fix(media): allow os.tmpdir() paths in sandbox media source validation

resolveSandboxedMediaSource() rejected all paths outside the sandbox workspace root, including /tmp. This blocked sandboxed agents from sending locally-generated temp files (e.g. images from Python scripts) via messaging actions. Add an os.tmpdir() prefix check before the strict sandbox containment assertion, consistent with buildMediaLocalRoots() which already includes os.tmpdir() in its default allowlist. Path traversal through /tmp (e.g. /tmp/../etc/passwd) is prevented by path.resolve() normalization before the prefix check. Relates-to: #16382, #14174
2026-05-08 06:21:26 +00:00 · 2026-02-16 03:37:19 -05:00
parent 4cf5c3e109
commit 0bb81f7294
2 changed files with 55 additions and 3 deletions
--- a/src/agents/sandbox-paths.ts
+++ b/src/agents/sandbox-paths.ts
@@ -90,12 +90,18 @@ export async function resolveSandboxedMediaSource(params: {
      throw new Error(`Invalid file:// URL for sandboxed media: ${raw}`);
    }
  }
-  const resolved = await assertSandboxPath({
+  // Allow files under os.tmpdir() — consistent with buildMediaLocalRoots() defaults.
+  const resolved = path.resolve(params.sandboxRoot, candidate);
+  const tmpDir = os.tmpdir();
+  if (resolved === tmpDir || resolved.startsWith(tmpDir + path.sep)) {
+    return resolved;
+  }
+  const sandboxResult = await assertSandboxPath({
    filePath: candidate,
    cwd: params.sandboxRoot,
    root: params.sandboxRoot,
  });
-  return resolved.resolved;
+  return sandboxResult.resolved;
 }

 async function assertNoSymlinkEscape(