From a102b087438c0424ce32a47177b7e16132aa24df Mon Sep 17 00:00:00 2001
From: Conrad Irwin <conrad.irwin@gmail.com>
Date: Mon, 25 Aug 2025 10:03:07 -0600
Subject: [PATCH] Require confirmation for fetch tool (#36881)

Using prompt injection, the agent may be tricked into making a fetch
request that includes unexpected data from the conversation in the URL.

As agent conversations may contain sensitive information (like private
code, or
potentially even API keys), this seems bad.

The easiest way to prevent this is to require the user to look at the
URL
before the model is allowed to fetch it.

Thanks to @ant4g0nist for bringing this to our attention.

Release Notes:

- agent panel: The fetch tool now requires confirmation.
---
 crates/agent2/src/tools/fetch_tool.rs    | 9 +++++++--
 crates/assistant_tools/src/fetch_tool.rs | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/crates/agent2/src/tools/fetch_tool.rs b/crates/agent2/src/tools/fetch_tool.rs
index 0313c4e4c2f03a2ec40afdf9325ca2c84c45cf3c..dd97271a799d11daf09e95147c18ab07d55e1caf 100644
--- a/crates/agent2/src/tools/fetch_tool.rs
+++ b/crates/agent2/src/tools/fetch_tool.rs
@@ -136,12 +136,17 @@ impl AgentTool for FetchTool {
     fn run(
         self: Arc<Self>,
         input: Self::Input,
-        _event_stream: ToolCallEventStream,
+        event_stream: ToolCallEventStream,
         cx: &mut App,
     ) -> Task<Result<Self::Output>> {
+        let authorize = event_stream.authorize(input.url.clone(), cx);
+
         let text = cx.background_spawn({
             let http_client = self.http_client.clone();
-            async move { Self::build_message(http_client, &input.url).await }
+            async move {
+                authorize.await?;
+                Self::build_message(http_client, &input.url).await
+            }
         });
 
         cx.foreground_executor().spawn(async move {
diff --git a/crates/assistant_tools/src/fetch_tool.rs b/crates/assistant_tools/src/fetch_tool.rs
index 79e205f205d02ba2a3f977163d2296423f71d9da..cc22c9fc09f73914720c4b639f8d273207d7ca53 100644
--- a/crates/assistant_tools/src/fetch_tool.rs
+++ b/crates/assistant_tools/src/fetch_tool.rs
@@ -118,7 +118,7 @@ impl Tool for FetchTool {
     }
 
     fn needs_confirmation(&self, _: &serde_json::Value, _: &Entity<Project>, _: &App) -> bool {
-        false
+        true
     }
 
     fn may_perform_edits(&self) -> bool {