Description
Advisory Details
Package: agno (pip)
Repository: https://github.com/agno-agi/agno
CWE: CWE-78 (OS Command Injection)
Severity: Medium
Summary
CodingTools has "python" in its allowed commands list. An attacker can use python -c "import os; os.system(cmd)" to bypass all command restriction checks and execute arbitrary system commands.
Details
The CodingTools class maintains an allowlist of permitted commands. Because "python" is in this list and the restriction check validates only the base command name, passing the -c flag with arbitrary Python code bypasses all restrictions. The Python -c flag executes any Python code given on the command line, including calls to os.system(), subprocess.run(), and other shell execution functions.
PoC
- Configure CodingTools with default settings (python in allowed commands)
- Execute: python -c "import os; os.system('id; cat /etc/passwd')"
- The command passes the allowlist check (base command is "python") and executes arbitrary system commands
Impact
Command restriction bypass leading to arbitrary command execution. Any user or AI agent that can invoke CodingTools can escape the intended sandbox.
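The check described under Details, next to a stricter one, as an added example that is not agno's code. The allowlist contents, the function names and the assumption that commands are run as an argv list without a shell are all hypothetical.

```python
import shlex

# Hypothetical allowlist modelled on the advisory's description; not agno's real list.
ALLOWED = {"ls", "cat", "grep", "python"}

# Programs whose arguments are themselves code or further commands.
# Allowing one of these makes the allowlist meaningless as a boundary.
CODE_RUNNERS = {"python", "sh", "bash", "perl", "ruby", "node", "env", "xargs"}


def base_name_check(command: str) -> bool:
    """Check as described in the advisory: only the first token is validated."""
    argv = shlex.split(command)
    return bool(argv) and argv[0] in ALLOWED


def strict_check(command: str) -> bool:
    """Deny interpreters outright instead of trusting their arguments."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    if not argv:
        return False
    prog = argv[0]
    if "/" in prog:  # bare names only, no ./python or /usr/bin/python
        return False
    family = prog.rstrip("0123456789.")  # python3.11 -> python
    if family in CODE_RUNNERS:
        return False
    return prog in ALLOWED


# Constructed sample input, shortened from the PoC above.
POC = "python -c \"import os; os.system('id')\""

if __name__ == "__main__":
    for cmd in (POC, "ls -la", "python3.11 script.py"):
        print(f"{cmd!r}: base={base_name_check(cmd)} strict={strict_check(cmd)}")
```

Blocking only the -c flag would not be enough, because an interpreter will also run code from a script file or standard input; that is why the stricter check denies the interpreter entirely.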