mirror of
https://github.com/pewdiepie-archdaemon/odysseus.git
synced 2026-07-11 12:27:13 +00:00
fix(security): gate bare and mcp-qualified email names together; stop executing Markdown info strings
Review follow-up on #3681 (thanks @RaresKeY): 1. P1: execute_tool_block() checked disabled_tools / the turn ToolPolicy only against the incoming block name, then the bare-email branch qualified it to mcp__email__<name> and called the MCP manager. Plan mode and the MCP settings toggle write the QUALIFIED name into the denylist, so a bare fence like ```list_emails``` sailed past a mcp__email__list_emails entry. Both gates now match on both spellings (bare <-> mcp__email__-qualified), in either direction. 2. P2: the relaxed fence regex accepted arbitrary same-line text after a recognized tag, which made ordinary Markdown info strings executable: ```python title="example.py" ran as a python tool call. Same-line content now only counts as tool input when it starts with { or [ (JSON args); anything else leaves the fence as display text, and strip_tool_blocks mirrors that (the fence stays visible). Tests: disabled-tools alias regression (qualified entry blocks bare name and vice versa, never reaching the MCP manager), ToolPolicy alias regression, python/bash title="..." non-execution + display retention, and inline JSON-array args still parsing. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
+15
-2
@@ -559,6 +559,19 @@ async def _execute_tool_block_impl(
|
||||
tool = block.tool_type
|
||||
content = block.content
|
||||
|
||||
# A bare email tool name is an alias for its MCP-qualified form (the
|
||||
# dispatch below routes it to mcp__email__<name>). Policy sources spell
|
||||
# email tools either way — plan mode and the MCP settings toggle write the
|
||||
# qualified name into the denylist, chat-level toggles the bare one — so
|
||||
# the block/disable gates below must match on BOTH spellings. Gating only
|
||||
# the name the model happened to emit lets a bare fence slip past a
|
||||
# qualified denylist entry (and vice versa).
|
||||
policy_names = {tool}
|
||||
if tool in BUILTIN_EMAIL_TOOLS:
|
||||
policy_names.add(f"mcp__email__{tool}")
|
||||
elif tool.startswith("mcp__email__") and tool[len("mcp__email__"):] in BUILTIN_EMAIL_TOOLS:
|
||||
policy_names.add(tool[len("mcp__email__"):])
|
||||
|
||||
# Misformatted tool call detection: model put JSON inside ```python``` (or
|
||||
# similar) without naming the tool. Common with MiniMax-style outputs.
|
||||
# Return a helpful error so the model retries with the correct format.
|
||||
@@ -586,13 +599,13 @@ async def _execute_tool_block_impl(
|
||||
pass
|
||||
|
||||
# Reject tools that the user has disabled for this request
|
||||
if disabled_tools and tool in disabled_tools:
|
||||
if disabled_tools and not policy_names.isdisjoint(disabled_tools):
|
||||
desc = f"{tool}: BLOCKED"
|
||||
result = {"error": f"Tool '{tool}' is disabled by user.", "exit_code": 1}
|
||||
logger.info(f"Tool blocked by user: {tool}")
|
||||
return desc, result
|
||||
|
||||
if tool_policy and tool_policy.blocks(tool):
|
||||
if tool_policy and any(tool_policy.blocks(name) for name in policy_names):
|
||||
desc = f"{tool}: BLOCKED"
|
||||
result = {
|
||||
"error": f"Execution of tool '{tool}' is forbade by the active guide-only policy.",
|
||||
|
||||
Reference in New Issue
Block a user