From 94a54af09d48a2b45bca73714837981e0b68d626 Mon Sep 17 00:00:00 2001 From: Mackenzie Zastrow Date: Fri, 29 May 2026 16:20:38 -0400 Subject: [PATCH 1/2] docs: add security warnings to http_request and file_editor vended tools The Bash vended tool has an explicit security warning, but the http_request and file_editor tools were missing equivalent guidance despite also crossing important security boundaries. Add comparable warnings to their READMEs and the vended-tools documentation page. --- .../docs/user-guide/concepts/tools/vended-tools.mdx | 6 +++++- strands-ts/src/vended-tools/file-editor/README.md | 12 ++++++++++++ strands-ts/src/vended-tools/http-request/README.md | 11 +++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/site/src/content/docs/user-guide/concepts/tools/vended-tools.mdx b/site/src/content/docs/user-guide/concepts/tools/vended-tools.mdx index fd2e90346a..f27ec1a557 100644 --- a/site/src/content/docs/user-guide/concepts/tools/vended-tools.mdx +++ b/site/src/content/docs/user-guide/concepts/tools/vended-tools.mdx @@ -37,7 +37,7 @@ Gives your agent the ability to read and modify files on disk — useful for cod _Supported in: Node.js only._ :::caution[Security Warning] -This tool reads and writes files with the full permissions of the Node.js process. Only use with trusted input and consider running in a sandboxed environment for production. +This tool reads and writes files at arbitrary absolute paths with the full permissions of the Node.js process. Only use with trusted input and consider running in a sandboxed environment (containers, VMs) or implementing filesystem allowlists for production. ::: **Example:** 
@@ -57,6 +57,10 @@ Lets your agent call external APIs and fetch web content. Supports all HTTP meth _Supported in: Node.js 20+, modern browsers._ +:::caution[Security Warning] +This tool makes HTTP requests to arbitrary URLs without restrictions on destination. Only use with trusted input and consider implementing URL allowlists, blocking private network ranges, and running in sandboxed environments for production. +::: + **Example:** ```typescript --8<-- "user-guide/concepts/tools/vended-tools-imports.ts:http_request_import" diff --git a/strands-ts/src/vended-tools/file-editor/README.md b/strands-ts/src/vended-tools/file-editor/README.md index 52b4f8775b..df6ebc60df 100644 --- a/strands-ts/src/vended-tools/file-editor/README.md +++ b/strands-ts/src/vended-tools/file-editor/README.md @@ -2,6 +2,18 @@ A filesystem editor tool for viewing, creating, and editing files programmatically. Provides string replacement, line insertion, and directory viewing with security validation. +## ⚠️ Security Warning + +**This tool reads and writes files at arbitrary absolute paths without sandboxing or workspace restrictions.** + +- Only use with trusted input +- File operations execute with the full permissions of the Node.js process +- The tool does not restrict access to a project directory, workspace, or configured allowlist +- For production deployments, consider running in a sandboxed environment (containers, VMs, etc.) or implementing filesystem access controls +- Consider restricting writable paths to a specific workspace directory +- Never expose this tool to untrusted users or untrusted prompt input without additional security measures +- If agent tool calls may be influenced by external content (documents, web pages, user messages), implement path validation to prevent unintended file modifications + ## Features - **View files** with line numbers and optional line range support 
diff --git a/strands-ts/src/vended-tools/http-request/README.md b/strands-ts/src/vended-tools/http-request/README.md index f2bf6c91a2..f7f3fad5b8 100644 --- a/strands-ts/src/vended-tools/http-request/README.md +++ b/strands-ts/src/vended-tools/http-request/README.md @@ -2,6 +2,17 @@ A cross-platform HTTP request tool for making HTTP requests to external APIs from Strands agents. +## ⚠️ Security Warning + +**This tool makes HTTP requests to arbitrary URLs without restrictions on destination.** + +- Only use with trusted input +- Requests execute with the network access of the host process +- For production deployments, consider implementing URL allowlists to restrict accessible domains +- Consider blocking requests to localhost, private IP ranges (10.x, 172.16-31.x, 192.168.x), link-local addresses (169.254.x), and cloud metadata endpoints (e.g., 169.254.169.254) +- Never expose this tool to untrusted users or untrusted prompt input without additional security measures +- If agent tool calls may be influenced by external content (documents, web pages, user messages), implement URL validation to prevent SSRF-style attacks + ## Features - **All HTTP Methods**: Supports GET, POST, PUT, DELETE, PATCH, HEAD, and OPTIONS From e4a37facd0ff37d2a2c0d842e3936dbb6bb91d93 Mon Sep 17 00:00:00 2001 From: Mackenzie Zastrow Date: Fri, 29 May 2026 16:25:01 -0400 Subject: [PATCH 2/2] docs: simplify security warnings to recommend sandboxing only Remove references to allowlists, URL filtering, and path restrictions since the SDK does not provide those capabilities. Keep the guidance focused on sandboxing (containers, VMs) as the mitigation path. --- .../content/docs/user-guide/concepts/tools/vended-tools.mdx | 4 ++-- strands-ts/src/vended-tools/file-editor/README.md | 5 +---- strands-ts/src/vended-tools/http-request/README.md | 4 +--- 3 files changed, 4 insertions(+), 9 deletions(-) 
diff --git a/site/src/content/docs/user-guide/concepts/tools/vended-tools.mdx b/site/src/content/docs/user-guide/concepts/tools/vended-tools.mdx index f27ec1a557..89dbc86b8f 100644 --- a/site/src/content/docs/user-guide/concepts/tools/vended-tools.mdx +++ b/site/src/content/docs/user-guide/concepts/tools/vended-tools.mdx @@ -37,7 +37,7 @@ Gives your agent the ability to read and modify files on disk — useful for cod _Supported in: Node.js only._ :::caution[Security Warning] -This tool reads and writes files at arbitrary absolute paths with the full permissions of the Node.js process. Only use with trusted input and consider running in a sandboxed environment (containers, VMs) or implementing filesystem allowlists for production. +This tool reads and writes files at arbitrary absolute paths with the full permissions of the Node.js process. Only use with trusted input and consider running in a sandboxed environment (containers, VMs) for production. ::: **Example:** @@ -58,7 +58,7 @@ Lets your agent call external APIs and fetch web content. Supports all HTTP meth _Supported in: Node.js 20+, modern browsers._ :::caution[Security Warning] -This tool makes HTTP requests to arbitrary URLs without restrictions on destination. Only use with trusted input and consider implementing URL allowlists, blocking private network ranges, and running in sandboxed environments for production. +This tool makes HTTP requests to arbitrary URLs without restrictions on destination. Only use with trusted input and consider running in a sandboxed environment (containers, VMs) for production. ::: **Example:** diff --git a/strands-ts/src/vended-tools/file-editor/README.md b/strands-ts/src/vended-tools/file-editor/README.md index df6ebc60df..e61dc22b8a 100644 --- a/strands-ts/src/vended-tools/file-editor/README.md +++ b/strands-ts/src/vended-tools/file-editor/README.md 
@@ -8,11 +8,8 @@ A filesystem editor tool for viewing, creating, and editing files programmatical - Only use with trusted input - File operations execute with the full permissions of the Node.js process -- The tool does not restrict access to a project directory, workspace, or configured allowlist -- For production deployments, consider running in a sandboxed environment (containers, VMs, etc.) or implementing filesystem access controls -- Consider restricting writable paths to a specific workspace directory +- For production deployments, consider running in a sandboxed environment (containers, VMs, etc.) - Never expose this tool to untrusted users or untrusted prompt input without additional security measures -- If agent tool calls may be influenced by external content (documents, web pages, user messages), implement path validation to prevent unintended file modifications ## Features diff --git a/strands-ts/src/vended-tools/http-request/README.md b/strands-ts/src/vended-tools/http-request/README.md index f7f3fad5b8..45d6e444e7 100644 --- a/strands-ts/src/vended-tools/http-request/README.md +++ b/strands-ts/src/vended-tools/http-request/README.md 
@@ -8,10 +8,8 @@ A cross-platform HTTP request tool for making HTTP requests to external APIs fro - Only use with trusted input - Requests execute with the network access of the host process -- For production deployments, consider implementing URL allowlists to restrict accessible domains -- Consider blocking requests to localhost, private IP ranges (10.x, 172.16-31.x, 192.168.x), link-local addresses (169.254.x), and cloud metadata endpoints (e.g., 169.254.169.254) +- For production deployments, consider running in a sandboxed environment (containers, VMs, etc.) - Never expose this tool to untrusted users or untrusted prompt input without additional security measures -- If agent tool calls may be influenced by external content (documents, web pages, user messages), implement URL validation to prevent SSRF-style attacks ## Features
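Review bot: In the PATCH 1/2 hunk for strands-ts/src/vended-tools/http-request/README.md, the "Consider blocking requests to localhost, private IP ranges (10.x, 172.16-31.x, 192.168.x), link-local addresses (169.254.x), and cloud metadata endpoints (e.g., 169.254.169.254)" bullet lists only IPv4 literals; the tool is documented for Node.js 20+, which resolves IPv6 as well, so the list should at least mention the IPv6 loopback, unique-local and link-local ranges, and it should say that a hostname has to be resolved before the check and re-checked after a redirect, otherwise a reader will implement a string match on the URL and believe the private network is covered. If the bullet is kept in this form, a shorter wording such as "block destinations that resolve to loopback, private, link-local or cloud metadata addresses, including after redirects" conveys the requirement without the incomplete enumeration.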
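Review bot: In the PATCH 2/2 hunks for site/src/content/docs/user-guide/concepts/tools/vended-tools.mdx, the http_request caution now recommends only "running in a sandboxed environment (containers, VMs)", but the context line directly above reads "_Supported in: Node.js 20+, modern browsers._", and container or VM sandboxing is not a mitigation a browser deployment can apply; the caution should say which runtime the advice targets or give the browser case its own sentence. Separately, PATCH 2/2 rewrites both lines that PATCH 1/2 introduced in this file, so the series would be cleaner squashed into one commit that lands the final wording, rather than carrying guidance about allowlists that is removed in the next commit.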
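Review bot: In the PATCH 2/2 hunk for strands-ts/src/vended-tools/file-editor/README.md, dropping the bullet "If agent tool calls may be influenced by external content (documents, web pages, user messages), implement path validation to prevent unintended file modifications" removes the one sentence that explains how untrusted input reaches this tool in practice (prompt content steering the agent's tool calls); keep the scenario even if the "implement path validation" clause goes, for example "Tool calls can be steered by content the agent reads (documents, web pages, user messages); treat that content as untrusted input." The remaining bullet "For production deployments, consider running in a sandboxed environment (containers, VMs, etc.)" would also be more actionable if it said that the sandbox should mount only the intended workspace and run the Node.js process as a least-privileged user, since the stated risk is that operations execute "with the full permissions of the Node.js process". Finally, the hunk header context still describes the tool as providing "directory viewing with security validation", which now sits a few lines above a bold statement that there is no sandboxing or workspace restriction; the intro should say what that validation actually covers so the two statements do not read as contradictory.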
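Review bot: In the PATCH 2/2 hunk for strands-ts/src/vended-tools/http-request/README.md, replacing the private-range and cloud-metadata bullets with "For production deployments, consider running in a sandboxed environment (containers, VMs, etc.)" leaves the reader with a mitigation that does not address the removed risk: a container or VM by itself still has network egress to 169.254.169.254 and to the host's private network unless egress is restricted separately. The commit message's rationale, that the SDK does not provide allowlists or URL filtering, does not mean the caller cannot apply them before invoking the tool, so the README should keep a one-line statement that destination restrictions (egress policy in the sandbox, or URL validation by the caller) are the deployer's responsibility, and the "Never expose this tool to untrusted users or untrusted prompt input" bullet should retain the note that external content read by the agent counts as untrusted prompt input, which the deleted "SSRF-style attacks" bullet was the only place to say.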