fix(security): gate bare and mcp-qualified email names together; stop executing Markdown info strings

Review follow-up on #3681 (thanks @RaresKeY):

1. P1: execute_tool_block() checked disabled_tools / the turn ToolPolicy
   only against the incoming block name, then the bare-email branch
   qualified it to mcp__email__<name> and called the MCP manager. Plan
   mode and the MCP settings toggle write the QUALIFIED name into the
   denylist, so a bare fence like ```list_emails``` sailed past a
   mcp__email__list_emails entry. Both gates now match on both
   spellings (bare <-> mcp__email__-qualified), in either direction.

2. P2: the relaxed fence regex accepted arbitrary same-line text after
   a recognized tag, which made ordinary Markdown info strings
   executable: ```python title="example.py" ran as a python tool call.
   Same-line content now only counts as tool input when it starts with
   { or [ (JSON args); anything else leaves the fence as display text,
   and strip_tool_blocks mirrors that (the fence stays visible).

Tests: disabled-tools alias regression (qualified entry blocks bare
name and vice versa, never reaching the MCP manager), ToolPolicy alias
regression, python/bash title="..." non-execution + display retention,
and inline JSON-array args still parsing.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
botinate
2026-06-11 19:44:30 +02:00
parent 0bc57eb3f3
commit 9076be3add
4 changed files with 103 additions and 5 deletions
+28
View File
@@ -58,6 +58,27 @@ def test_hyphenated_tag_is_not_a_tool_call():
assert blocks == [], blocks
def test_markdown_info_string_is_not_executable_python():
# ```python title="example.py" is Markdown fence metadata, not tool args.
# Same-line content other than JSON args ({...}/[...]) must not execute —
# otherwise a fence the model meant to display runs as code.
blocks = parse_tool_blocks('```python title="example.py"\nprint("hi")\n```')
assert blocks == [], blocks
def test_markdown_info_string_is_not_executable_bash():
blocks = parse_tool_blocks('```bash title="setup"\necho hi\n```')
assert blocks == [], blocks
def test_inline_json_array_args_still_parse():
# The narrowed same-line rule must keep accepting JSON args: { or [.
blocks = parse_tool_blocks('```bulk_email {"action": "archive", "uids": [1, 2]}\n```')
assert [(b.tool_type, b.content) for b in blocks] == [
("bulk_email", '{"action": "archive", "uids": [1, 2]}')
]
def test_inline_args_fence_is_stripped_from_display():
# strip must mirror parse: an executed inline-args fence must not leak
# into the displayed text.
@@ -69,3 +90,10 @@ def test_python3_fence_is_left_intact_in_display():
# ...and a fence that did NOT parse as a tool call must stay visible.
text = 'Example:\n```python3\nprint("hi")\n```'
assert strip_tool_blocks(text) == text
def test_markdown_info_string_fence_is_left_intact_in_display():
# strip must mirror parse for info-string fences too: not executed,
# so not stripped from the displayed text.
text = 'Example:\n```python title="example.py"\nprint("hi")\n```'
assert strip_tool_blocks(text) == text