Proposal (re security): Require manual approval to access files outside of project directory and other sensitive files #1063
Replies: 4 comments 2 replies
-
Adding to this, it is pretty common to have a .env in the project structure, and the model shouldn't be allowed to read it. I would add another option such as "Require manual approval for access to git-ignored files". Buuut, I think it's better to have the safest configuration as the default, so I would change your proposal to the opposite:
[x] Auto-Approve read-only operations
[x] Auto-Approve write operations
-
Or potentially we could just have one additional checkbox somewhere in settings to allow auto-approving access to files outside of the workspace, defaulting to off? I think we could reuse some of the rooignore infrastructure for these checks.
-
Could we please enable configurable allowlists of directories that are automatically approved for read? I really enjoy the comfort of explicitly configuring Roo to never read sensitive things outside the workspace, but I would love to be able to let it auto-approve reading harmless things from outside the workspace, e.g. other sources in Another example of a helpful allowlisted location would be caches, e.g.
-
I think this can be closed, right?
-
Currently the auto-approval options for file access essentially grant access to read and write any file on our computers and attached network drives. You can test this by asking the AI to read a file elsewhere on your disk; while it may initially think it is not able to, it definitely is.
So activating auto-approval requires a tremendous amount of trust, not only in the extension but, more importantly, in various cloud-hosted LLMs with their own potential quirks and vulnerabilities.
I believe one of the goals of the project is to be able to sit back and let the agent(s) do the work, watching them search, read files, make changes, hand off control between each other, etc. It's a fantastic vision. But it doesn't really work smoothly if we have to click to approve each file access.
So I am proposing new sub-options under the "Auto-Approve Settings" panel, like here (the
...
lines are the new sub-options):
These would appear when the respective option was selected, and would ideally default to checked (requiring manual approval).
This would allow many more users in more sensitive environments to use these tools and new models with comfort and confidence, and hopefully be easy and self-explanatory.
There may be better ways of exposing this, there may be edge cases (e.g. it could still run a command that reads an outside file), maybe this should be an option elsewhere not even related to auto-approval, or maybe something like this already exists... I'm posting this to open the discussion.
--
(Side note: A possible hacky workaround I rejected was related to the "Edit Files" tool's support for manually setting a fileRegex which controls which files it has access to. But this is a bit awkward and more suited to specifying "Markdown files only" or "CSS files only", etc. It shouldn't be hijacked for security purposes. Plus the other tools, including "Read Files", don't even have this fileRegex mode support.)
P.S. Just started using Roo and it's fantastic so far!
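The three ideas in this thread (require approval outside the workspace, always require approval for secrets such as .env, and a read-only allowlist of outside directories) can be expressed as one policy check. The following TypeScript is an added example written for this page; it is not Roo Code's code and not the proposed settings UI. The `FilePolicy` shape, the `classify`/`isInside` names, the default sensitive-file patterns, the sample workspace paths and the fake symlink map are all assumptions made for illustration. It demonstrates the two mistakes such a check must avoid: prefix-matching paths as strings (which makes `/home/dev/proj2` look like part of `/home/dev/proj`) and judging a path by where it sits rather than where it resolves (a symlink planted inside the workspace).

```typescript
// Added example, not Roo Code's own implementation: a policy gate that decides
// whether an agent's file-access request may be auto-approved or must be shown
// to the user. Policy shape, defaults and sample paths are assumptions.
import * as path from "path";

export type Access = "read" | "write";
export interface Decision { approve: "auto" | "manual"; reason: string }

export interface FilePolicy {
  workspace: string;            // project root the agent may roam freely
  readAllowlist?: string[];     // outside directories that reads may also touch
  sensitivePatterns?: RegExp[]; // paths that always need a human, even inside the workspace
  autoApproveReads?: boolean;   // the existing "Auto-Approve read-only operations" flag
  autoApproveWrites?: boolean;  // the existing "Auto-Approve write operations" flag
}

// Assumed defaults: secret-bearing files commonly found in or near a repo.
// A real extension would also feed this list from .gitignore / .rooignore.
export const DEFAULT_SENSITIVE: RegExp[] = [
  /(^|[\\/])\.env(\.[^\\/]*)?$/,            // .env, .env.local, .env.production
  /(^|[\\/])\.git[\\/]/,                    // anything under .git/
  /(^|[\\/])id_(rsa|ecdsa|ed25519)(\.pub)?$/, // SSH keys
];

// True when `candidate` is `dir` itself or lies beneath it. path.relative is used
// instead of String.startsWith so that /home/u/proj2 is not mistaken for a child
// of /home/u/proj, while a directory literally named "..foo" is still accepted.
export function isInside(dir: string, candidate: string): boolean {
  const rel = path.relative(path.resolve(dir), path.resolve(candidate));
  if (rel === "") return true;
  if (path.isAbsolute(rel)) return false; // different drive on Windows
  return rel.split(path.sep)[0] !== "..";
}

// `realpath` lets callers pass fs.realpathSync so a symlink planted inside the
// workspace (proj/link -> /etc/shadow) is judged by where it points, not where
// it sits. The default identity function keeps this example free of disk I/O.
export function classify(
  policy: FilePolicy,
  requested: string,
  access: Access,
  realpath: (p: string) => string = (p) => p,
): Decision {
  const ws = realpath(path.resolve(policy.workspace));
  // Relative requests resolve against the workspace; ".." segments collapse here,
  // so "../../../etc/passwd" becomes an absolute path outside `ws` and is caught below.
  const target = realpath(path.resolve(ws, requested));

  // Secrets are checked first, so an allowlisted directory cannot leak its own .env.
  const sensitive = policy.sensitivePatterns ?? DEFAULT_SENSITIVE;
  if (sensitive.some((re) => re.test(target))) {
    return { approve: "manual", reason: `sensitive file: ${target}` };
  }

  const inWorkspace = isInside(ws, target);
  if (!inWorkspace) {
    const allowlisted =
      access === "read" &&
      (policy.readAllowlist ?? []).some((d) => isInside(realpath(path.resolve(d)), target));
    if (!allowlisted) {
      return { approve: "manual", reason: `outside workspace: ${target}` };
    }
  }

  const flag = access === "read" ? policy.autoApproveReads : policy.autoApproveWrites;
  if (!flag) return { approve: "manual", reason: `auto-approve for ${access} is off` };
  return {
    approve: "auto",
    reason: inWorkspace ? "inside workspace" : "read from allowlisted directory",
  };
}

// Constructed sample policy for the walkthrough below.
export const SAMPLE_POLICY: FilePolicy = {
  workspace: "/home/dev/proj",
  readAllowlist: ["/home/dev/other-src", "/home/dev/.cache/pip"],
  autoApproveReads: true,
  autoApproveWrites: true,
};

// Runs representative requests and returns their decisions keyed by request.
export function walkthrough(): Record<string, Decision> {
  // Constructed symlink map standing in for fs.realpathSync.
  const fakeRealpath = (p: string) => (p === "/home/dev/proj/link" ? "/etc/shadow" : p);
  return {
    "src/app.ts read": classify(SAMPLE_POLICY, "src/app.ts", "read"),
    ".env.local read": classify(SAMPLE_POLICY, ".env.local", "read"),
    "../../../etc/passwd read": classify(SAMPLE_POLICY, "../../../etc/passwd", "read"),
    "/home/dev/proj2/a.ts read": classify(SAMPLE_POLICY, "/home/dev/proj2/a.ts", "read"),
    "/home/dev/other-src/lib.ts read": classify(SAMPLE_POLICY, "/home/dev/other-src/lib.ts", "read"),
    "/home/dev/other-src/lib.ts write": classify(SAMPLE_POLICY, "/home/dev/other-src/lib.ts", "write"),
    "link read (symlink to /etc/shadow)": classify(SAMPLE_POLICY, "link", "read", fakeRealpath),
  };
}
```

With both auto-approve flags on, only the first and fifth requests in `walkthrough()` come back `auto`; the sibling-directory, traversal, secret-file, outside-write and symlink cases all return `manual`. As the original post notes, this gate covers the file tools only: a shell command the agent runs can still read an outside file, so command execution needs its own approval path.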