fix: resolve calculator RCE vulnerability and improve devcontainer reliability #160

Open
Chitranshu0 wants to merge 2 commits into fetchai:main from Chitranshu0:fix-issue-5-security-rce

@Chitranshu0

Summary

This PR addresses Issue #5 by removing an unsafe eval() usage in the Trip Planner calculator tool and improving the reliability of the Internet Computer devcontainer setup script.

Security Improvements

  • Replaced eval() with a safe AST-based evaluator
  • Restricted evaluation to approved mathematical operators, functions, and constants
  • Blocked arbitrary code execution attempts including imports, file access, subprocess execution, attribute traversal, and dynamic evaluation
  • Explicitly rejected boolean constants (True and False)
  • Added comprehensive security-focused test coverage

Devcontainer Improvements

  • Removed hardcoded workspace paths
  • Added dynamic workspace detection
  • Added validation for required dependencies (git, node, npm, dfx)
  • Improved error handling using set -euo pipefail
  • Added retry logic for transient installation failures
  • Improved portability across development environments

Type of Change

  • Bug fix

Checklist

  • I have starred this repository.
  • New community agents are under contributors/<agent-name>/ (not applicable)
  • I ran ruff check .
  • I ran ruff format .
  • I added/updated README.md for changed example(s) (not required)
  • I added .env.example if environment variables are required (not required)
  • I added demo image/GIF (not applicable)
  • I added agent profile link (not applicable)
  • I updated contributors/CHANGELOG.md or CHANGELOG.md (only if maintainers require it)
  • I added my agent to the Community Contributors table (not applicable)
  • I verified paths/commands used in docs.
  • I understand this PR requires maintainer review before merge.

Related Issue

Closes #5

Notes for Reviewers

Calculator Tool

  • Replaced unsafe eval() execution with a restricted AST-based evaluator.
  • Added validation to allow only approved mathematical operations.
  • Added tests covering valid expressions and malicious payloads.

Security Validation

The following payload categories were tested and rejected:

  • __import__
  • compile
  • exec
  • open
  • globals
  • locals
  • attribute traversal
  • boolean constants

Test Results

29 passed

Files Changed

  • Crewai-agents/trip_planner/tools/calculator_tools.py
  • Crewai-agents/trip_planner/tests/test_calculator_safety.py
  • web3/internet-computer/scripts/devcontainer-setup.sh

github-actions bot added the labels gssoc26 (GirlScript Summer of Code 2026 contribution) and level2 (GSSoC level 2 - intermediate (medium points)) on Jun 20, 2026

Development

Successfully merging this pull request may close these issues.

CRITICAL VULNERABILITIES FIXED AND VERIFIED