Skip to content

fix(workflow): validate workflow_id and confine workflow files to the workflow directory#521

Draft
yonib05 wants to merge 2 commits into
strands-agents:mainfrom
yonib05:fix/workflow-id-path-containment
Draft

fix(workflow): validate workflow_id and confine workflow files to the workflow directory#521
yonib05 wants to merge 2 commits into
strands-agents:mainfrom
yonib05:fix/workflow-id-path-containment

Conversation

@yonib05

@yonib05 yonib05 commented Jun 27, 2026

Copy link
Copy Markdown
Member

Description

The workflow tool uses workflow_id directly to build the workflow file name in WORKFLOW_DIR (WORKFLOW_DIR / f"{workflow_id}.json") across the load, store, and delete operations. The only existing check is if not workflow_id (which generates a UUID for empty create ids), so a workflow_id containing directory separators or relative segments points the read/write/delete at a file outside WORKFLOW_DIR.

This change adds two layers:

  1. Allowlist validation at the tool boundary: workflow_id must match ^[A-Za-z0-9._-]{1,128}$ and may not be . or ... Invalid ids return an error result. The id is validated after the create-time UUID fallback, so auto-generated ids still pass.
  2. A defense-in-depth helper, resolve_workflow_path, used by load_workflow, store_workflow, and delete_workflow. It resolves the target path and raises ValueError unless the result is inside the resolved WORKFLOW_DIR, so every filesystem operation stays confined regardless of how the id reaches it.

Related Issues

Type of Change

Bug fix

Testing

Added a TestWorkflowIdValidation suite covering the allowlist (accepted and rejected ids including ../../etc/passwd, ., .., separators, and overlong ids), the path resolver, and runtime confinement of all three sinks. Ran the workflow test module (54 passed) and ruff format --check / ruff check on the changed files.

  • I ran hatch run prepare

Checklist

  • I have added any necessary tests that prove my fix is effective
  • My changes generate no new warnings

… workflow directory

workflow_id is used directly to build the workflow file name in WORKFLOW_DIR
across the load, store, and delete operations. Add an allowlist check at the
tool boundary (1-128 characters limited to letters, digits, '.', '_' and '-',
rejecting "." and "..") and a defense-in-depth helper that resolves the target
path and confirms it stays inside WORKFLOW_DIR before any read, write, or
delete. Add regression tests covering the allowlist, the resolver, and each of
the three filesystem operations.
@yonib05 yonib05 marked this pull request as draft June 29, 2026 21:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant