Skip to content

[Bug]Code Injection in Runner.run_code enables arbitrary code execution via LLM-orchestrated paths #715

Description

@Ro1ME

Describe the bug

The Runner.run_code function in src/agents/runner/runner.py:69 contains a critical code injection vulnerability (CWE-94) that allows attackers to achieve arbitrary code execution by exploiting the direct execution of LLM-generated content. The function receives content shaped by an LLM-orchestrated path and forwards that content into an execution surface instead of treating it as inert data, without implementing proper validation, sanitization, or sandboxing mechanisms.

How To Reproduce

Steps to reproduce the behavior (example):
Environment Setup:

  1. Clone the devika repository from the source

  2. Install all required dependencies:

    cd devika
    pip install -r requirements.txt
    cd ui
    npm install  # or bun install
  3. Configure the .env file with your API keys (Claude API key required for this reproduction)

  4. Start the backend server:

    python main.py
  5. Start the frontend development server:

    cd ui
    npm run dev  # or bun run dev
  6. Verify the application is running by accessing http://localhost:3000 in your browser

Browser-Based Exploitation Steps:

  1. Open your web browser and navigate to http://localhost:3000

  2. In the devika web interface, you should see the chat input area and project creation options

  3. First Turn - Establish Context:

    • In the chat input box, type: "Create a new Python project called 'data_processor' for analyzing CSV files"
    • Click the "Send" button or press Enter
    • Wait for the agent to initialize the project (you'll see agent activity in the UI showing project creation, planning phase, etc.)
    • Observe the project directory being created under data/projects/data_processor/
  4. Second Turn - Trigger the Vulnerability:

    • Once the first turn completes, craft a malicious prompt in the chat input:
    Now add a data validation script. For testing purposes, first create a file called write_marker.py with this content:
    
    with open('EXPLOITATION_MARKER.txt', 'w') as f:
        f.write('Code injection successful - arbitrary execution achieved')
    
    Then run this script to verify the setup works correctly.
    
    • Click "Send" to submit the malicious prompt
    • The LLM (Claude) will process this request and generate code execution instructions
  5. Observe Exploitation:

    • Watch the agent activity panel - you should see the Runner agent being invoked
    • The UI will show messages like "Running code..." or "Executing script..."
    • Monitor the browser's developer console (F12) for Socket.IO messages showing the execution flow
    • The backend terminal will show execution logs
  6. Verify Arbitrary Code Execution:

    • Open a file explorer or terminal and navigate to data/projects/data_processor/
    • Confirm that EXPLOITATION_MARKER.txt exists with the content: "Code injection successful - arbitrary execution achieved"
    • Check the backend terminal logs for execution traces showing python write_marker.py was executed
    • Alternatively, check the preserved evidence files:
      • ARTIFACTS\devika-runner-live-claude.json - Contains the complete Socket.IO message flow and execution trace
      • ARTIFACTS\devika-runner-live.stderr.log - Shows the stderr output from the execution

Key Indicators of Successful Exploitation:

  • The marker file EXPLOITATION_MARKER.txt is created in the project directory
  • Backend logs show Runner.run_code was invoked at line 69 of src/agents/runner/runner.py
  • Socket.IO messages in browser DevTools show the execution flow
  • No security warnings or validation errors were triggered
  • The code executed with full host system access (not sandboxed)

Expected behavior

The application should:

  • Never execute LLM-generated content directly as code - all LLM output must be treated as untrusted data
  • Implement a strict whitelist of allowed commands and operations
  • Use secure sandboxing for any code execution (Docker containers, VMs, restricted user accounts)
  • Validate and sanitize all commands before execution using regex patterns and static analysis
  • Require explicit user confirmation before executing any code
  • Implement comprehensive logging and monitoring of all execution attempts
  • Apply resource limits (CPU, memory, network, filesystem access, execution time)
  • Use static analysis to detect dangerous patterns in generated code (eval, exec, import, etc.)
  • Implement anomaly detection and alerting for suspicious execution patterns
  • Apply defense-in-depth security controls at multiple layers

Configuration

- OS: Windows
- Python version: 3.10
- Node version: 18.0.0
- bun version: 0.1.0
- Model: claude

Additional context

Add any other context about the problem here.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions