janito 2.5.1__py3-none-any.whl → 2.6.0__py3-none-any.whl

janito/tools/adapters/local/validate_file_syntax/yaml_validator.py

@@ -1,6 +1,6 @@
-def validate_yaml(file_path: str) -> str:
+def validate_yaml(path: str) -> str:
     import yaml
 
-    with open(file_path, "r", encoding="utf-8") as f:
+    with open(path, "r", encoding="utf-8") as f:
         yaml.safe_load(f)
     return "✅ OK"

janito/tools/adapters/local/view_file.py

@@ -11,11 +11,11 @@ class ViewFileTool(ToolBase):
     Read lines from a file. You can specify a line range, or read the entire file by simply omitting the from_line and to_line parameters.
 
     Args:
-        file_path (str): Path to the file to read lines from.
+        path (str): Path to the file to read lines from.
         from_line (int, optional): Starting line number (1-based). Omit to start from the first line.
         to_line (int, optional): Ending line number (1-based). Omit to read to the end of the file.
 
-    To read the full file, just provide file_path and leave from_line and to_line unset.
+    To read the full file, just provide path and leave from_line and to_line unset.
 
     Returns:
         str: File content with a header indicating the file name and line range. Example:
@@ -28,19 +28,19 @@ class ViewFileTool(ToolBase):
     permissions = ToolPermissions(read=True)
     tool_name = "view_file"
 
-    def run(self, file_path: str, from_line: int = None, to_line: int = None) -> str:
+    def run(self, path: str, from_line: int = None, to_line: int = None) -> str:
         import os
         from janito.tools.tool_utils import display_path
 
-        disp_path = display_path(file_path)
+        disp_path = display_path(path)
         self.report_action(
             tr("📖 View '{disp_path}'", disp_path=disp_path),
             ReportAction.READ,
         )
         try:
-            if os.path.isdir(file_path):
-                return self._list_directory(file_path, disp_path)
-            lines = self._read_file_lines(file_path)
+            if os.path.isdir(path):
+                return self._list_directory(path, disp_path)
+            lines = self._read_file_lines(path)
             selected, selected_len, total_lines = self._select_lines(
                 lines, from_line, to_line
             )
@@ -56,16 +56,16 @@ class ViewFileTool(ToolBase):
             self.report_error(tr(" ❌ Error: {error}", error=e))
             return tr("Error reading file: {error}", error=e)
 
-    def _list_directory(self, file_path, disp_path):
+    def _list_directory(self, path, disp_path):
         import os
 
         try:
-            entries = os.listdir(file_path)
+            entries = os.listdir(path)
             entries.sort()
             # Suffix subdirectories with '/'
             formatted_entries = []
             for entry in entries:
-                full_path = os.path.join(file_path, entry)
+                full_path = os.path.join(path, entry)
                 if os.path.isdir(full_path):
                     formatted_entries.append(entry + "/")
                 else:
@@ -80,9 +80,9 @@ class ViewFileTool(ToolBase):
             self.report_error(tr(" ❌ Error listing directory: {error}", error=e))
             return tr("Error listing directory: {error}", error=e)
 
-    def _read_file_lines(self, file_path):
+    def _read_file_lines(self, path):
         """Read all lines from the file."""
-        with open(file_path, "r", encoding="utf-8", errors="replace") as f:
+        with open(path, "r", encoding="utf-8", errors="replace") as f:
             return f.readlines()
 
     def _select_lines(self, lines, from_line, to_line):

janito/tools/path_security.py

@@ -0,0 +1,204 @@
+"""janito.tools.path_security
+================================
+Utilities that ensure user-supplied file-system paths never escape the allowed
+workspace.
+
+Public interface
+----------------
+
+``is_path_within_workdir(path, workdir)``
+    Verify that *path* is located **inside** *workdir* (or equals it).  If
+    *workdir* is *None* every path is accepted.
+
+``validate_paths_in_arguments(arguments, workdir, *, schema=None)``
+    Inspect a mapping of arguments (typically the kwargs that will later be
+    passed to a tool adapter).  Any item whose key *looks* like it refers to a
+    path is validated with :func:`is_path_within_workdir`.  If a JSON Schema for
+    the tool is provided, the keys that explicitly represent paths are derived
+    from it.  Otherwise a simple heuristic based on the key name is used.
+
+Both helpers raise :class:`PathSecurityError` if a path tries to escape the
+workspace.
+"""
+from __future__ import annotations
+
+import os
+from typing import Any, Mapping
+
+__all__ = [
+    "PathSecurityError",
+    "is_path_within_workdir",
+    "validate_paths_in_arguments",
+]
+
+
+# ---------------------------------------------------------------------------
+# Exceptions
+# ---------------------------------------------------------------------------
+
+
+class PathSecurityError(Exception):
+    """Raised when an argument references a location outside the workspace."""
+
+
+# ---------------------------------------------------------------------------
+# Public helpers
+# ---------------------------------------------------------------------------
+
+
+def is_path_within_workdir(path: str, workdir: str | None) -> bool:  # noqa: D401 – we start with an imperative verb  # noqa: D401 – we start with an imperative verb
+    """Return *True* if *path* is located inside *workdir* (or equals it).
+
+    Relative *path*s are **resolved relative to the *workdir***, *not* to the
+    current working directory.  This behaviour makes the security checks
+    deterministic regardless of the directory from which the Python process was
+    started.
+
+    Implementation details
+    ----------------------
+    The function converts both *workdir* and *path* to absolute paths and then
+    uses :func:`os.path.commonpath` to determine the longest common sub-path.  A
+    path is considered *inside* the workspace when that common part equals the
+    workspace directory itself.
+    """
+    if not workdir:
+        # No workdir configured – everything is implicitly allowed.
+        return True
+
+    abs_workdir = os.path.abspath(workdir)
+
+    # Resolve *path* – if it is *relative* we interpret it **relative to the
+    # workspace** (and *not* to the current working directory!) so that a value
+    # like '.' always points inside the workspace.
+    if os.path.isabs(path):
+        abs_path = os.path.abspath(path)
+    else:
+        abs_path = os.path.abspath(os.path.join(abs_workdir, path))
+
+    try:
+        common_part = os.path.commonpath([abs_workdir, abs_path])
+    except ValueError:
+        # On Windows different drive letters cause ValueError → definitely
+        # outside the workspace.
+        return False
+
+    # Additionally allow files located inside the system temporary directory.
+    import tempfile
+    abs_tempdir = os.path.abspath(tempfile.gettempdir())
+    try:
+        common_temp = os.path.commonpath([abs_tempdir, abs_path])
+    except ValueError:
+        common_temp = None
+    if common_temp == abs_tempdir:
+        return True
+
+    return common_part == abs_workdir
+
+
+# ---------------------------------------------------------------------------
+# Helper for tool adapters
+# ---------------------------------------------------------------------------
+
+
+def _looks_like_path_key(key: str) -> bool:
+    """Return *True* when *key* likely refers to a file-system path."""
+    key_lower = key.lower()
+    if key_lower in {
+        "path",
+        "paths",
+        "filepath",
+        "file",
+        "filename",
+        "directory",
+        "directories",
+        "dir",
+        "dirs",
+        "target",
+        "targets",
+        "source",
+        "sources",
+    }:
+        return True
+
+    common_suffixes = ("path", "paths", "file", "dir", "dirs")
+    return key_lower.endswith(common_suffixes)
+
+
+def _extract_path_keys_from_schema(schema: Mapping[str, Any]) -> set[str]:
+    """Extract keys that represent paths from the provided JSON schema."""
+    path_keys: set[str] = set()
+    if schema is not None:
+        for k, v in schema.get("properties", {}).items():
+            if (
+                v.get("format") == "path"
+                or (
+                    v.get("type") == "string"
+                    and (
+                        "path" in v.get("description", "").lower()
+                        or k.endswith("path")
+                        or k == "path"
+                    )
+                )
+            ):
+                path_keys.add(k)
+    return path_keys
+
+def _validate_argument_value(key: str, value: Any, workdir: str) -> None:
+    """Validate a single argument value (string or list of strings) for path security."""
+    # Single string argument → validate directly.
+    if isinstance(value, str) and value.strip():
+        if not is_path_within_workdir(value, workdir):
+            _raise_outside_workspace_error(key, value, workdir)
+    # Sequence of potential paths → validate every item.
+    elif isinstance(value, list):
+        for item in value:
+            if isinstance(item, str) and item.strip():
+                if not is_path_within_workdir(item, workdir):
+                    _raise_outside_workspace_error(key, item, workdir)
+
+def validate_paths_in_arguments(
+    arguments: Mapping[str, Any] | None,
+    workdir: str | None,
+    *,
+    schema: Mapping[str, Any] | None = None,
+) -> None:
+    """Ensure every *path-looking* value in *arguments* is inside *workdir*.
+
+    The function walks through *arguments* and raises :class:`PathSecurityError`
+    if it finds a suspicious path that points outside the allowed workspace.
+
+    If *schema* is given it is expected to be the JSON Schema describing the
+    tool's arguments (as produced by ``janito.tools.inspect_registry``).  Keys
+    whose schema declares a ``"format": "path"`` or mentions "path" in the
+    description are treated as path parameters.  Without a schema the function
+    falls back to a simple heuristic based on the argument name.
+    """
+    if not workdir or not arguments:
+        return
+
+    path_keys = _extract_path_keys_from_schema(schema) if schema is not None else set()
+
+    for key, value in arguments.items():
+        key_is_path = key in path_keys or _looks_like_path_key(key)
+        if not key_is_path:
+            continue
+        _validate_argument_value(key, value, workdir)
+
+
+# ---------------------------------------------------------------------------
+# Internal helpers
+# ---------------------------------------------------------------------------
+
+
+def _raise_outside_workspace_error(key: str, path: str, workdir: str) -> None:  # noqa: D401
+    """Raise a consistent :class:`PathSecurityError` for *path*."""
+    abs_workdir = os.path.abspath(workdir)
+    attempted = (
+        os.path.abspath(path)
+        if os.path.isabs(path)
+        else os.path.abspath(os.path.join(abs_workdir, path))
+    )
+    raise PathSecurityError(
+        f"Argument '{key}' path '{path}' is not within allowed workdir '{workdir}' "
+        f"[attempted path: {attempted}]"
+    )

janito/tools/tool_use_tracker.py

@@ -22,10 +22,10 @@ class ToolUseTracker:
         return cls._instance
 
     def record(self, tool_name: str, params: Dict[str, Any], result: Any = None):
-        # Normalize file_path in params if present
+        # Normalize path in params if present
         norm_params = params.copy()
-        if "file_path" in norm_params:
-            norm_params["file_path"] = normalize_path(norm_params["file_path"])
+        if "path" in norm_params:
+            norm_params["path"] = normalize_path(norm_params["path"])
         self._history.append(
             {"tool": tool_name, "params": norm_params, "result": result}
         )
@@ -33,26 +33,26 @@ class ToolUseTracker:
     def get_history(self) -> List[Dict[str, Any]]:
         return list(self._history)
 
-    def get_operations_on_file(self, file_path: str) -> List[Dict[str, Any]]:
-        norm_file_path = normalize_path(file_path)
+    def get_operations_on_file(self, path: str) -> List[Dict[str, Any]]:
+        norm_path = normalize_path(path)
         ops = []
         for entry in self._history:
             params = entry["params"]
             # Normalize any string param values for comparison
             for v in params.values():
-                if isinstance(v, str) and normalize_path(v) == norm_file_path:
+                if isinstance(v, str) and normalize_path(v) == norm_path:
                     ops.append(entry)
                     break
         return ops
 
-    def file_fully_read(self, file_path: str) -> bool:
-        norm_file_path = normalize_path(file_path)
+    def file_fully_read(self, path: str) -> bool:
+        norm_path = normalize_path(path)
         for entry in self._history:
             if entry["tool"] == "view_file":
                 params = entry["params"]
                 if (
-                    "file_path" in params
-                    and normalize_path(params["file_path"]) == norm_file_path
+                    "path" in params
+                    and normalize_path(params["path"]) == norm_path
                 ):
                     # If both from_line and to_line are None, full file was read
                     if (
@@ -62,8 +62,8 @@ class ToolUseTracker:
                         return True
         return False
 
-    def last_operation_is_full_read_or_replace(self, file_path: str) -> bool:
-        ops = self.get_operations_on_file(file_path)
+    def last_operation_is_full_read_or_replace(self, path: str) -> bool:
+        ops = self.get_operations_on_file(path)
         if not ops:
             return False
         last = ops[-1]

janito/tools/tools_adapter.py

@@ -162,60 +162,92 @@ class ToolsAdapterBase:
         tool = self.get_tool(tool_name)
         self._ensure_tool_exists(tool, tool_name, request_id, arguments)
         func = self._get_tool_callable(tool)
-        # First, validate arguments against the callable signature to catch unexpected / missing params
+
+        validation_error = self._validate_tool_arguments(tool, func, arguments, tool_name, request_id)
+        if validation_error:
+            return validation_error
+
+        # --- SECURITY: Path restriction enforcement ---
+        if not getattr(self, 'unrestricted_paths', False):
+            workdir = getattr(self, 'workdir', None)
+            # Ensure workdir is always set; default to current working directory.
+            if not workdir:
+                import os
+                workdir = os.getcwd()
+            from janito.tools.path_security import validate_paths_in_arguments, PathSecurityError
+            schema = getattr(tool, 'schema', None)
+            try:
+                validate_paths_in_arguments(arguments, workdir, schema=schema)
+            except PathSecurityError as sec_err:
+                # Publish both a ToolCallError and a user-facing ReportEvent for path security errors
+                self._publish_tool_call_error(tool_name, request_id, str(sec_err), arguments)
+                if self._event_bus:
+                    from janito.report_events import ReportEvent, ReportSubtype, ReportAction
+                    self._event_bus.publish(
+                        ReportEvent(
+                            subtype=ReportSubtype.ERROR,
+                            message=f"[SECURITY] Path access denied: {sec_err}",
+                            action=ReportAction.EXECUTE,
+                            tool=tool_name,
+                            context={"arguments": arguments, "request_id": request_id}
+                        )
+                    )
+                return f"Security error: {sec_err}"
+        # --- END SECURITY ---
+
+        self._publish_tool_call_started(tool_name, request_id, arguments)
+        self._print_verbose(f"[tools-adapter] Executing tool: {tool_name} with arguments: {arguments}")
+        try:
+            result = self.execute(tool, **(arguments or {}), **kwargs)
+        except Exception as e:
+            self._handle_execution_error(tool_name, request_id, e, arguments)
+        self._print_verbose(f"[tools-adapter] Tool execution finished: {tool_name} -> {result}")
+        self._publish_tool_call_finished(tool_name, request_id, result)
+        return result
+
+    def _validate_tool_arguments(self, tool, func, arguments, tool_name, request_id):
         sig_error = self._validate_arguments_against_signature(func, arguments)
         if sig_error:
-            if self._event_bus:
-                self._event_bus.publish(
-                    ToolCallError(
-                        tool_name=tool_name,
-                        request_id=request_id,
-                        error=sig_error,
-                        arguments=arguments,
-                    )
-                )
+            self._publish_tool_call_error(tool_name, request_id, sig_error, arguments)
             return sig_error
-
-        # Optionally validate against JSON schema if available
         schema = getattr(tool, "schema", None)
         if schema and arguments is not None:
-            validation_error = self._validate_arguments_against_schema(
-                arguments, schema
-            )
+            validation_error = self._validate_arguments_against_schema(arguments, schema)
             if validation_error:
-                if self._event_bus:
-                    self._event_bus.publish(
-                        ToolCallError(
-                            tool_name=tool_name,
-                            request_id=request_id,
-                            error=validation_error,
-                            arguments=arguments,
-                        )
-                    )
+                self._publish_tool_call_error(tool_name, request_id, validation_error, arguments)
                 return validation_error
-        if self.verbose_tools:
-            print(
-                f"[tools-adapter] Executing tool: {tool_name} with arguments: {arguments}"
+        return None
+
+    def _publish_tool_call_error(self, tool_name, request_id, error, arguments):
+        if self._event_bus:
+            self._event_bus.publish(
+                ToolCallError(
+                    tool_name=tool_name,
+                    request_id=request_id,
+                    error=error,
+                    arguments=arguments,
+                )
             )
+
+    def _publish_tool_call_started(self, tool_name, request_id, arguments):
         if self._event_bus:
             self._event_bus.publish(
                 ToolCallStarted(
                     tool_name=tool_name, request_id=request_id, arguments=arguments
                 )
             )
-        try:
-            result = self.execute(tool, **(arguments or {}), **kwargs)
-        except Exception as e:
-            self._handle_execution_error(tool_name, request_id, e, arguments)
-        if self.verbose_tools:
-            print(f"[tools-adapter] Tool execution finished: {tool_name} -> {result}")
+
+    def _publish_tool_call_finished(self, tool_name, request_id, result):
         if self._event_bus:
             self._event_bus.publish(
                 ToolCallFinished(
                     tool_name=tool_name, request_id=request_id, result=result
                 )
             )
-        return result
+
+    def _print_verbose(self, message):
+        if self.verbose_tools:
+            print(message)
 
     def execute_function_call_message_part(self, function_call_message_part):
         """