@Ashwinhegde19

Summary

Fixes #6527 - Plan Mode Security Bypass via Sub-Agent Spawning

When a parent session operates under Plan mode (edit="deny"), sub-agents spawned via the task tool could previously bypass these restrictions and gain full edit capabilities.

Changes

  • Added hasPlanRestrictions() function to detect Plan mode sessions
  • Added planPermissions() function returning permission rules that deny edit tools
  • Modified TaskTool to:
    • Force sub-agents to use the "plan" agent when parent has edit restrictions
    • Pass inherited permission rules to sub-agent sessions
    • Explicitly disable edit, write, patch, and multiedit tools

Security Impact

This closes a permission escalation vulnerability where spawning sub-agents via the task tool could circumvent intended read-only constraints in Plan mode.

Testing

Added 18 new tests covering:

  • Plan mode detection logic
  • Permission rule generation
  • Agent availability filtering
  • Permission evaluation
  • End-to-end security scenarios

All 770 tests pass.
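
The inheritance rule described in this PR, as an added sketch that is not the project's code. The rule model, the agent table and the names `spawnUnchecked`, `spawnInherited` and `enabledTools` are assumptions; `hasPlanRestrictions` and `planPermissions` borrow the PR's function names without reproducing their implementation.

```typescript
// Added illustration. The rule model below is an assumption, not opencode's implementation.
type Action = "allow" | "deny";
interface Rule { permission: string; action: Action }
interface Session { agent: string; rules: Rule[] }

const EDIT_TOOLS = ["edit", "write", "patch", "multiedit"];
const ALL_TOOLS = ["read", "grep", ...EDIT_TOOLS];

// Constructed agent table: "build" may edit, "plan" is read-only.
const AGENTS: Record<string, Rule[]> = {
  build: [{ permission: "edit", action: "allow" }],
  plan: [{ permission: "edit", action: "deny" }],
};

// Assumed evaluation order: last matching rule wins, no match fails closed.
function evaluate(rules: Rule[], permission: string): Action {
  let result: Action = "deny";
  for (const r of rules) if (r.permission === permission) result = r.action;
  return result;
}

function hasPlanRestrictions(s: Session): boolean {
  return evaluate(s.rules, "edit") === "deny";
}

function planPermissions(): Rule[] {
  return [{ permission: "edit", action: "deny" }];
}

// Pre-fix behaviour the PR describes: the parent's restrictions are ignored.
function spawnUnchecked(_parent: Session, requested: string): Session {
  return { agent: requested, rules: [...(AGENTS[requested] ?? [])] };
}

// Post-fix behaviour: force the "plan" agent and append deny rules last so they win.
function spawnInherited(parent: Session, requested: string): Session {
  if (!hasPlanRestrictions(parent)) return spawnUnchecked(parent, requested);
  return { agent: "plan", rules: [...(AGENTS["plan"] ?? []), ...planPermissions()] };
}

// Edit tools are listed only when the session's rules allow "edit".
function enabledTools(s: Session): string[] {
  const canEdit = evaluate(s.rules, "edit") === "allow";
  return ALL_TOOLS.filter((t) => canEdit || EDIT_TOOLS.indexOf(t) === -1);
}
```

A regression test for this class of bug compares the tool list of a child spawned from a restricted parent against the parent's own list, for every agent name the task tool accepts.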

google-labs-jules bot and others added 10 commits January 15, 2026 18:49
…ile.list

Resolves a critical vulnerability where symlinks could be used to access files outside the project directory.
Implemented `fs.promises.realpath` validation to ensure the actual target path is within the allowed scope.
Added regression test in `packages/opencode/test/security/symlink.test.ts`.
…ile.list

Resolves a critical vulnerability where symlinks could be used to access files outside the project directory.
Implemented `fs.promises.realpath` validation to ensure the actual target path is within the allowed scope.
Added regression test in `packages/opencode/test/security/symlink.test.ts`.

Fixes anomalyco#101
fix(security): prevent path traversal via symlinks
…lyco#4997)

- Fix Ctrl+C behavior on Windows: copies selection if present, otherwise clears/exits.
- Resolve Ctrl+A conflict: move `model_provider_list` to `ctrl+alt+m`.
- Fix Navigation: map `ctrl+n`/`ctrl+p` to move down/up and history next/prev.
- Fix Multiline: ensure `shift+return` is mapped to newline.
- Fix Word Navigation: ensure `ctrl+left`/`ctrl+right` are mapped.
- Fix Word Deletion: ensure `alt+d` and `option+delete` are mapped.
fix(tui): resolve keybind conflicts and missing defaults
@github-actions
Contributor

The following comment was made by an LLM, it may be inaccurate:

Potential Duplicate Found:

Ashwinhegde19 and others added 2 commits January 18, 2026 20:13
When a parent session operates under Plan mode (edit="deny"), sub-agents
spawned via the task tool could previously bypass these restrictions.

This fix ensures:
- Sub-agents inherit Plan mode restrictions from their parent session
- When parent has edit="deny", sub-agents are forced to use the "plan" agent
- Edit tools (edit, write, patch, multiedit) are explicitly disabled
- Inherited permission rules are passed to sub-agent sessions

Security: Closes a permission escalation vulnerability where task spawning
could circumvent intended read-only constraints.
@Ashwinhegde19 Ashwinhegde19 force-pushed the fix/plan-mode-subagent-bypass branch from 5b1fcdd to 24aa3f2 Compare January 18, 2026 14:47
@Ashwinhegde19
Author

Rebased and squashed to a single clean commit. The PR now contains only the security fix for #6527 with no unrelated merge commits.

Development

Successfully merging this pull request may close these issues.

[Security Issue/Bug] Plan mode restrictions bypassed when spawning sub-agents