[DOCS] Security warning missing in Sandbox code examples using `docker.sock`
Documentation Type
Other
Documentation Location
docs/en/agent-sdk/python.md-docs/en/agent-sdk/typescript.md-docs/en/sandboxing.md
Section/Topic
- Sandbox Configuration / Example usage sections in the Python and TypeScript SDK references. - Security Limitations section in the Sandboxing guide.
Current Documentation
In docs/en/sandboxing.md under Security Limitations:
"Privilege Escalation via Unix Sockets: TheallowUnixSocketsconfiguration can inadvertently grant access to powerful system services that could lead to sandbox bypasses. For example, if it is used to allow access to/var/run/docker.sockthis would effectively grant access to the host system..."
However, in docs/en/agent-sdk/python.md (and the TypeScript equivalent), the Example usage for SandboxSettings provides the following code:
sandbox_settings: SandboxSettings = {
"enabled": True,
"autoAllowBashIfSandboxed": True,
"excludedCommands": ["docker"],
"network": {
"allowLocalBinding": True,
"allowUnixSockets": ["/var/run/docker.sock"]
}
}
What's Wrong or Missing?
There is a dangerous inconsistency between the security warnings and the implementation examples.
While the sandboxing.md file correctly identifies /var/run/docker.sock as a major privilege escalation risk that allows full host access, the SDK reference pages (python.md and typescript.md) use this exact path in their "copy-paste" examples without any inline warning.
Developers often copy-paste from "Example Usage" blocks without reading the full security limitations page. By providing this specific path as the default example, the documentation inadvertently encourages a high-risk configuration that bypasses the primary goals of the sandbox.
Suggested Improvement
Update the code examples in python.md and typescript.md to include a clear warning comment next to the sensitive Unix socket path.
Suggested Python Example:
sandbox_settings: SandboxSettings = {
"enabled": True,
"autoAllowBashIfSandboxed": True,
"excludedCommands": ["docker"],
"network": {
"allowLocalBinding": True,
# WARNING: Access to docker.sock allows full host access.
# Only use this in trusted, isolated environments.
"allowUnixSockets": ["/var/run/docker.sock"]
}
}
Suggested TypeScript Example:
sandbox: {
enabled: true,
autoAllowBashIfSandboxed: true,
excludedCommands: ["docker"],
network: {
allowLocalBinding: true,
// WARNING: Access to docker.sock allows full host access.
// Only use this in trusted, isolated environments.
allowUnixSockets: ["/var/run/docker.sock"]
}
}
Additionally, consider using a less sensitive example path (like a mock SSH agent socket) for general documentation, keeping the docker.sock mention specifically for the "Security Limitations" section.
Impact
High - Prevents users from using a feature
Additional Context
- Related Documentation:
sandboxing.md(Security Limitations). - Security Impact: Major. Providing an example that allows a complete sandbox escape to the host system without an inline warning is a significant security oversight for a tool designed to execute autonomous agentic code.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗