github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-11 02:44:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: tighten sandbox mkdirp boundary checks (#30610) (thanks @glitch418x)

Browse Source
This commit is contained in:
Agent
2026-03-01 21:41:24 +00:00
committed by Peter Steinberger
parent 687f5779d1
commit 3be1343e00
6 changed files with 40 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/agents/sandbox/fs-bridge.ts
View File

@@ -24,7 +24,7 @@ type PathSafetyOptions = {
aliasPolicy?: PathAliasPolicy;
requireWritable?: boolean;
allowMissingTarget?: boolean;
allowedTypes?: readonly SafeOpenSyncAllowedType[];
allowedType?: SafeOpenSyncAllowedType;
};
export type SandboxResolvedPath = {
@@ -137,7 +137,7 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
await this.assertPathSafety(target, {
action: "create directories",
requireWritable: true,
allowedTypes: ["directory"],
allowedType: "directory",
});
await this.runCommand('set -eu; mkdir -p -- "$1"', {
args: [target.containerPath],
@@ -264,7 +264,7 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
rootPath: lexicalMount.hostRoot,
boundaryLabel: "sandbox mount root",
aliasPolicy: options.aliasPolicy,
allowedTypes: options.allowedTypes,
allowedType: options.allowedType,
});
if (!guarded.ok) {
if (guarded.reason !== "path" || options.allowMissingTarget === false) {