
Dangerous commands (awk) in default bash allowlist enable code execution #351

@mickume

Description

Summary

The DEFAULT_ALLOWLIST in agent_fox/security/security.py:29-87 includes awk and sed, which support arbitrary code execution:

  • awk '{system("id")}' — executes shell commands via awk's built-in system() function
  • sed with the /e flag — evaluates replacement as a shell command

These commands would pass the current shell operator filter because the dangerous behavior is achieved through the tool's own syntax, not through shell operators.

Risk

Severity: Low — The LLM agent constructs the commands, and exploiting this would require an adversarial prompt to convince the agent to use awk's system() builtin or sed's /e flag. The shell operator filter blocks pipes and subshells, limiting but not eliminating the risk.

Category: Overprivileged Default (CWE-250)

Mitigation

Option A (preferred): Add system( to the dangerous-token blocklist:

from __future__ import annotations

import re

_DANGEROUS_ARG_TOKENS = frozenset({"-exec", "-execdir"})
# Matches awk's system() builtin, tolerating whitespace before the paren.
_DANGEROUS_CONTENT_PATTERNS = re.compile(r"system\s*\(")

def check_shell_operators(command_string: str) -> str | None:
    # ... existing checks ...
    if _DANGEROUS_CONTENT_PATTERNS.search(command_string):
        return "Command contains code execution pattern which can execute arbitrary commands."
    return None

Option B: Remove awk from the default allowlist entirely and require explicit opt-in via bash_allowlist_extend in config.

Verification

  • Test: awk '{system("id")}' is blocked
  • Test: awk '{print $1}' still passes (if Option A chosen)
  • Confirm legitimate awk/sed usage patterns still work
  • make check green
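As an added illustration (not the project's code), the following combines Option A and Option B in one check and runs the verification cases above. DEFAULT_ALLOWLIST, effective_allowlist and check_command are constructed for this example; the project's real allowlist and operator filter are larger. It also shows a trade-off of the system( pattern: a legitimate grep for the string "system(" is rejected too.

```python
from __future__ import annotations

import re
import shlex

# Constructed allowlist for this example; the project's real DEFAULT_ALLOWLIST is longer.
# awk is left out (Option B) and must be opted into via bash_allowlist_extend.
DEFAULT_ALLOWLIST: frozenset[str] = frozenset({"ls", "cat", "grep", "sed", "echo", "find"})
_DANGEROUS_ARG_TOKENS = frozenset({"-exec", "-execdir"})
# Option A: block awk's system() builtin, tolerating whitespace before the paren.
_DANGEROUS_CONTENT_PATTERNS = re.compile(r"system\s*\(")


def effective_allowlist(bash_allowlist_extend: list[str] | None = None) -> frozenset[str]:
    """Default allowlist plus commands the operator explicitly opted into (Option B)."""
    return DEFAULT_ALLOWLIST | frozenset(bash_allowlist_extend or ())


def check_command(command_string: str, allowlist: frozenset[str] = DEFAULT_ALLOWLIST) -> str | None:
    """Return a rejection reason, or None when the command may run.

    The content pattern is searched on the raw string rather than on the shlex tokens,
    so quoting such as awk '{system("id")}' cannot hide it from the check.
    """
    try:
        tokens = shlex.split(command_string)
    except ValueError as exc:
        return f"Unparseable command: {exc}"
    if not tokens:
        return "Empty command."
    if tokens[0] not in allowlist:
        return f"Command {tokens[0]!r} is not in the allowlist."
    if any(tok in _DANGEROUS_ARG_TOKENS for tok in tokens[1:]):
        return "Command contains an argument token which can execute arbitrary commands."
    if _DANGEROUS_CONTENT_PATTERNS.search(command_string):
        return "Command contains code execution pattern which can execute arbitrary commands."
    return None


if __name__ == "__main__":
    # Verification cases from the issue, plus a false positive the pattern also catches.
    for cmd in (
        "awk '{system(\"id\")}'",
        "awk '{print $1}'",
        "find . -name '*.py' -exec rm {} \\;",
        "grep -n 'system(' src/main.c",
    ):
        print(f"{cmd!r:45} -> {check_command(cmd, effective_allowlist(['awk']))}")
```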
