Contributor

@madhur-tandon madhur-tandon commented Dec 18, 2025

Summary of PR

base path restriction for FileEditor

Change Type

  • Bug fix
  • New feature
  • Breaking change
  • Refactor
  • Other (dependency update, docs, typo fixes, etc.)

Checklist

  • I have read and reviewed the code and I understand what the code is doing.
  • I have tested the code to the best of my ability and ensured it works as expected.

Fixes

Resolves #240

Release Notes

FileEditorTool takes a base path parameter and forces all file paths to be relative to that base path. If a path doesn't have the base path as a prefix, it will be restricted from being edited.

  • Include this change in the Release Notes.
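
Added example, not code from this pull request or from the project: a containment check for the restriction described in the release notes, set beside a literal string-prefix comparison to show where the two disagree. The function names, the `ws` / `ws-other` layout and the sample paths are constructed for illustration, and `naive_prefix_check` is a literal reading of "has the base path as a prefix", not a statement about how the PR implements it.

```python
import os
import tempfile
from pathlib import Path


def naive_prefix_check(base_path: str, target: str) -> bool:
    """String-prefix comparison: the weak form of the check."""
    return target.startswith(base_path)


def is_within_base(base_path: str, target: str) -> bool:
    """Resolve both paths (symlinks, '..') and compare path components."""
    base = Path(base_path).resolve()
    candidate = Path(target)
    if not candidate.is_absolute():
        candidate = base / candidate
    resolved = candidate.resolve()  # strict=False: the file may not exist yet
    return resolved == base or base in resolved.parents


def demo() -> dict:
    """Build a constructed directory layout and run both checks on it."""
    root = Path(tempfile.mkdtemp()).resolve()
    base = root / "ws"
    sibling = root / "ws-other"          # shares the string prefix ".../ws"
    base.mkdir()
    sibling.mkdir()
    (sibling / "notes.txt").write_text("outside")
    os.symlink(sibling, base / "link")   # symlink inside base, pointing outside
    cases = {
        "inside": str(base / "src" / "app.py"),
        "sibling": str(sibling / "notes.txt"),
        "dotdot": str(base / ".." / "ws-other" / "notes.txt"),
        "symlink": str(base / "link" / "notes.txt"),
        "relative": "src/app.py",
    }
    return {
        name: (naive_prefix_check(str(base), path), is_within_base(str(base), path))
        for name, path in cases.items()
    }


if __name__ == "__main__":
    for name, (naive, resolved) in demo().items():
        print(f"{name:9} naive={naive!s:5} resolved={resolved}")
```

The resolved check still has a gap between check and use: a path component can be swapped for a symlink after the check passes, so the edit itself should operate on the resolved path.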

@neubig neubig self-assigned this Dec 18, 2025
executor = FileEditorExecutor(workspace_root=conv_state.workspace.working_dir)
executor = FileEditorExecutor(
workspace_root=conv_state.workspace.working_dir,
base_path=base_path or conv_state.workspace.working_dir,
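
Review bot: The `or` fallback in `base_path=base_path or conv_state.workspace.working_dir` replaces every falsy value with the working directory, so a caller that passes `None` cannot opt out of the restriction through this code path, and an empty string is silently replaced as well. If the restriction is meant to be optional here, test `base_path is None` explicitly and carry a separate way to say "disabled"; if it is meant to be mandatory here, say so in a comment next to the fallback.
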
Collaborator

If I understand correctly, base_path will always be set, is that right? Even though it's defined as an optional

Contributor Author

Yes, you're right. In this specific code path, base_path will always have
a value (either the provided one or workspace.working_dir as fallback).

However, I kept base_path as optional in FileEditorTool's signature because:

  1. Other callers might not always want to enforce a base_path restriction
  2. The feature is opt-in (base_path=None means no restriction)
  3. Backwards compatibility - existing code doesn't need to change

The fallback here ensures a sensible default for this specific use case
while keeping the tool flexible for other scenarios.

Collaborator

Just to clarify, you're right we need to do this, to implement the restriction, but I do think you're right it should be optional too, though. The use case I have in mind is with the OpenHands-CLI, and I think it should be possible for the CLI user to enable or disable this.

This bit of code creates the executor... which I think all callers need? It's not clear to me if we have enough flexibility for the CLI to just say e.g. "--always-approve means yolo, we'll disable path enforcement"? Please correct me if I'm wrong! It's just a tiny question, nothing else, I'd like to understand this.

workspace_root: Root directory that serves as the current working
directory for relative path suggestions. Must be an absolute path.
If None, no path suggestions will be provided for relative paths.
base_path: Base directory that restricts all file operations. When set,
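
Review bot: The visible part of the `base_path` entry does not say what form the path must take, while the `workspace_root` entry above it states "Must be an absolute path". Document whether `base_path` must be absolute, whether it and the target path are resolved (symlinks, `..`) before they are compared, and what happens when `base_path` and `workspace_root` point at different directories.
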
Collaborator

Just a small question, is there a reason why this isn't workspace_root?

Contributor Author

Yeah, even I had the same hunch i.e. merging both of these parameters together...

but the original issue demanded a separate parameter and since this is my first contribution, decided to follow the proposed idea.

Let me know if this needs to change though...

Collaborator

Got it, I think the issue is written with the help of the agent too, so who knows, we can take it as starting point, but change it freely if it makes sense.

I think maybe workspace root makes sense

Collaborator

@xingyaoww xingyaoww left a comment

I actually have mixed feelings about this:

  1. We don't restrict bash, so technically the agent can go over this by using a terminal command to modify files outside the cwd
  2. Also, I actually run into multiple cases where referring a file outside the cwd to the agent can be helpful (e.g., from another project)

Hence I'm not sure if we actually want to implement this restriction 🤔

@neubig neubig removed their assignment Dec 18, 2025
Collaborator

enyst commented Dec 19, 2025

Good point about bash @xingyaoww !

@madhur-tandon Frankly, that’s why I was asking about optional: to disable it on my machine. I’ve seen too many times the agent saying “I can’t use file editor, lemme make a python script and run it to replace stuff in file”, which it… does. 😅

I think this, restricting the agent access, is important for many users, but maybe we could think of a more fundamental solution (like sandboxing, which applications based on the SDK can already use). WDYT?

Development

Successfully merging this pull request may close these issues.

Feature Request: FileEditorTool should support base path restriction