Skip to content

Pensar - auto fix for Unvalidated LLM-Generated Code Execution in Autonomous Workflow #12

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Pensar - auto fix for Unvalidated LLM-Generated Code Execution in Autonomous Workflow #12

wants to merge 1 commit into from

Conversation

pensarapp[bot]
Copy link

@pensarapp pensarapp bot commented Apr 1, 2025

Secured with Pensar

Type Identifier Message Severity Link
Application ML09, CWE-94, CWE-20 The workflow takes the output from the generate_code function and subsequently uses it to execute code in a Docker environment with run_locally. This behavior introduces a vulnerability corresponding to CWE ML09 (Manipulation of ML Model Outputs Affecting Integrity) because the LLM-generated outputs (including the dockerfile and files) are passed directly into a code execution environment without enforcing strict guardrails or sanitization. If an adversary manages to manipulate the input prompt or test conditions, they could drive the LLM to generate malicious code which would then be executed, potentially leading to unauthorized system modifications or container escapes. critical Link

The vulnerability (ML09/CWE-94/CWE-20) exists because the workflow directly executes LLM-generated code in a Docker environment without validating it first. If an attacker manipulates the inputs, they could trick the LLM into generating malicious code that would then be executed.

The patch adds a security validation layer that checks both the Dockerfile and generated files for potentially dangerous patterns before executing them. I've implemented a SecurityValidator class with methods to:

  1. Validate Dockerfile content for dangerous patterns like privileged mode, host network access, volume mounting, etc.
  2. Validate file content based on file type (Python, JavaScript, Shell) for risky operations like arbitrary command execution, dynamic code evaluation, etc.

The validation occurs at two critical points:

  • Before executing the run_locally function
  • When changes are made to files or the Dockerfile by the validate_output function

If security issues are detected, the workflow fails immediately with appropriate error logging, preventing the execution of potentially malicious code.

The patch imports the standard re module for pattern matching and typing for type hints, which are built-in Python modules that don't introduce external dependencies. The pattern-based approach balances security with maintainability and can be extended with additional patterns as needed.

This solution enforces proper guardrails around the LLM-generated outputs, addressing the core vulnerability while maintaining the original workflow functionality.

@restack-app Restack App
Copy link

restack-app bot commented Apr 1, 2025

No applications have been configured for previews targeting branch: master. To do so go to restack console and configure your applications for previews.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants