crewAI/lib
Rip&Tear 3bce3cceed fix: never default the path allow-list to the filesystem root
_get_allowed_roots defaulted its primary root to os.getcwd(). In a
container started without a WORKDIR, cwd is "/", and since "/" is a
parent of every absolute path the deny-by-default allow-list then
permitted the entire filesystem -- silently disabling confinement and
re-opening arbitrary LLM-controlled file read/write (the exact hole this
PR closes).

Distinguish an implicitly defaulted primary root (base_dir is None ->
os.getcwd()) from operator-provided roots (base_dir, allowed_dirs,
CREWAI_TOOLS_ALLOWED_DIRS). When the implicit cwd default resolves to
os.sep it is dropped; an explicit "/" is still honored as a deliberate
opt-in. If no usable root remains, raise a clear ValueError instead of
allowing everything.

Addresses the corridor-security review finding on #6248.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 11:22:29 +08:00
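
The root-resolution rule described in the commit message above, as an added sketch that is not crewAI's own code. The names `resolve_allowed_roots` and `is_allowed`, the `env` and `cwd` parameters, and the `os.pathsep` separator for `CREWAI_TOOLS_ALLOWED_DIRS` are assumptions made for illustration.

```python
import os
from pathlib import Path


def resolve_allowed_roots(base_dir=None, allowed_dirs=(), env=None, cwd=None):
    """Build the allow-list roots (hypothetical helper, not the project's function).

    env and cwd are injectable so the container case can be reproduced in a test.
    """
    env = os.environ if env is None else env
    fs_root = Path(os.sep).resolve()
    roots = []

    if base_dir is None:
        # Implicit default: the process cwd. In a container without WORKDIR
        # this is "/", which is a parent of every absolute path, so drop it.
        implicit = Path(cwd if cwd is not None else os.getcwd()).resolve()
        if implicit != fs_root:
            roots.append(implicit)
    else:
        # Operator-provided root: honored as given, even an explicit "/".
        roots.append(Path(base_dir).resolve())

    # Assumption: the environment variable holds an os.pathsep-separated list.
    from_env = env.get("CREWAI_TOOLS_ALLOWED_DIRS", "").split(os.pathsep)
    extra = list(allowed_dirs) + [p for p in from_env if p]
    roots.extend(Path(p).resolve() for p in extra)

    if not roots:
        # Fail closed instead of silently allowing the whole filesystem.
        raise ValueError(
            "no usable allowed root: cwd is the filesystem root and no "
            "base_dir, allowed_dirs or CREWAI_TOOLS_ALLOWED_DIRS was given"
        )
    return roots


def is_allowed(path, roots):
    """Deny by default: the resolved path must equal a root or sit beneath one."""
    target = Path(path).resolve()  # collapses ".." and follows symlinks
    # Comparing path components (not string prefixes) keeps a sibling such as
    # /srv/app-secrets outside the root /srv/app.
    return any(target == root or root in target.parents for root in roots)
```
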