agent-threat-rules 2.2.1 → 3.0.5

package/rules/privilege-escalation/ATR-2026-00546-crewai-json-loader-local-file-read.yaml

@@ -0,0 +1,162 @@
+title: "CrewAI JSON Loader Arbitrary Local File Read (CVE-2026-2285)"
+id: ATR-2026-00546
+rule_version: 1
+status: draft
+description: >
+  Detects CVE-2026-2285 (CVSS HIGH, CWE-22): CrewAI's JSON document loader
+  accepts a file path without sanitisation, allowing an agent or tool input
+  to traverse outside the intended data directory and read arbitrary local
+  files (e.g., /etc/passwd, ~/.ssh/id_rsa, .env secrets) by supplying a
+  path-traversal sequence in the loader argument.
+
+  The vulnerability is part of the CERT/CC VU#221883 advisory cluster
+  (four CrewAI CVEs, 2026-03-30). The JSON loader is invoked when CrewAI
+  processes RAG documents; a crafted document path causes the loader to
+  return the contents of an attacker-specified file, which the agent then
+  includes in its context and may exfiltrate via subsequent tool calls.
+
+  Detection covers:
+  (a) Path-traversal sequences in JSON loader file path arguments;
+  (b) Absolute paths to sensitive files (e.g., /etc/passwd, .env, .ssh);
+  (c) CrewAI document loader with directory traversal or sensitive-file targets;
+  (d) Explicit CVE-2026-2285 / CrewAI JSON loader file-read framing.
+author: "ATR Community"
+date: "2026/05/28"
+schema_version: "0.1"
+detection_tier: pattern
+maturity: draft
+severity: high
+
+references:
+  owasp_llm:
+    - "LLM06:2025 - Excessive Agency"
+    - "LLM05:2025 - Improper Output Handling"
+  owasp_agentic:
+    - "ASI03:2026 - Data Exfiltration"
+  mitre_atlas:
+    - "AML.T0043 - Craft Adversarial Data"
+  mitre_attack:
+    - "T1083 - File and Directory Discovery"
+    - "T1552 - Unsecured Credentials"
+  cve:
+    - "CVE-2026-2285"
+
+metadata_provenance:
+  mitre_atlas: human-reviewed
+  owasp_llm: human-reviewed
+  owasp_agentic: human-reviewed
+
+compliance:
+  eu_ai_act:
+    - article: "15"
+      context: >
+        CVE-2026-2285 allows arbitrary local file read via the CrewAI JSON
+        loader without path sanitisation; Article 15 cybersecurity requirements
+        mandate that AI agent document loaders canonicalise paths and restrict
+        access to the intended data directory.
+      strength: primary
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >
+        Path traversal in a document loader argument enabling sensitive file
+        read constitutes an adversarial input; MP.5.1 requires scanning
+        document loader path arguments for traversal sequences.
+      strength: primary
+  iso_42001:
+    - clause: "8.6"
+      context: >
+        Operational controls must detect and block document loader invocations
+        with path traversal sequences targeting sensitive files outside the
+        intended data scope.
+      strength: primary
+
+tags:
+  category: privilege-escalation
+  subcategory: path-traversal-file-read
+  scan_target: both
+  confidence: high
+  source: cve-disclosure
+  vendor_sources: crewai-vu221883
+
+agent_source:
+  type: llm_io
+  framework:
+    - crewai
+    - any
+  provider:
+    - any
+
+detection:
+  condition: any
+  false_positives:
+    - "Legitimate document loaders referencing known-good data directories — pattern requires traversal or sensitive-file targets."
+    - "Security advisory text quoting CVE-2026-2285 file paths."
+    - "References to /etc/ in system administration documentation without traversal context."
+  conditions:
+    - field: content
+      operator: regex
+      value: '(?i)(?:json[_-]?loader|load[_-]?json|JSONLoader|document[_-]?loader)[^\n]{0,200}(?:(?:\.\.\/|\.\.\\){2,}|(?:\/etc\/(?:passwd|shadow|hosts)|\/root\/|\/home\/[^/]+\/\.ssh|\.env|\.aws\/credentials|\.npmrc|id_rsa))'
+      description: >
+        JSON/document loader invocation with either a path-traversal sequence
+        (2+ levels up) or a known sensitive-file target — CVE-2026-2285
+        local file read via CrewAI document loader
+
+    - field: content
+      operator: regex
+      value: '(?i)(?:crewai|crew_ai|CrewAI)[^\n]{0,200}(?:json[_-]?loader|load[_-]?json|document[_-]?loader)[^\n]{0,200}(?:\.\.\/|\/etc\/|\.env|\.ssh|id_rsa|credentials)'
+      description: >
+        CrewAI combined with a document/JSON loader and a sensitive path
+        or traversal sequence — attack framing specific to CVE-2026-2285
+
+    - field: content
+      operator: regex
+      value: '(?i)(?:CVE-2026-2285|crewai[^\n]{0,80}(?:file[_\s-]?read|local[_\s-]?file|json[_\s-]?loader))[^\n]{0,200}(?:inject|read|exfil|bypass|traverse|sensitive|passwd|\.env|\.ssh)'
+      description: >
+        Explicit CVE-2026-2285 reference or CrewAI file-read framing combined
+        with exploitation language or sensitive file targets
+
+response:
+  actions:
+    - alert
+    - block_tool
+  message_template: >
+    [ATR-2026-00546] HIGH: CrewAI JSON loader with path traversal or
+    sensitive-file target detected (CVE-2026-2285, CWE-22). The CrewAI JSON
+    loader does not sanitise document paths, allowing traversal to read
+    arbitrary local files (/etc/passwd, .env, SSH keys). Block this loader
+    call; canonicalise document paths and restrict loader access to the
+    intended data directory. Part of VU#221883 advisory cluster — upgrade
+    CrewAI to the patched version.
+
+confidence: 80
+
+wild_fp_rate: 0
+
+test_cases:
+  true_positives:
+    - input: "JSONLoader('../../../../etc/passwd')"
+      expected: triggered
+      description: "JSON loader with path traversal to /etc/passwd"
+    - input: "document_loader path: ../../../.env"
+      expected: triggered
+      description: "Document loader with traversal to .env secrets file"
+    - input: "crewai json_loader ../../.ssh/id_rsa exfil CVE-2026-2285"
+      expected: triggered
+      description: "CrewAI JSON loader + SSH key + CVE reference"
+    - input: "JSONLoader('/root/.aws/credentials')"
+      expected: triggered
+      description: "JSON loader with absolute path to AWS credentials"
+    - input: "CVE-2026-2285: CrewAI JSON loader reads /etc/passwd via unsanitised path"
+      expected: triggered
+      description: "CVE-2026-2285 exploitation framing with sensitive file target"
+
+  true_negatives:
+    - input: "JSONLoader('/data/documents/report.json')"
+      expected: not_triggered
+      description: "Legitimate JSON loader with a safe absolute data path"
+    - input: "crewai loads documents from the /tmp/uploads/ directory"
+      expected: not_triggered
+      description: "Normal CrewAI document directory reference — no traversal"
+    - input: "Upgrade CrewAI to fix CVE-2026-2285"
+      expected: not_triggered
+      description: "Mitigation advisory without exploit content"

package/rules/privilege-escalation/ATR-2026-00547-crewai-rag-url-ssrf-bypass.yaml

@@ -0,0 +1,167 @@
+title: "CrewAI RAG URL Validation Bypass SSRF (CVE-2026-2286)"
+id: ATR-2026-00547
+rule_version: 1
+status: draft
+description: >
+  Detects CVE-2026-2286 (CVSS HIGH, CWE-918): CrewAI's RAG (retrieval-augmented
+  generation) URL validator can be bypassed by URL encoding, mixed-case,
+  or alternative representations (decimal IP, hex IP, IPv6 loopback, DNS
+  rebinding shapes) to perform server-side request forgery against internal
+  services on the CrewAI host network.
+
+  The vulnerability is part of the CERT/CC VU#221883 advisory cluster
+  (four CrewAI CVEs, 2026-03-30). An agent or tool input that passes a
+  crafted RAG source URL causes CrewAI to make internal HTTP requests to
+  metadata services (e.g., AWS IMDS 169.254.169.254), internal APIs, or
+  services on private RFC-1918 ranges — enabling cloud credential theft,
+  internal service enumeration, or lateral movement.
+
+  Detection covers:
+  (a) RAG source URLs containing SSRF bypass representations of loopback /
+      link-local / private IP ranges;
+  (b) URL-encoded, hex, octal, or decimal IP representations of internal
+      addresses in RAG contexts;
+  (c) CrewAI RAG with cloud metadata endpoint patterns (169.254.169.254);
+  (d) Explicit CVE-2026-2286 / CrewAI SSRF framing.
+author: "ATR Community"
+date: "2026/05/28"
+schema_version: "0.1"
+detection_tier: pattern
+maturity: draft
+severity: high
+
+references:
+  owasp_llm:
+    - "LLM06:2025 - Excessive Agency"
+  owasp_agentic:
+    - "ASI03:2026 - Data Exfiltration"
+    - "ASI05:2026 - Unexpected Code Execution"
+  mitre_atlas:
+    - "AML.T0043 - Craft Adversarial Data"
+  mitre_attack:
+    - "T1090 - Proxy"
+    - "T1552.005 - Cloud Instance Metadata API"
+  cve:
+    - "CVE-2026-2286"
+
+metadata_provenance:
+  mitre_atlas: human-reviewed
+  owasp_llm: human-reviewed
+  owasp_agentic: human-reviewed
+
+compliance:
+  eu_ai_act:
+    - article: "15"
+      context: >
+        CVE-2026-2286 allows bypassing CrewAI RAG URL validation to perform
+        SSRF against internal services and cloud metadata APIs; Article 15
+        cybersecurity requirements mandate robust URL validation that blocks
+        all representations of internal addresses.
+      strength: primary
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >
+        SSRF bypass via crafted RAG URLs targeting cloud metadata or internal
+        services constitutes an adversarial input; MP.5.1 requires scanning
+        RAG source URLs for SSRF bypass patterns.
+      strength: primary
+  iso_42001:
+    - clause: "8.6"
+      context: >
+        Operational controls must detect and block RAG URL inputs containing
+        SSRF bypass representations of internal or link-local addresses.
+      strength: primary
+
+tags:
+  category: privilege-escalation
+  subcategory: ssrf-rag-url-bypass
+  scan_target: both
+  confidence: high
+  source: cve-disclosure
+  vendor_sources: crewai-vu221883
+
+agent_source:
+  type: llm_io
+  framework:
+    - crewai
+    - any
+  provider:
+    - any
+
+detection:
+  condition: any
+  false_positives:
+    - "Security research tools probing SSRF bypass patterns for testing — rule fires by design."
+    - "Security advisory text quoting CVE-2026-2286 SSRF payloads."
+    - "Legitimate document URLs that contain the string '169' or '127' in path components — evaluate context."
+  conditions:
+    - field: content
+      operator: regex
+      value: '(?i)(?:rag|retrieval[_-]?augmented|source[_-]?url|document[_-]?url)[^\n]{0,200}(?:169\.254\.169\.254|fd00:|2130706433|0x7f000001|0177\.0\.0\.1|localhost|127\.0\.[01]\.[01]|::1|0\.0\.0\.0|[a-z0-9-]+\.internal\.|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})'
+      description: >
+        RAG source URL containing cloud metadata endpoint (169.254.169.254),
+        decimal/hex/octal loopback representations, IPv6 loopback, or private
+        RFC-1918 address ranges — SSRF bypass attempt via CVE-2026-2286
+
+    - field: content
+      operator: regex
+      value: '(?i)(?:rag|retrieval[_-]?augmented|source[_-]?url|document[_-]?url)[^\n]{0,200}(?:%31%36%39|%31%32%37|\\u0031|%2e%2e|\\x31\\x36\\x39|0x[aAbBcC][0-9a-fA-F]{6})'
+      description: >
+        RAG URL with URL-encoded, Unicode-escaped, or hex representations
+        of SSRF-relevant IP octets — URL encoding bypass pattern
+
+    - field: content
+      operator: regex
+      value: '(?i)(?:CVE-2026-2286|crewai[^\n]{0,80}(?:ssrf|rag[_\s-]?url|url[_\s-]?bypass|metadata))[^\n]{0,200}(?:inject|bypass|exfil|metadata|169\.254|internal|private[_\s-]?ip)'
+      description: >
+        Explicit CVE-2026-2286 reference or CrewAI SSRF framing combined
+        with exploitation language or internal IP patterns
+
+response:
+  actions:
+    - alert
+    - block_tool
+  message_template: >
+    [ATR-2026-00547] HIGH: CrewAI RAG URL with SSRF bypass pattern detected
+    (CVE-2026-2286, CWE-918). CrewAI's RAG URL validator can be bypassed
+    by encoded or alternative representations of internal/metadata addresses,
+    enabling SSRF against cloud metadata services (169.254.169.254) or
+    internal APIs. Block this URL; enforce a server-side URL allowlist that
+    resolves to canonical form before validation. Part of VU#221883 —
+    upgrade CrewAI to the patched version.
+
+confidence: 82
+
+wild_fp_rate: 0
+
+test_cases:
+  true_positives:
+    - input: "rag_source_url: http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+      expected: triggered
+      description: "RAG URL targeting AWS IMDS cloud metadata endpoint"
+    - input: "document_url=http://127.0.0.1:8080/internal-api/admin"
+      expected: triggered
+      description: "RAG URL targeting localhost internal API"
+    - input: "source_url: http://2130706433/  # decimal representation of 127.0.0.1"
+      expected: triggered
+      description: "Decimal IP SSRF bypass for loopback"
+    - input: "rag url http://0x7f000001/ bypass CVE-2026-2286"
+      expected: triggered
+      description: "Hex IP SSRF bypass with CVE reference"
+    - input: "CVE-2026-2286: CrewAI RAG URL validation bypass allows SSRF via encoded internal addresses"
+      expected: triggered
+      description: "CVE-2026-2286 exploitation framing"
+    - input: "retrieval_augmented url: http://192.168.1.1/router/config"
+      expected: triggered
+      description: "RAG URL targeting RFC-1918 private network address"
+
+  true_negatives:
+    - input: "rag_source_url: https://docs.example.com/api-reference.json"
+      expected: not_triggered
+      description: "Legitimate RAG URL with external public domain"
+    - input: "crewai retrieves documents from https://arxiv.org/abs/2312.12345"
+      expected: not_triggered
+      description: "Normal CrewAI RAG with public research paper URL"
+    - input: "Upgrade CrewAI to fix CVE-2026-2286"
+      expected: not_triggered
+      description: "Mitigation advisory without exploit content"

package/rules/privilege-escalation/ATR-2026-00549-destructive-tool-without-human-approval.yaml

@@ -0,0 +1,193 @@
+title: "Destructive tool invocation without prior human approval"
+id: ATR-2026-00549
+rule_version: 1
+status: draft
+description: >
+  Detects a destructive tool call in an agent execution trace that is NOT
+  preceded by an explicit human-approval span. This is a trace-method rule
+  using the `require` primitive (spec/atr-method-v1.1.md §8.3.2), which
+  fires when an expected predecessor is MISSING — the canonical mechanism
+  for catching silent failures.
+
+  Threat model: many agent frameworks let operators classify tool calls by
+  privilege (read / write / destructive). Production policy says destructive
+  calls (e.g., file deletion, transaction commit, schema migration) MUST be
+  gated by a human-in-the-loop approval. In practice, prompt-injection
+  attacks or runaway agents bypass this gate by inducing the LLM to issue
+  a destructive call directly without surfacing it for approval. The trace
+  emits the destructive TOOL span without an AGENT span carrying
+  attributes.human_approval=true at any earlier point in the same trace.
+
+  No error is thrown. The action succeeds. The trace looks "normal" if you
+  only inspect tool inputs/outputs. The rule fires by detecting the
+  absence of the required predecessor — the trace-method capability that
+  pattern-based detection cannot express.
+author: "ATR Community"
+date: "2026/05/28"
+schema_version: "1.0"
+maturity: draft
+severity: critical
+
+references:
+  owasp_agentic:
+    - "ASI04:2026 - Unauthorized Resource Access"
+    - "ASI05:2026 - Unexpected Code Execution"
+  owasp_llm:
+    - "LLM06:2025 - Excessive Agency"
+  mitre_atlas:
+    - "AML.T0053 - LLM Plugin Compromise"
+  research:
+    - "TraceAegis: Behavioral Constraints over Agent Execution Traces (arXiv:2510.11203)"
+    - "AgentArmor: Type-System for Agent Trace Analysis (arXiv:2508.01249)"
+    - "Anthropic Computer Use threat model (Build 2024)"
+
+compliance:
+  nist_csf:
+    - "PR.AC-04"
+    - "PR.IR-01"
+  etsi_ts_104223:
+    - "P5.2"
+  eu_ai_act:
+    - article: "14"
+      context: >
+        Human oversight — destructive actions must be subject to human
+        review per Article 14. Trace evidence of skipped approval is a
+        direct violation.
+      strength: primary
+  nist_ai_rmf:
+    - subcategory: "MG.4.1"
+      context: >
+        Risk management governance — destructive autonomous actions
+        without approval are unmitigated risks; trace evidence is
+        normative for assessment.
+      strength: primary
+
+tags:
+  category: privilege-escalation
+  subcategory: missing-human-approval
+  scan_target: runtime
+  confidence: high
+  source: trace-rule
+
+agent_source:
+  type: agent_trace
+  framework:
+    - any
+  provider:
+    - any
+
+detection:
+  method: trace
+  condition: any
+  conditions:
+    - field: trace.require_violation
+      operator: regex
+      value: "(?i)require_violation:destructive_tool_without_approval"
+      description: >
+        Engine emits this synthetic field when the require primitive
+        fires; trace-native engines evaluate detection.trace below.
+  trace:
+    ingest_format: openinference
+    require:
+      - target_shape:
+          span.kind: "TOOL"
+          attributes:
+            tool.privilege: "destructive"
+        must_be_preceded_by:
+          # Match any of the canonical approval signals. Frameworks vary:
+          # LangChain HITL emits span.kind: "HUMAN"; AutoGen sets
+          # attributes.human_approval=true on AGENT spans; some emit
+          # attributes.operator_approved or attributes.confirmed_by_user.
+          # An approval is recognized if EITHER the span kind is HUMAN OR
+          # any of the canonical approval attributes is truthy.
+          one_of_shapes:
+            - span.kind: "HUMAN"
+            - span.kind: "AGENT"
+              attributes:
+                human_approval: true
+            - span.kind: "AGENT"
+              attributes:
+                operator_approved: true
+            - span.kind: "AGENT"
+              attributes:
+                approval_granted: true
+            - span.kind: "AGENT"
+              attributes:
+                confirmed_by_user: true
+          within_trace: true
+        description: >
+          Every destructive TOOL span MUST have at least one preceding
+          approval span anywhere earlier in the same trace. Recognized
+          forms: dedicated HUMAN span kind (OpenInference), or AGENT
+          span carrying any canonical approval attribute. The
+          `one_of_shapes` matcher is normative per atr-method-v1.1.md
+          §8.3 (extends `must_be_preceded_by` to accept a disjunction).
+
+response:
+  actions:
+    - block_tool
+    - alert
+    - escalate
+  message_template: >
+    [ATR-2026-00549] CRITICAL: Destructive tool call without human approval
+    detected. Tool {{trace.matched_span.attributes.tool.name}} ran at span
+    {{trace.matched_span.id}} with privilege=destructive but no preceding
+    AGENT span carried human_approval=true. Block this tool call, require
+    operator review, and audit policy on the calling agent.
+
+confidence: 90
+
+wild_fp_rate: 0
+
+test_cases:
+  true_positives:
+    - input: |
+        {"spans":[{"id":"a1","kind":"AGENT","attributes":{"agent.name":"orchestrator"}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"db.drop_table","tool.privilege":"destructive"}}]}
+      expected: triggered
+      description: "Destructive tool runs without any preceding human approval"
+    - input: |
+        {"spans":[{"id":"a1","kind":"AGENT","attributes":{"agent.name":"orchestrator","human_approval":false}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"file.delete","tool.privilege":"destructive"}}]}
+      expected: triggered
+      description: "AGENT span explicitly sets human_approval=false; destructive tool follows"
+    - input: |
+        {"spans":[{"id":"r1","kind":"RETRIEVER","attributes":{"source":"untrusted"}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"git.force_push","tool.privilege":"destructive"}}]}
+      expected: triggered
+      description: "Destructive tool preceded only by untrusted retrieval (no approval span)"
+    - input: |
+        {"spans":[{"id":"a1","kind":"AGENT","attributes":{"agent.name":"planner"}},{"id":"a2","kind":"AGENT","attributes":{"agent.name":"executor"}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"k8s.delete_namespace","tool.privilege":"destructive"}}]}
+      expected: triggered
+      description: "Two AGENT spans without any setting human_approval=true; destructive tool fires"
+    - input: |
+        {"spans":[{"id":"a1","kind":"AGENT","attributes":{"agent.name":"sub_orchestrator","human_approval_status":"approved"}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"prod.deploy","tool.privilege":"destructive"}}]}
+      expected: triggered
+      description: "Non-canonical approval attribute name (human_approval_status string instead of human_approval boolean) — not recognized, rule fires correctly. Documents the limitation that approval-signal vocabulary is not standardized across frameworks."
+
+  true_negatives:
+    - input: |
+        {"spans":[{"id":"a1","kind":"AGENT","attributes":{"agent.name":"approver","human_approval":true}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"file.read","tool.privilege":"read"}},{"id":"t2","kind":"TOOL","attributes":{"tool.name":"db.truncate","tool.privilege":"destructive"}}]}
+      expected: not_triggered
+      description: "Approval span IS present before destructive tool — no violation"
+    - input: |
+        {"spans":[{"id":"a1","kind":"AGENT","attributes":{"agent.name":"executor","human_approval":true}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"db.drop_table","tool.privilege":"destructive"}}]}
+      expected: not_triggered
+      description: "human_approval=true on preceding AGENT span — invariant satisfied"
+    - input: |
+        {"spans":[{"id":"a1","kind":"AGENT","attributes":{"agent.name":"reader"}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"file.read","tool.privilege":"read"}}]}
+      expected: not_triggered
+      description: "Tool privilege is read, not destructive — rule does not apply"
+    - input: |
+        {"spans":[{"id":"a1","kind":"AGENT","attributes":{"agent.name":"plan"}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"file.write","tool.privilege":"write"}}]}
+      expected: not_triggered
+      description: "write privilege (not destructive) — rule does not apply"
+    - input: |
+        {"spans":[{"id":"a1","kind":"AGENT","attributes":{"agent.name":"thinker"}}]}
+      expected: not_triggered
+      description: "No TOOL span at all — nothing to check"
+    - input: |
+        {"spans":[{"id":"a1","kind":"AGENT","attributes":{"human_approval":true}},{"id":"a2","kind":"AGENT","attributes":{"agent.name":"executor"}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"db.drop_index","tool.privilege":"destructive"}},{"id":"t2","kind":"TOOL","attributes":{"tool.name":"db.drop_index","tool.privilege":"destructive"}}]}
+      expected: not_triggered
+      description: "Approval covers all subsequent destructive spans within the trace"
+    - input: |
+        {"spans":[{"id":"h1","kind":"HUMAN","attributes":{"action":"approved"}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"db.drop_table","tool.privilege":"destructive"}}]}
+      expected: not_triggered
+      description: "Dedicated HUMAN span kind (LangChain HITL convention) — one_of_shapes branch matches, rule does not fire"