feat(subagent):接入 CapabilityToken 与继承式权限隔离#326
Conversation
| if trimmed == "" { | ||
| return "" | ||
| } | ||
| return filepath.ToSlash(strings.ToLower(filepath.Clean(trimmed))) |
There was a problem hiding this comment.
normalizePathKey lowercases filesystem paths before authorization matching. On case-sensitive filesystems (Linux), this can broaden access (e.g. token allows /Workspace/Secret but /workspace/secret becomes equivalent in checks). Consider preserving case for path authorization keys and only normalizing separators/cleaning.
| } | ||
|
|
||
| normalized := token.Normalize() | ||
| taskID := strings.TrimSpace(action.Payload.TaskID) |
There was a problem hiding this comment.
Capability binding to action context is currently optional (task_id/agent_id only checked when action fields are non-empty). If a valid signed token is replayed with empty action TaskID/AgentID, cross-task/agent reuse is not blocked. For fail-closed isolation, require non-empty action TaskID and AgentID whenever CapabilityToken is present, then enforce exact match.
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
|
/code 解决review 补齐覆盖率 |
| } | ||
|
|
||
| // normalizePathKey 生成统一比较用路径键,屏蔽大小写与分隔符差异。 | ||
| func normalizePathKey(path string) string { |
There was a problem hiding this comment.
normalizePathKey lowercases all paths on every platform. On Linux/macOS (case-sensitive FS), this can treat distinct directories as equivalent and accidentally widen AllowedPaths matching (e.g. /Repo/Safe vs /repo/safe). Please keep case folding Windows-only (align with workspace.go's cleanedPathKey/samePathKey) to avoid capability path bypass.
| Arguments: []byte(input.Call.Arguments), | ||
| Workdir: input.Workdir, | ||
| SessionID: input.SessionID, | ||
| TaskID: input.TaskID, |
There was a problem hiding this comment.
TaskID / AgentID / CapabilityToken are now forwarded here, but the main runtime execution path (executeOneToolCall in internal/runtime/toolexec.go) still constructs permissionExecutionInput without populating these fields. In practice, capability binding/signature checks won’t run for normal tool execution flow. Please wire these values from runtime state/subagent context into that caller path.
| type permissionExecutionInput struct { | ||
| RunID string | ||
| SessionID string | ||
| TaskID string |
There was a problem hiding this comment.
permissionExecutionInput now carries TaskID/AgentID/Capability, but runtime call paths still create this struct without populating those fields (for example the normal tool execution path in executeOneToolCall). As a result, capability binding checks are effectively skipped in production flow because verifyCapabilityToken only compares task/agent when those action fields are non-empty. This makes the claimed runtime context propagation incomplete and weakens task/agent isolation guarantees.
| if trimmed == "" { | ||
| return "" | ||
| } | ||
| return filepath.ToSlash(strings.ToLower(filepath.Clean(trimmed))) |
There was a problem hiding this comment.
normalizePathKey lowercases all paths unconditionally. On case-sensitive filesystems (Linux), this can collapse distinct paths (e.g. /Workspace/A vs /workspace/a) and incorrectly treat an out-of-scope target as allowed. Path normalization should be OS-aware (only case-fold on Windows) to avoid privilege broadening.
| if trimmed == "" { | ||
| return "" | ||
| } | ||
| return filepath.ToSlash(strings.ToLower(filepath.Clean(trimmed))) |
There was a problem hiding this comment.
这里对路径做了全局 strings.ToLower。在大小写敏感文件系统(Linux/macOS 默认)上,会把不同真实路径折叠为同一个 key,可能导致 AllowedPaths 误命中并放大权限范围。建议仅在大小写不敏感平台做大小写归一化,或直接按平台语义比较 canonical path。
| Arguments: []byte(input.Call.Arguments), | ||
| Workdir: input.Workdir, | ||
| SessionID: input.SessionID, | ||
| TaskID: input.TaskID, |
There was a problem hiding this comment.
这里开始透传 TaskID/AgentID/CapabilityToken,但当前主链路调用点 internal/runtime/toolexec.go 构造 permissionExecutionInput 时并未填充这些字段。结果是正常工具执行路径下 capability 绑定/验签不会真正生效。建议在调用 executeToolCallWithPermission 时补齐上下文并加一条端到端回归测试覆盖该链路。
| } | ||
|
|
||
| normalized := token.Normalize() | ||
| taskID := strings.TrimSpace(action.Payload.TaskID) |
There was a problem hiding this comment.
task_id/agent_id 仅在 action 侧非空时才校验,属于“可选绑定”。这会留下重放窗口:若上游遗漏填充 action 上下文,已签名 token 仍可通过校验。建议对携带 capability 的请求强制要求 action 的 task_id 和 agent_id 非空且必须与 token 一致。
完成情况已按 review 点完成修复并补齐相关覆盖,代码已提交并推送到当前分支。 关键修复
测试补齐
验证结果
提交与推送
|
- make capability path normalization platform-aware - require non-empty task/agent binding when capability token is present - forward capability context through runtime tool execution path - add regression tests for security/tools/runtime Generated with [codeagent](https://github.com/qbox/codeagent) Co-authored-by: Cai-Tang-www <106404101+Cai-Tang-www@users.noreply.github.com>
fix(capability): close review gaps and coverage
|
/code 解决CI冲突 |
|
已处理 处理结果
说明
|
Generated with [codeagent](https://github.com/qbox/codeagent) Co-authored-by: Cai-Tang-www <106404101+Cai-Tang-www@users.noreply.github.com>
|
@xgopilot 解决下冲突 |
处理结果已检查并验证当前 PR 分支,未复现可合并冲突。
如果 GitHub 页面仍显示冲突,请贴出具体冲突文件或最新报错截图,我再按对应文件继续处理。 |
|
@xgopilot 该分支存在冲突,必须解决 internal/runtime/runtime.go |
处理结果已完成冲突修复并推送到当前 PR 分支。
另外按 fork 流程已创建跟踪 PR: |
…gration Generated with [codeagent](https://github.com/qbox/codeagent) Co-authored-by: Cai-Tang-www <106404101+Cai-Tang-www@users.noreply.github.com>
merge: resolve runtime conflict with main
|
/code 测试覆盖率提到95以上 |
Review Findings
Summary当前状态下,“覆盖率 95%+”目标尚未达成;需要继续补齐 |
|
/code 帮我补充测试,让覆盖率提到95以上 |
完成情况已补充并提交测试,重点覆盖 capability / manager permission / subagent worker 的未覆盖分支,改动已推送到当前 PR 分支。 本次补充
验证结果
提交与推送
|
Generated with [codeagent](https://github.com/qbox/codeagent) Co-authored-by: Cai-Tang-www <106404101+Cai-Tang-www@users.noreply.github.com>
test: boost coverage for capability and permission helpers
|
@xgopilot 仔细审查给定的 PR 代码变更,你的核心任务是寻找可能导致权限越权、沙盒逃逸、密码学安全漏洞以及 Go 并发/上下文陷阱的逻辑缺陷。不要在基础的拼写或常规语法上浪费过多精力,重点关注架构安全性。 Review Checkpoints (重点审查清单)请严格按照以下清单对代码进行交叉对比和逐行审查:
Output Format请以 Markdown 格式输出你的审查报告。要求直奔主题,结构如下:
如果你在上述清单中未发现问题,请在报告中明确回复“针对 [第 X 项],代码已通过审查,未发现问题”。 |
🛑 致命安全风险 (Blockers)
|
|
@xgopilot 帮我修复上述comment的问题,尤其是安全问题 |
|
已按“上述 comment(重点安全问题)”完成修复并推送到当前 PR 分支。 修复内容
测试补充
验证
提交与推送
未完成项:无。 |
Generated with [codeagent](https://github.com/qbox/codeagent) Co-authored-by: Cai-Tang-www <106404101+Cai-Tang-www@users.noreply.github.com>
fix(security): harden capability isolation checks
关联
本次改动
提交拆分
测试