fix: restrict importlib provider loading to trusted namespaces (#7463)

2026-03-25 20:15:37 -07:00
parent b0477309d2
commit 8544314fa6
6 changed files with 102 additions and 3 deletions
--- a/README.md
+++ b/README.md
@@ -152,6 +152,12 @@ For more advanced multi-agent orchestrations and workflows, read

 Use AutoGen Studio to prototype and run multi-agent workflows without writing code.

+> **Caution**: AutoGen Studio is meant to help you rapidly prototype multi-agent workflows and
+> demonstrate an example of end user interfaces built with AutoGen. It is **not meant to be a
+> production-ready app**. Developers are encouraged to use the AutoGen framework to build their own
+> applications, implementing authentication, security and other features required for deployed
+> applications. See the [security note](https://microsoft.github.io/autogen/dev/user-guide/autogenstudio-user-guide/index.html#a-note-on-security) for more details.
+
 ```bash
 # Run AutoGen Studio on http://localhost:8080
 autogenstudio ui --port 8080 --appdir ./my-app
--- a/python/docs/src/user-guide/autogenstudio-user-guide/installation.md
+++ b/python/docs/src/user-guide/autogenstudio-user-guide/installation.md
@@ -7,6 +7,10 @@ myst:

 # Installation

+```{caution}
+AutoGen Studio is meant to help you rapidly prototype multi-agent workflows and demonstrate an example of end user interfaces built with AutoGen. It is not meant to be a production-ready app. Developers are encouraged to use the AutoGen framework to build their own applications, implementing authentication, security and other features required for deployed applications.
+```
+
 There are two ways to install AutoGen Studio - from PyPi or from source. We **recommend installing from PyPi** unless you plan to modify the source code.

 ## Create a Virtual Environment (Recommended)
--- a/python/packages/autogen-core/src/autogen_core/_component_config.py
+++ b/python/packages/autogen-core/src/autogen_core/_component_config.py
@@ -52,6 +52,34 @@ WELL_KNOWN_PROVIDERS = {
    "OllamaChatCompletionClient": "autogen_ext.models.ollama.OllamaChatCompletionClient",
 }

+_TRUSTED_PROVIDER_NAMESPACES: tuple[str, ...] = (
+    "autogen_core.",
+    "autogen_agentchat.",
+    "autogen_ext.",
+    "autogen_studio.",
+    "autogenstudio.",
+    "autogen_test_utils.",
+)
+
+
+def _get_trusted_namespaces() -> tuple[str, ...]:
+    """Return the set of trusted provider namespaces.
+
+    The default set covers all first-party AutoGen packages. Additional namespaces
+    can be added at runtime by setting the ``AUTOGEN_ALLOWED_PROVIDER_NAMESPACES``
+    environment variable to a comma-separated list of package prefixes
+    (e.g. ``mycompany_agents,mypackage``).
+    """
+    import os
+
+    extra = os.environ.get("AUTOGEN_ALLOWED_PROVIDER_NAMESPACES", "")
+    if extra:
+        extras = tuple(
+            ns.strip() if ns.strip().endswith(".") else ns.strip() + "." for ns in extra.split(",") if ns.strip()
+        )
+        return _TRUSTED_PROVIDER_NAMESPACES + extras
+    return _TRUSTED_PROVIDER_NAMESPACES
+

 class ComponentFromConfig(Generic[FromConfigT]):
    @classmethod
@@ -224,6 +252,23 @@ class ComponentLoader:
            raise ValueError("Invalid")

        module_path, class_name = output
+
+        trusted = _get_trusted_namespaces()
+        # Also allow test modules (pytest convention) to load components
+        module_name = module_path.rsplit(".", maxsplit=1)[-1]
+        is_test_module = module_name.startswith("test_") or module_path.startswith("test_")
+        if not is_test_module and not any(
+            module_path.startswith(ns) or module_path == ns.rstrip(".") for ns in trusted
+        ):
+            raise ValueError(
+                f"Provider module '{module_path}' is not in a trusted namespace. "
+                f"Allowed namespaces by default: autogen_core, autogen_agentchat, autogen_ext, "
+                f"autogen_studio, autogenstudio. "
+                f"To allow additional namespaces, set the AUTOGEN_ALLOWED_PROVIDER_NAMESPACES "
+                f"environment variable to a comma-separated list "
+                f"(e.g. AUTOGEN_ALLOWED_PROVIDER_NAMESPACES=mycompany_agents,mypackage)."
+            )
+
        module = importlib.import_module(module_path)
        component_class = module.__getattribute__(class_name)

--- a/python/packages/autogen-core/tests/test_component_config.py
+++ b/python/packages/autogen-core/tests/test_component_config.py
@@ -367,3 +367,19 @@ def test_component_descriptions() -> None:
    assert ComponentWithDocstring("test").dump_component().description == "A component using just docstring."
    assert ComponentWithDescription("test").dump_component().description == "Explicit description"
    assert ComponentWithDescription("test").dump_component().label == "Custom Component"
+
+
+def test_untrusted_provider_rejected() -> None:
+    """load_component must reject providers outside trusted namespaces."""
+    bad_model = ComponentModel(provider="os.path.join", config={})
+    with pytest.raises(ValueError, match="not in a trusted namespace"):
+        ComponentLoader.load_component(bad_model, object)  # type: ignore
+
+
+def test_trusted_provider_via_env_var(monkeypatch: pytest.MonkeyPatch) -> None:
+    """AUTOGEN_ALLOWED_PROVIDER_NAMESPACES extends the allowed namespace list."""
+    monkeypatch.setenv("AUTOGEN_ALLOWED_PROVIDER_NAMESPACES", "mycompany_agents")
+    from autogen_core._component_config import _get_trusted_namespaces  # type: ignore
+
+    namespaces = _get_trusted_namespaces()
+    assert "mycompany_agents." in namespaces
--- a/python/packages/autogen-ext/src/autogen_ext/agents/video_surfer/tools.py
+++ b/python/packages/autogen-ext/src/autogen_ext/agents/video_surfer/tools.py
@@ -16,10 +16,27 @@ def extract_audio(video_path: str, audio_output_path: str) -> str:
    """
    Extracts audio from a video file and saves it as an MP3 file.

-    :param video_path: Path to the video file.
-    :param audio_output_path: Path to save the extracted audio file.
+    :param video_path: Path to the video file (must be a local file path, not a URL).
+    :param audio_output_path: Path to save the extracted audio file (must end with .mp3).
    :return: Confirmation message with the path to the saved audio file.
    """
+    import os
+    import re
+
+    # Reject URLs to prevent SSRF via ffmpeg
+    if re.match(r"^[a-zA-Z][a-zA-Z0-9+\-.]*://", video_path):
+        raise ValueError("video_path must be a local file path, not a URL.")
+
+    # Enforce .mp3 extension to prevent writing arbitrary file types
+    if not audio_output_path.lower().endswith(".mp3"):
+        raise ValueError("audio_output_path must end with .mp3.")
+
+    # Prevent path traversal — output must stay within the current working directory
+    cwd = os.path.realpath(os.getcwd())
+    output_real = os.path.realpath(audio_output_path)
+    if not output_real.startswith(cwd + os.sep) and output_real != cwd:
+        raise ValueError("audio_output_path must be within the current working directory.")
+
    (ffmpeg.input(video_path).output(audio_output_path, format="mp3").run(quiet=True, overwrite_output=True))  # type: ignore
    return f"Audio extracted and saved to {audio_output_path}."

--- a/python/packages/autogen-studio/README.md
+++ b/python/packages/autogen-studio/README.md
@@ -9,8 +9,19 @@ AutoGen Studio is an AutoGen-powered AI app (user interface) to help you rapidly

 Code for AutoGen Studio is on GitHub at [microsoft/autogen](https://github.com/microsoft/autogen/tree/main/python/packages/autogen-studio)

+> [!CAUTION]
+> AutoGen Studio is meant to help you rapidly prototype multi-agent workflows and demonstrate an example of end user interfaces built with AutoGen. It is **not meant to be a production-ready app**. Developers are encouraged to use the [AutoGen framework](https://microsoft.github.io/autogen) to build their own applications, implementing authentication, security and other features required for deployed applications.
+
 > [!WARNING]
-> AutoGen Studio is under active development and is currently not meant to be a production-ready app. Expect breaking changes in upcoming releases. [Documentation](https://microsoft.github.io/autogen/docs/autogen-studio/getting-started) and the `README.md` might be outdated.
+> AutoGen Studio is under active development. Expect breaking changes in upcoming releases.
+
+## A Note on Security
+
+AutoGen Studio is a research prototype and is **not meant to be used** in a production environment. Some baseline practices are encouraged e.g., using Docker code execution environment for your agents.
+
+However, other considerations such as rigorous tests related to jailbreaking, ensuring LLMs only have access to the right keys of data given the end user's permissions, and other security features are not implemented in AutoGen Studio.
+
+If you are building a production application, please use the [AutoGen framework](https://microsoft.github.io/autogen) and implement the necessary security features.

 ## Updates