github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-13 18:46:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden boundary-path canonical alias handling

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-26 13:43:23 +01:00
parent 4b71de384c
commit 1aef45bc06
3 changed files with 52 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/infra/boundary-path.ts
View File

@@ -53,8 +53,16 @@ export async function resolveBoundaryPath(
? path.resolve(params.rootCanonicalPath)
: await resolvePathViaExistingAncestor(rootPath);
const lexicalInside = isPathInside(rootPath, absolutePath);
const outsideLexicalCanonicalPath = lexicalInside
? undefined
: await resolvePathViaExistingAncestor(absolutePath);
const canonicalOutsideLexicalPath = outsideLexicalCanonicalPath ?? absolutePath;
if (!params.skipLexicalRootCheck && !lexicalInside) {
if (
!params.skipLexicalRootCheck &&
!lexicalInside &&
!isPathInside(rootCanonicalPath, canonicalOutsideLexicalPath)
) {
throw pathEscapeError({
boundaryLabel: params.boundaryLabel,
rootPath,
@@ -63,7 +71,7 @@ export async function resolveBoundaryPath(
}
if (!lexicalInside) {
const canonicalPath = await resolvePathViaExistingAncestor(absolutePath);
const canonicalPath = canonicalOutsideLexicalPath;
assertInsideBoundary({
boundaryLabel: params.boundaryLabel,
rootCanonicalPath,
@@ -97,8 +105,16 @@ export function resolveBoundaryPathSync(params: ResolveBoundaryPathParams): Reso
? path.resolve(params.rootCanonicalPath)
: resolvePathViaExistingAncestorSync(rootPath);
const lexicalInside = isPathInside(rootPath, absolutePath);
const outsideLexicalCanonicalPath = lexicalInside
? undefined
: resolvePathViaExistingAncestorSync(absolutePath);
const canonicalOutsideLexicalPath = outsideLexicalCanonicalPath ?? absolutePath;
if (!params.skipLexicalRootCheck && !lexicalInside) {
if (
!params.skipLexicalRootCheck &&
!lexicalInside &&
!isPathInside(rootCanonicalPath, canonicalOutsideLexicalPath)
) {
throw pathEscapeError({
boundaryLabel: params.boundaryLabel,
rootPath,
@@ -107,7 +123,7 @@ export function resolveBoundaryPathSync(params: ResolveBoundaryPathParams): Reso
}
if (!lexicalInside) {
const canonicalPath = resolvePathViaExistingAncestorSync(absolutePath);
const canonicalPath = canonicalOutsideLexicalPath;
assertInsideBoundary({
boundaryLabel: params.boundaryLabel,
rootCanonicalPath,