No-images policy: refuse non-text fetches, drop image_search_tool

Agents in this build are text-only researchers. Image, audio, video,
and binary content has no role in the pipeline and only widens the
attack surface (server-side image fetches, exfiltration via rendered
img tags, etc). The cleanest answer is to never load it in the first
place rather than maintain a domain allowlist that nobody can keep
up to date.

- web_fetch_tool now uses httpx.AsyncClient.stream and inspects the
  Content-Type header BEFORE the body is read into memory. Only
  text/*, application/json, application/xml, application/xhtml+xml,
  application/ld+json, application/atom+xml, application/rss+xml are
  accepted; everything else (image/*, audio/*, video/*, octet-stream,
  pdf, font, missing header, ...) is refused with a wrap_untrusted
  error reply. The body bytes never enter the process for refused
  responses. Read budget is bounded to ~4x max_chars regardless.

- image_search_tool removed from deerflow.community.searx.tools
  (both the deer-flow runtime tree and the factory overlay). The
  function is gone, not stubbed — any tool.use referencing it will
  raise AttributeError at tool-loading time.

- config.yaml: image_search tool entry removed; the example
  allowed_tools list updated to drop image_search.

- HARDENING.md: new section 2.8 explains the policy and the frontend
  caveat (the LLM can still emit ![](url) markdown which the user's
  browser would render — that requires a separate frontend patch
  that is not yet implemented). Section 3.4 adds a verification
  snippet for the policy. The web_fetch entry in section 2.2 is
  updated to mention the streaming Content-Type gate.

Both source trees stay in sync.

deer-flow/backend/packages/harness/deerflow/community/searx/tools.py

@@ -1,7 +1,13 @@
-"""Hardened SearX web search, web fetch, and image search tools.
+"""Hardened SearX web search and web fetch tools.
 
 Every external response is sanitized and wrapped in security delimiters
 before being returned to the LLM. See deerflow.security for the pipeline.
+
+Image fetching is intentionally NOT supported. Agents in this build are
+text-only researchers; image_search_tool was removed and web_fetch_tool
+refuses any response whose Content-Type is not a textual media type. If
+you need an image-aware agent, add a dedicated tool with explicit user
+review — do not lift these restrictions in place.
 """
 
 from __future__ import annotations
@@ -20,6 +26,28 @@ DEFAULT_SEARX_URL = "http://localhost:8888"
 DEFAULT_TIMEOUT = 30.0
 DEFAULT_USER_AGENT = "DeerFlow-Hardened/1.0 (+searx)"
 
+# Allowed Content-Type prefixes for web_fetch responses. Anything else
+# (image/*, audio/*, video/*, application/octet-stream, font/*, ...) is
+# rejected before its body is read into memory.
+ALLOWED_CONTENT_TYPE_PREFIXES = (
+    "text/",
+    "application/json",
+    "application/xml",
+    "application/xhtml+xml",
+    "application/ld+json",
+    "application/atom+xml",
+    "application/rss+xml",
+)
+
+
+def _is_text_content_type(header_value: str) -> bool:
+    """True if the Content-Type header is a textual media type we're willing to read."""
+    if not header_value:
+        # No header at all → refuse: we don't speculate.
+        return False
+    media = header_value.split(";", 1)[0].strip().lower()
+    return any(media == prefix.rstrip("/") or media.startswith(prefix) for prefix in ALLOWED_CONTENT_TYPE_PREFIXES)
+
 
 def _tool_extra(name: str) -> dict:
     """Read the model_extra dict for a tool config entry, defensively."""
@@ -88,6 +116,10 @@ def web_search_tool(query: str, max_results: int = 10) -> str:
 async def web_fetch_tool(url: str, max_chars: int = 10000) -> str:
     """Fetch a web page and return sanitized visible text.
 
+    Only textual responses are accepted (text/html, application/json, ...).
+    Image, audio, video, and binary responses are refused before the body
+    is read into memory — this build is text-only by policy.
+
     Dangerous HTML elements (script, style, iframe, form, ...) are stripped,
     invisible Unicode is removed, and the result is wrapped in security markers.
     Only call this for URLs returned by web_search or supplied directly by the
@@ -106,9 +138,29 @@ async def web_fetch_tool(url: str, max_chars: int = 10000) -> str:
             headers={"User-Agent": DEFAULT_USER_AGENT},
             follow_redirects=True,
         ) as client:
-            response = await client.get(url, timeout=DEFAULT_TIMEOUT)
-            response.raise_for_status()
-            html = response.text
+            # Stream so we can inspect headers BEFORE reading the body.
+            # Refuses image/audio/video/binary responses without ever
+            # touching their bytes.
+            async with client.stream("GET", url, timeout=DEFAULT_TIMEOUT) as response:
+                response.raise_for_status()
+                content_type = response.headers.get("content-type", "")
+                if not _is_text_content_type(content_type):
+                    return wrap_untrusted_content(
+                        {
+                            "error": "Refused: non-text response (this build does not fetch images, audio, video or binary content).",
+                            "url": url,
+                            "content_type": content_type or "<missing>",
+                        }
+                    )
+                # Read at most ~4x the char limit in bytes to bound memory.
+                # extract_secure_text + sanitizer will trim further.
+                max_bytes = max(4096, limit * 4)
+                buf = bytearray()
+                async for chunk in response.aiter_bytes():
+                    buf.extend(chunk)
+                    if len(buf) >= max_bytes:
+                        break
+                html = buf.decode(response.encoding or "utf-8", errors="replace")
     except Exception as exc:
         return wrap_untrusted_content({"error": f"Fetch failed: {exc}", "url": url})
 
@@ -117,44 +169,9 @@ async def web_fetch_tool(url: str, max_chars: int = 10000) -> str:
     return wrap_untrusted_content({"url": url, "content": clean_text})
 
 
-@tool("image_search", parse_docstring=True)
-def image_search_tool(query: str, max_results: int = 5) -> str:
-    """Search for images via the private hardened SearX instance.
-
-    Returns sanitized title/url pairs (no inline image data). Wrapped in
-    security delimiters.
-
-    Args:
-        query: Image search keywords.
-        max_results: Maximum number of images to return.
-    """
-    extra = _tool_extra("image_search")
-    cap = int(extra.get("max_results", 5))
-    searx_url = extra.get("searx_url", _searx_url("web_search"))
-    limit = max(1, min(int(max_results), cap))
-
-    try:
-        data = _http_get(
-            f"{searx_url}/search",
-            {"q": quote(query), "format": "json", "categories": "images"},
-        )
-    except Exception as exc:
-        return wrap_untrusted_content({"error": f"Image search failed: {exc}"})
-
-    results = []
-    for item in data.get("results", [])[:limit]:
-        results.append(
-            {
-                "title": sanitizer.sanitize(item.get("title", ""), max_length=200),
-                "url": item.get("url", ""),
-                "thumbnail": item.get("thumbnail_src") or item.get("img_src", ""),
-            }
-        )
-
-    return wrap_untrusted_content(
-        {
-            "query": query,
-            "total_results": len(results),
-            "results": results,
-        }
-    )
+# image_search_tool was intentionally removed in this hardened build.
+# Agents are text-only researchers; image fetching has no business in the
+# pipeline and only widens the attack surface (data exfiltration via
+# rendered <img> tags, server-side image content, ...). If you need to
+# bring it back, build a separate tool with explicit user-side allowlist
+# and a render-side proxy — do not just paste the old function back.