GHSA-h2w2-v7j6-xqm4: praisonai: tool approval bypass executes denied actions

## Summary The published npm package `praisonai` exports `createAgentLoop()`, whose `onToolCall` callback is documented and exampled as an approval hook. The implementation calls PraisonAI's `generateText()` wrapper with the caller's executable tools first, receives `toolResults`, and only then calls `onToolCall()`. Because AI SDK `generateText()` executes tools with an `execute` function as part of the generation call, `onToolCall` can deny a tool only after the sensitive side effect has already happened. PraisonAI then returns `finishReason: "tool_rejected"`, which is a false security signal: the rejected tool already ran. The PoV is deterministic and local-only. It uses mock AI SDK modules, no live model call, no API key, and no network target. The tool increments an in-memory counter rather than touching the filesystem or executing commands. ## Technical Details In `src/praisonai-ts/src/ai/agent-loop.ts`, the public config says: ```ts /** On tool call callback (for approval) */ onToolCall?: (toolCall: ToolCallInfo) => Promise<boolean>; ``` The inline approval example also asks a user for approval and returns the decision: ```ts onToolCall: async (toolCall) => { const approved = await askUserForApproval(toolCall); return approved; } ``` However, `AgentLoop.step()` calls `generateText()` with the executable tools before invoking `onToolCall`: ```ts const result = await generateText({ model: this.config.model, messages: this.messages as any, tools: this.config.tools, maxSteps: 1, }); ``` It then materializes `toolResults`: ```ts toolResults: result.toolResults.map(tr => ({ toolCallId: tr.toolCallId, toolName: tr.toolName, result: tr.result, })), ``` Only afterward does the approval callback run: ```ts if (this.config.onToolCall) { for (const toolCall of step.toolCalls) { const approved = await this.config.onToolCall(toolCall); if (!approved) { this.complete = true; step.finishReason = 'tool_rejected'; break; } } } ``` `src/praisonai-ts/src/ai/generate-text.ts` forwards the caller's tools directly to AI SDK: ```ts const result = await sdk.generateText({ model, ... tools: options.tools, maxSteps: options.maxSteps, ... }); ``` AI SDK documents that `generateText()` "generates text and calls tools", and that tools with an `execute` function run automatically unless approval is handled before execution with `needsApproval`. The published `npm:praisonai@1.7.1` dist files preserve the same order: - `dist/ai/agent-loop.js` lines 150-157 call `generateText()` with executable tools. - lines 162-171 materialize `toolResults`. - lines 183-195 call `onToolCall()` and set `tool_rejected` afterward. ### Why This Is Not Intended Behavior This is not a trust-model-only issue. PraisonAI explicitly labels `onToolCall` as an approval callback and shows an approval example. A user who returns `false` from that callback expects the tool not to run. It also conflicts with the AI SDK execution model PraisonAI wraps: - AI SDK `generateText()` executes tools that include an `execute` function. - AI SDK approval is a pre-execution boundary (`needsApproval`), not a post-execution notification. - AI SDK loop control documentation treats "a tool call needs approval" as a condition that stops or pauses the loop before executing the tool. PraisonAI's current behavior instead creates a post-execution audit hook while naming and documenting it as approval. ## PoV Run from a local reproduction checkout: ```bash node poc/pov_poc.js 1.7.1 ``` Expected output includes: ```json { "praisonaiVersion": "1.7.1", "createAgentLoopExported": true, "eventOrder": ["tool-executed", "approval-denied"], "sideEffects": 1, "finishReason": "tool_rejected", "toolCallCount": 1, "toolResultCount": 1, "rejectedAfterExecution": true, "vulnerable": true, "patchedControl": { "order": ["approval-denied"], "sideEffects": 0, "toolCallCount": 1, "toolResultCount": 0, "blocksBeforeExecution": true } } ``` The PoV installs `npm:praisonai@1.7.1` into a temporary project and supplies mock `ai` and `@ai-sdk/openai` modules. The mocked `generateText()` returns one tool-call intent and executes a supplied `execute` handler if present. This keeps the proof deterministic and isolates PraisonAI's ordering bug. The vulnerable run uses `createAgentLoop()` with: - a `dangerousWrite` tool whose `execute()` handler increments an in-memory side-effect counter and records `tool-executed`; - an `onToolCall` approval callback that always returns `false` and records `approval-denied`. The observed order is: ```text tool-executed > approval-denied ``` That proves denial happens after execution. The `toolResults` array contains the tool's result even though PraisonAI reports `finishReason: "tool_rejected"`. The patched-control comparison strips executable handlers before the model step, requests approval on the tool-call intent, and only executes if approval succeeds. With the same denial decision, the control output is: ```text approval-denied sideEffects = 0 toolResultCount = 0 ``` ## PoC The PoV section above contains the local reproduction command, input, and decisive output. ## Impact Any application using npm PraisonAI `createAgentLoop()` with `onToolCall` as a human-in-the-loop or policy approval boundary can execute denied tools. If the application exposes the agent loop to lower-trust prompts or users and registers powerful tools, an attacker can cause the model to call a tool that the approval callback denies. The denial occurs too late. Depending on the registered tool, impact can include file modification, command execution, external API calls, data mutation, credential use, or other side effects with the privileges of the PraisonAI process. The report does not claim that npm PraisonAI exposes this as a default network service. It is a library-level approval-boundary bypass in the exported TypeScript agent-loop API. ### Severity Suggested severity: High. Rationale: - `AV`: common deployment pattern is an application exposing agent prompts over a network. - `AC`: attacker only needs to induce a tool call. - `PR`: conservative base score assumes the attacker can submit prompts to the application. - `UI`: no additional operator action is needed for the tool to execute before denial; even a denial callback is too late. - `S`: impact is in the PraisonAI-hosting application process. - `C/I/A`: depends on registered tools; shell/file/API tools can affect confidentiality, integrity, and availability. If maintainers score only local scripts that process untrusted repositories or prompts, `AV:L` may be reasonable. If they score public unauthenticated prompt endpoints built on this API, `PR:N` may be reasonable. ## Suggested Fix Do not pass executable tool handlers into `generateText()` before approval. One safe shape: 1. Convert configured tools into intent-only tool definitions without `execute`. 2. Call `generateText()` to obtain the model's tool-call intent. 3. Invoke `onToolCall(toolCall)` before any side effect. 4. Execute the selected tool only if approval returns true. 5. Append approved tool results to the conversation and continue the loop. Alternatively, if PraisonAI wants to delegate approval to AI SDK v6, translate `onToolCall` into per-tool `needsApproval` semantics so AI SDK pauses before calling `execute`. Regression tests should include: - `onToolCall` returns false and the tool `execute()` counter remains zero; - `onToolCall` returns true and the tool executes exactly once; - `tool_rejected` is never reported together with a tool result produced by the denied tool; - streaming and non-streaming loop variants use the same approval ordering if added later. ## Affected Package/Versions - Repository: `MervinPraison/PraisonAI` - Package: `npm:praisonai` - Component: TypeScript `AgentLoop` - Current head validated: `1ad58ca02975ff1398efeda694ea2ab78f20cf3e` - Current tag validated: `v4.6.58` - Latest npm package validated: `1.7.1` Suggested affected range: ```text npm:praisonai >= 1.4.0, <= 1.7.1 ``` Selected version sweep: - `1.0.0`: package main cannot be required in the selected test environment. - `1.2.0`: `createAgentLoop` is not exported. - `1.3.6`: `createAgentLoop` is not exported. - `1.4.0`: vulnerable. - `1.5.0`: vulnerable. - `1.5.4`: vulnerable. - `1.6.0`: vulnerable. - `1.7.0`: vulnerable. - `1.7.1`: vulnerable. ## Advisory History This is distinct from known and previously submitted PraisonAI issues: - `GHSA-ffp3-3562-8cv3` covers Python `praisonaiagents` approval cache keyed by tool name rather than invocation arguments. - `GHSA-qwgj-rrpj-75xm` covers Python Chainlit UI overriding configured approval mode with `auto`. - `GHSA-63v4-w882-g4x2` / poc covers Python `HTTPApproval` approval-page XSS. - poc covers npm TypeScript `AgentOS` missing authentication. - poc covers npm TypeScript `codeMode` sandbox escape. - poc covers npm TypeScript `MCPServer` missing authentication. No visible local or GitHub advisory covers npm TypeScript `AgentLoop.onToolCall` executing after tool results already exist.

An attacker with low-privileged prompt access to an application built on PraisonAI <= 1.7.1 submits a crafted message inducing the LLM to call a registered `writeFile` or shell tool. The operator's `onToolCall` callback is configured as a policy gate and returns `false` for unauthorized calls. However, the AI SDK's `generateText()` has already executed the tool's `execute()` handler before the callback fires — the file is written or command runs. PraisonAI returns `finishReason: 'tool_rejected'`, the application logs a blocked action, and the side effect persists undetected. In a multi-tenant scenario, this enables one user's prompt to trigger unauthorized actions under registered tool credentials with no visible trace in operator-facing logs.