Lack of Input Validation in agent_registry.py #766

Open
wants to merge 5 commits into
base: master

@nathanogaga118 commented Jan 28, 2025

Vulnerable File: agent_registry.py

Vulnerable Function:

https://github.com/kyegomez/swarms/blob/master/swarms/structs/agent_registry.py

```python
def add(self, agent: Agent) -> None:
    """
    Adds a new agent to the registry.

    Args:
        agent (Agent): The agent to add.

    Raises:
        ValueError: If the agent_name already exists in the registry.
        ValidationError: If the input data is invalid.
    """
    name = agent.agent_name  # No validation for agent_name

    self.agent_to_py_model(agent)

    with self.lock:
        if name in self.agents:
            logger.error(
                f"Agent with name {name} already exists."
            )
            raise ValueError(
                f"Agent with name {name} already exists."
            )
        try:
            self.agents[name] = agent
            logger.info(f"Agent {name} added successfully.")
        except ValidationError as e:
            logger.error(f"Validation error: {e}")
            raise
```

Description:

The add function in agent_registry.py lacks proper input validation for the agent_name. The function assumes that agent_name is valid and does not check for conditions such as being None, empty, or non-string. This oversight can lead to unexpected behavior, data corruption, and potential security vulnerabilities.

Impact:

Unexpected Behavior: Without validation, the system may accept invalid agent names, leading to errors when attempting to retrieve, update, or delete agents.

Data Corruption: Invalid entries could corrupt the registry, affecting other operations and leading to inconsistent states.

Security Risks: If the system is exposed to user inputs, attackers might exploit this lack of validation to inject harmful data or cause denial of service.

Severity: high-medium

It can cause significant operational issues.

Proof of Concept (PoC):

```python
from swarms.structs.agent_registry import AgentRegistry


# Mock Agent class for demonstration
class Agent:
    def __init__(self, agent_name, description=None):
        self.agent_name = agent_name
        self.description = description

    def to_dict(self):
        return {"agent_name": self.agent_name, "description": self.description}


# Initialize the registry
registry = AgentRegistry()

# Malicious or malformed input
malformed_agent_name = None  # Invalid agent name
malformed_agent = Agent(agent_name=malformed_agent_name)

# Attempt to add the malformed agent
try:
    registry.add(malformed_agent)
except ValueError as e:
    print(f"Caught ValueError: {e}")
except Exception as e:
    print(f"Caught unexpected exception: {e}")
```

Steps to Reproduce:

Create an instance of the AgentRegistry class.

Define an agent with a malformed agent_name (e.g., None).

Attempt to add the agent to the registry using the add function.

Observe the lack of validation leading to unexpected behavior or errors.

Recommended Fix:

Implement input validation in the add function to ensure that agent_name is a valid, non-empty string before proceeding with the addition.

Fixed Code:

```python
def add(self, agent: Agent) -> None:
    """
    Adds a new agent to the registry.

    Args:
        agent (Agent): The agent to add.

    Raises:
        ValueError: If the agent_name already exists in the registry or is invalid.
        ValidationError: If the input data is invalid.
    """
    name = agent.agent_name

    # Input validation for agent_name
    if not name or not isinstance(name, str):
        logger.error("Invalid agent name provided.")
        raise ValueError("Invalid agent name provided.")

    self.agent_to_py_model(agent)

    with self.lock:
        if name in self.agents:
            logger.error(
                f"Agent with name {name} already exists."
            )
            raise ValueError(
                f"Agent with name {name} already exists."
            )
        try:
            self.agents[name] = agent
            logger.info(f"Agent {name} added successfully.")
        except ValidationError as e:
            logger.error(f"Validation error: {e}")
            raise
```

Explanation of Fix:

Input Validation: Added a check to ensure that agent_name is a non-empty string. This prevents invalid names from being processed, reducing the risk of unexpected behavior or data corruption.


📚 Documentation preview 📚: https://swarms--766.org.readthedocs.build/en/766/
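
An added example, not code from this pull request or from the swarms project: a reduced stand-in registry that runs the proposed `not name or not isinstance(name, str)` check against the input kinds the description lists, next to the unchecked behaviour. `MiniRegistry`, the stand-in `Agent` and the sample names are constructed for illustration; the real `add` also calls `agent_to_py_model`, which is not modelled here.

```python
import threading


class Agent:
    """Constructed stand-in for the project's Agent; only agent_name matters."""
    def __init__(self, agent_name):
        self.agent_name = agent_name


class MiniRegistry:
    """Hypothetical reduced registry: a dict guarded by a lock, as in the PR."""
    def __init__(self, validate):
        self.agents = {}
        self.lock = threading.Lock()
        self.validate = validate

    def add(self, agent):
        name = agent.agent_name
        # The check proposed in the PR, applied only when validate=True.
        if self.validate and (not name or not isinstance(name, str)):
            raise ValueError("Invalid agent name provided.")
        with self.lock:
            if name in self.agents:
                raise ValueError(f"Agent with name {name} already exists.")
            self.agents[name] = agent


# Constructed sample names: None, empty, non-string, unhashable,
# whitespace-only, and one ordinary name.
SAMPLES = [None, "", 0, 123, ["a"], "   ", "worker-1"]


def accepted_names(validate):
    """Return the sample names the registry stores without raising."""
    registry = MiniRegistry(validate)
    stored = []
    for name in SAMPLES:
        try:
            registry.add(Agent(name))
            stored.append(name)
        except (ValueError, TypeError):
            # TypeError: an unhashable name (a list) fails the dict lookup.
            pass
    return stored


if __name__ == "__main__":
    print("no check:  ", accepted_names(validate=False))
    print("PR's check:", accepted_names(validate=True))
```

Without the check, `None`, `""`, `0` and `123` are all stored as dictionary keys without any error; with it, only strings get through, but the whitespace-only name `"   "` is still accepted because it is a truthy `str`.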

@nathanogaga118
Author

FzHhSiLUXrNsAg1uFrkXhaDYiMsvaF7ih38yUX4y1gzJ

Swarms Solana wallet address
