fix(security): block workspace hardlink alias escapes

src/agents/sandbox/fs-bridge.test.ts

@@ -195,6 +195,42 @@ describe("sandbox fs bridge shell compatibility", () => {
     await fs.rm(stateDir, { recursive: true, force: true });
   });
 
+  it("rejects pre-existing host hardlink escapes before docker exec", async () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const stateDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-fs-bridge-hardlink-"));
+    const workspaceDir = path.join(stateDir, "workspace");
+    const outsideDir = path.join(stateDir, "outside");
+    const outsideFile = path.join(outsideDir, "secret.txt");
+    await fs.mkdir(workspaceDir, { recursive: true });
+    await fs.mkdir(outsideDir, { recursive: true });
+    await fs.writeFile(outsideFile, "classified");
+    const hardlinkPath = path.join(workspaceDir, "link.txt");
+    try {
+      try {
+        await fs.link(outsideFile, hardlinkPath);
+      } catch (err) {
+        if ((err as NodeJS.ErrnoException).code === "EXDEV") {
+          return;
+        }
+        throw err;
+      }
+
+      const bridge = createSandboxFsBridge({
+        sandbox: createSandbox({
+          workspaceDir,
+          agentWorkspaceDir: workspaceDir,
+        }),
+      });
+
+      await expect(bridge.readFile({ filePath: "link.txt" })).rejects.toThrow(/hardlink|sandbox/i);
+      expect(mockedExecDockerRaw).not.toHaveBeenCalled();
+    } finally {
+      await fs.rm(stateDir, { recursive: true, force: true });
+    }
+  });
+
   it("rejects container-canonicalized paths outside allowed mounts", async () => {
     mockedExecDockerRaw.mockImplementation(async (args) => {
       const script = getDockerScript(args);

src/agents/sandbox/fs-bridge.ts

@@ -1,5 +1,6 @@
 import fs from "node:fs/promises";
 import path from "node:path";
+import { assertNoHardlinkedFinalPath } from "../../infra/hardlink-guards.js";
 import { isNotFoundPathError, isPathInside } from "../../infra/path-guards.js";
 import { execDockerRaw, type ExecDockerRawResult } from "./docker.js";
 import {
@@ -21,6 +22,7 @@ type RunCommandOptions = {
 type PathSafetyOptions = {
   action: string;
   allowFinalSymlink?: boolean;
+  allowFinalHardlink?: boolean;
   requireWritable?: boolean;
 };
 
@@ -151,6 +153,7 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
       action: "remove files",
       requireWritable: true,
       allowFinalSymlink: true,
+      allowFinalHardlink: true,
     });
     const flags = [params.force === false ? "" : "-f", params.recursive ? "-r" : ""].filter(
       Boolean,
@@ -176,6 +179,7 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
       action: "rename files",
       requireWritable: true,
       allowFinalSymlink: true,
+      allowFinalHardlink: true,
     });
     await this.assertPathSafety(to, {
       action: "rename files",
@@ -257,6 +261,12 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
       rootPath: lexicalMount.hostRoot,
       allowFinalSymlink: options.allowFinalSymlink === true,
     });
+    await assertNoHardlinkedFinalPath({
+      filePath: target.hostPath,
+      root: lexicalMount.hostRoot,
+      boundaryLabel: "sandbox mount root",
+      allowFinalHardlink: options.allowFinalHardlink === true,
+    });
 
     const canonicalContainerPath = await this.resolveCanonicalContainerPath({
       containerPath: target.containerPath,