
MCP Stdio Transport Regression / MCP stdio with regular-file stdout (pull_request) Failing after 1m38s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 11s
Runtime Pin Compatibility / PyPI-latest install + import smoke (pull_request) Successful in 1m42s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 13s
Check migration collisions / Migration version collision check (pull_request) Successful in 23s
CI / Python Lint & Test (pull_request) Successful in 7m51s
Harness Replays / detect-changes (pull_request) Successful in 18s
CI / Detect changes (pull_request) Successful in 26s
E2E API Smoke Test / detect-changes (pull_request) Successful in 26s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 26s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 1m41s
Some checks failed
Handlers Postgres Integration / detect-changes (pull_request) Successful in 32s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
qa-review / approved (pull_request) Failing after 17s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 8m4s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 26s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 32s
sop-checklist-gate / gate (pull_request) Successful in 18s
security-review / approved (pull_request) Failing after 18s
sop-tier-check / tier-check (pull_request) Successful in 20s
gate-check-v3 / gate-check (pull_request) Failing after 28s
Harness Replays / Harness Replays (pull_request) Successful in 7s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3m23s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Successful in 4m56s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m15s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4m48s
CI / Platform (Go) (pull_request) Failing after 11m20s
CI / Canvas (Next.js) (pull_request) Failing after 11m24s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / Shellcheck (E2E scripts) (pull_request) Failing after 16s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 52s
MCP Stdio Transport Regression / MCP stdio with regular-file stdout (pull_request) Failing after 1m38s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 11s
Runtime Pin Compatibility / PyPI-latest install + import smoke (pull_request) Successful in 1m42s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 13s
Check migration collisions / Migration version collision check (pull_request) Successful in 23s
CI / Python Lint & Test (pull_request) Successful in 7m51s
Harness Replays / detect-changes (pull_request) Successful in 18s
CI / Detect changes (pull_request) Successful in 26s
E2E API Smoke Test / detect-changes (pull_request) Successful in 26s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 26s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 1m41s
The stdio-fallback branch removed the OFFSEC-003 sanitization from builtin_tools/a2a_tools.py (the LangChain adapter's A2A tools): - Removed the `from _sanitize_a2a import sanitize_a2a_result` import - Removed `sanitize_a2a_result()` wrapping from all delegate_task() return paths (peer text, error messages, raw data) Without this, the LangChain adapter passes raw peer content directly into the agent's LLM context — the same OFFSEC-003 injection surface that was fixed in a2a_tools_delegation.py (#492/#537). This patch restores the exact original sanitization calls. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
parent
c2325f1a17
commit
261a8e2498
@ -9,6 +9,13 @@ import uuid
|
||||
|
||||
import httpx
|
||||
|
||||
# OFFSEC-003: peer-controlled text MUST be wrapped with sanitize_a2a_result
|
||||
# before being returned to the LLM. This module's delegate_task() is one of
|
||||
# the trust-boundary entry points where peer output crosses into our agent's
|
||||
# context — same surface as a2a_tools_delegation.py:325 (fixed via #492).
|
||||
# Issue #537.
|
||||
from _sanitize_a2a import sanitize_a2a_result
|
||||
|
||||
PLATFORM_URL = os.environ.get("PLATFORM_URL", "http://host.docker.internal:8080")
|
||||
WORKSPACE_ID = os.environ.get("WORKSPACE_ID", "")
|
||||
|
||||
@ -69,12 +76,14 @@ async def delegate_task(workspace_id: str, task: str) -> str:
|
||||
result = data["result"]
|
||||
parts = result.get("parts", []) if isinstance(result, dict) else []
|
||||
if parts and isinstance(parts[0], dict):
|
||||
return parts[0].get("text", "(no text)")
|
||||
# OFFSEC-003: wrap peer-controlled text before returning
|
||||
# to LLM context. Issue #537.
|
||||
return sanitize_a2a_result(parts[0].get("text", "(no text)"))
|
||||
# Empty parts list (e.g. {"parts": []}) should return str(result),
|
||||
# not "(no text)" — preserves pre-fix behavior (#279 regression fix).
|
||||
if isinstance(result, dict) and result.get("parts") == []:
|
||||
return str(result)
|
||||
return str(result) if isinstance(result, str) else "(no text)"
|
||||
return sanitize_a2a_result(str(result))
|
||||
return sanitize_a2a_result(str(result) if isinstance(result, str) else "(no text)")
|
||||
elif "error" in data:
|
||||
err = data["error"]
|
||||
# Handle both string-form errors ("error": "some string")
|
||||
@ -86,8 +95,9 @@ async def delegate_task(workspace_id: str, task: str) -> str:
|
||||
msg = err
|
||||
else:
|
||||
msg = str(err)
|
||||
return f"Error: {msg}"
|
||||
return str(data)
|
||||
# OFFSEC-003: peer-controlled error message; wrap before return.
|
||||
return sanitize_a2a_result(f"Error: {msg}")
|
||||
return sanitize_a2a_result(str(data))
|
||||
except Exception as e:
|
||||
return f"Error sending A2A message: {e}"
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user