
sec(js): mount() API accepts arbitrary host paths without validation or warning #1169

@chaliy

Description


Summary

The Node.js bindings expose a `mount(hostPath, vfsPath, writable?)` method on both `Bash` and `BashTool` classes that accepts arbitrary host filesystem paths. There is no path validation, sandboxing, or warning when writable mounts are created. In AI agent applications, if the LLM can influence mount parameters (e.g., through prompt injection), it could gain access to sensitive host directories.

Threat category: TM-ESC (Sandbox Escape) — extends existing category
Severity: Medium
Component: `crates/bashkit-js/src/lib.rs`, `Bash::mount()` and `BashTool::mount()`

Root Cause

```rust
// crates/bashkit-js/src/lib.rs
pub fn mount(&self, host_path: String, vfs_path: String, writable: Option<bool>) -> napi::Result<()> {
    // No validation of host_path
    // No check against an allowlist of safe paths
    // No warning for writable mounts
    let mode = if writable.unwrap_or(false) {
        bashkit::RealFsMode::ReadWrite
    } else {
        bashkit::RealFsMode::ReadOnly
    };
    let real_backend = bashkit::RealFs::new(&host_path, mode)...
}
```

Similarly in the TypeScript wrapper, the `mounts` option in `BashOptions` directly passes host paths:

```ts
mounts?: Array<{ path: string; root: string; writable?: boolean }>;
```

Steps to Reproduce

```js
import { Bash } from '@everruns/bashkit';

const bash = new Bash();

// Mount sensitive directories - no validation or warning
bash.mount('/', '/host', true);  // Full host access
bash.mount('/etc/shadow', '/shadow');  // Read shadow file
bash.mount(process.env.HOME + '/.ssh', '/ssh');  // Read SSH keys

const result = bash.executeSync('cat /ssh/id_rsa');
console.log(result.stdout);  // Private SSH key exposed
```

Impact

  • AI agent context: If an LLM can influence the `root` parameter of mount options (via prompt injection or tool argument manipulation), it could escape the VFS sandbox
  • Credential theft: Mounting `/.ssh`, `/.aws`, `~/.config` directories
  • Host compromise: Writable mounts allow modifying host files

Acceptance Criteria

  • Add optional mount path allowlist to `BashOptions` (e.g., `allowedMountPaths: string[]`)
  • Log a warning when writable mounts are created (both JS and Python bindings)
  • Document mount security implications prominently in README and API docs
  • Consider refusing to mount sensitive paths by default (`/etc`, `~/.ssh`, `/proc`, `/sys`)
  • Add same protections to Python bindings' mount API

Note

The Python bindings (`crates/bashkit-python/src/lib.rs`) have the same pattern with `mount()` and `RealMount` in constructor options.
