Roo Code Search Tool Vulnerability Allows Unauthorized File Reads and Information Leakage
Vulnerability
A moderate-severity vulnerability exists in the Roo Code AI coding agent in versions prior to 3.20.3. The agent's 'search_files' tool ignored the setting meant to prevent it from reading files outside the open Visual Studio Code workspace. An attacker already able to inject prompts into the agent could therefore have it read sensitive files and write their contents into a JSON schema. Because VS Code fetches referenced JSON schemas by default (the option can be disabled), this can trigger a network request that carries the file contents, without the user's consent.
Impact
Exploitation of this vulnerability could result in unauthorized reads of sensitive files, with the read contents then sent over the network through VS Code's automatic JSON schema fetching.
Reproduction
The vulnerability can be reproduced by injecting a prompt into the Roo Code agent that directs the 'search_files' tool to read files outside the current workspace; the tool's default behaviour did not enforce workspace boundaries. Once a file is read, its contents can be written into a JSON schema, which triggers an automatic network request.
Remediation
Users can update to Roo Code version 3.20.3 or later, where this issue is fixed. With the update, the 'search_files' tool respects workspace boundaries, reducing the risk of unauthorized file access.
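The fix described above amounts to a workspace-boundary check applied before a tool touches the filesystem. The following TypeScript is an added example written for this page, not Roo Code's own code; the function names `isWithinWorkspace` and `guardSearchPath`, the `allowOutsideWorkspace` flag and the sample paths are all assumptions. It resolves the requested path against the workspace root (including `..` segments and, when the path exists, symlinks) and refuses anything that lands outside the root unless an explicit opt-in is set.

```typescript
import * as path from "path";
import * as fs from "fs";

// Result of a boundary check: the fully resolved path plus a verdict.
export interface BoundaryCheck {
  allowed: boolean;
  resolved: string;
  reason?: string;
}

// Resolve a symlink if the path already exists; otherwise keep the lexical path.
// (Hypothetical helper; keeps the example runnable on paths that do not exist.)
function realIfPresent(p: string): string {
  try {
    return fs.realpathSync(p);
  } catch {
    return p;
  }
}

// Decide whether `requested` (absolute or relative to the workspace) stays
// inside `workspaceRoot`. Relative paths are resolved against the root; a
// resulting relative path that starts with ".." or is absolute (other drive on
// Windows) means the candidate escaped the workspace.
export function isWithinWorkspace(workspaceRoot: string, requested: string): BoundaryCheck {
  const root = realIfPresent(path.resolve(workspaceRoot));
  const candidate = realIfPresent(path.resolve(root, requested));
  const rel = path.relative(root, candidate);

  const escapes =
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||
    path.isAbsolute(rel);

  if (escapes) {
    return { allowed: false, resolved: candidate, reason: "path resolves outside the workspace" };
  }
  return { allowed: true, resolved: candidate };
}

// Gate a search_files-style request. The default (allowOutsideWorkspace=false)
// is the safe one: requests that leave the workspace are rejected rather than
// silently served. Returns the resolved path the tool may search.
export function guardSearchPath(
  workspaceRoot: string,
  requested: string,
  allowOutsideWorkspace = false
): string {
  const check = isWithinWorkspace(workspaceRoot, requested);
  if (!check.allowed && !allowOutsideWorkspace) {
    throw new Error(
      `search_files refused: "${requested}" resolves to ${check.resolved} (${check.reason})`
    );
  }
  return check.resolved;
}

// Constructed sample calls (paths are illustrative and need not exist).
const WORKSPACE = "/home/user/project";
console.log(guardSearchPath(WORKSPACE, "src"));          // inside: allowed
console.log(isWithinWorkspace(WORKSPACE, "../.ssh"));    // escapes via "..": refused
console.log(isWithinWorkspace(WORKSPACE, "/etc"));       // absolute path outside root: refused
```

The check must be applied on the resolved path, not on the string the model supplied: `src/../../other` is lexically inside `src` but resolves to a sibling of the workspace, and the `..foo` case shows why a plain `startsWith("..")` test would wrongly reject a legitimately named directory. The separate, defence-in-depth control on the exfiltration side is VS Code's JSON schema download setting (`json.schemaDownload.enable`), which the advisory notes is on by default.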