fix: add consent gate and newline sanitization to cron tool #468

Merged: pgrayy merged 2 commits into strands-agents:main from pgrayy:fix/cron-consent-gate-and-newline-injection on May 15, 2026
@pgrayy pgrayy commented May 15, 2026

Description

The cron tool writes LLM-supplied schedule, command, and raw entry strings directly into the user's crontab with no confirmation prompt and incomplete newline sanitization (only the description field is sanitized). This makes it possible for an agent to silently install persistent cron jobs, and for newline injection to smuggle hidden entries past any future consent prompt.

This PR adds:

  • A consent gate via BYPASS_TOOL_CONSENT (matching shell, editor, file_write, and other tools) through a shared _write_crontab function that all mutating paths must use.
  • Newline sanitization on composed cron lines via _sanitize_cron_line, preventing injection of hidden extra crontab entries through any input field.

Type of Change

Bug fix

Testing

  • All 27 unit tests pass (hatch test tests/test_cron.py)
  • Manual security validation script (save/test_cron_security.py) runs 8 tests against the real crontab, all pass
  • Parametrized injection tests cover all 7 input vectors (add schedule/command/description, raw command, edit schedule/command/description)

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

The cron tool wrote LLM-supplied schedule, command, and raw entry
strings directly into the user's crontab with no confirmation prompt
and no newline sanitization (except on the description field).

This adds:
- A consent gate via BYPASS_TOOL_CONSENT (matching shell, editor,
  file_write, and other tools) through a shared _write_crontab function
  that all mutating paths must use.
- Newline sanitization on composed cron lines via _sanitize_cron_line,
  preventing injection of hidden extra crontab entries.
@pgrayy pgrayy temporarily deployed to auto-approve May 15, 2026 02:36 — with GitHub Actions Inactive
@pgrayy pgrayy temporarily deployed to auto-approve May 15, 2026 02:48 — with GitHub Actions Inactive
@pgrayy pgrayy merged commit dc5acc3 into strands-agents:main May 15, 2026
17 checks passed
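
The two controls described in this PR, as an added example that is not code from the PR or the strands-agents repository: it shows how a newline in one field turns a single request into two crontab entries, and why sanitizing before the consent prompt matters. The function names, the choice to reject rather than strip line breaks, the trailing `# description` layout, and the `"true"` comparison for `BYPASS_TOOL_CONSENT` are assumptions; the crontab is modeled as an in-memory list.

```python
import os
import re

_LINE_BREAKS = re.compile(r"[\r\n\x00]")  # characters that end or corrupt an entry


def compose_entry(schedule, command, description=None):
    """Join fields into one crontab line (trailing '# description' is an assumed layout)."""
    line = f"{schedule} {command}"
    return f"{line}  # {description}" if description else line


def count_entries(crontab_text):
    """Count the lines cron would treat as jobs: non-blank and not a comment."""
    lines = crontab_text.split("\n")
    return sum(1 for ln in lines if ln.strip() and not ln.lstrip().startswith("#"))


def sanitize_cron_line(line):
    """Reject a composed line that would expand into more than one entry."""
    if _LINE_BREAKS.search(line):
        raise ValueError("cron entry contains a line break or NUL byte")
    return line.strip()


def write_crontab(current, new_line, confirm, env=os.environ):
    """Hypothetical single choke point: sanitize, then ask, then write.

    Sanitizing first means the prompt shows exactly what will be stored.
    """
    entry = sanitize_cron_line(new_line)
    # Assumption: consent is skipped only when the variable equals "true".
    bypass = env.get("BYPASS_TOOL_CONSENT", "").lower() == "true"
    if not bypass and not confirm(f"Add cron entry?\n  {entry}"):
        return list(current), False
    return list(current) + [entry], True


# Constructed input: a command field carrying an embedded newline.
INJECTED = compose_entry("0 * * * *", "echo hourly\n* * * * * echo hidden", "report")

if __name__ == "__main__":
    print("entries cron would see:", count_entries(INJECTED))  # one request, two jobs
    try:
        write_crontab([], INJECTED, confirm=lambda prompt: True, env={})
    except ValueError as exc:
        print("rejected before any prompt:", exc)
    print(write_crontab([], "0 * * * * echo ok", confirm=lambda prompt: False, env={}))
```

Routing every mutating path through one function like `write_crontab` is what keeps a new add or edit code path from skipping either check.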