Security: harden sandboxed media handling (#9182)

* Message: enforce sandbox for media param * fix: harden sandboxed media handling (#8780) (thanks @victormier) * chore: format message action runner (#8780) (thanks @victormier) --------- Co-authored-by: Victor Mier <victormier@gmail.com>
2026-05-08 09:41:24 +00:00 · 2026-02-04 19:11:23 -05:00
parent 5e025c4ba3
commit 4434cae565
6 changed files with 278 additions and 80 deletions
--- a/src/agents/sandbox-paths.ts
+++ b/src/agents/sandbox-paths.ts
@@ -1,8 +1,11 @@
 import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
+import { fileURLToPath } from "node:url";

 const UNICODE_SPACES = /[\u00A0\u2000-\u200A\u202F\u205F\u3000]/g;
+const HTTP_URL_RE = /^https?:\/\//i;
+const DATA_URL_RE = /^data:/i;

 function normalizeUnicodeSpaces(str: string): string {
  return str.replace(UNICODE_SPACES, " ");
@@ -49,6 +52,40 @@ export async function assertSandboxPath(params: { filePath: string; cwd: string;
  return resolved;
 }

+export function assertMediaNotDataUrl(media: string): void {
+  const raw = media.trim();
+  if (DATA_URL_RE.test(raw)) {
+    throw new Error("data: URLs are not supported for media. Use buffer instead.");
+  }
+}
+
+export async function resolveSandboxedMediaSource(params: {
+  media: string;
+  sandboxRoot: string;
+}): Promise<string> {
+  const raw = params.media.trim();
+  if (!raw) {
+    return raw;
+  }
+  if (HTTP_URL_RE.test(raw)) {
+    return raw;
+  }
+  let candidate = raw;
+  if (/^file:\/\//i.test(candidate)) {
+    try {
+      candidate = fileURLToPath(candidate);
+    } catch {
+      throw new Error(`Invalid file:// URL for sandboxed media: ${raw}`);
+    }
+  }
+  const resolved = await assertSandboxPath({
+    filePath: candidate,
+    cwd: params.sandboxRoot,
+    root: params.sandboxRoot,
+  });
+  return resolved.resolved;
+}
+
 async function assertNoSymlink(relative: string, root: string) {
  if (!relative) {
    return;
--- a/src/agents/tools/message-tool.test.ts
+++ b/src/agents/tools/message-tool.test.ts
@@ -1,6 +1,3 @@
-import fs from "node:fs/promises";
-import os from "node:os";
-import path from "node:path";
 import { describe, expect, it, vi } from "vitest";
 import type { ChannelPlugin } from "../../channels/plugins/types.js";
 import type { MessageActionRunResult } from "../../infra/outbound/message-action-runner.js";
@@ -165,50 +162,8 @@ describe("message tool description", () => {
  });
 });

-describe("message tool sandbox path validation", () => {
-  it("rejects filePath that escapes sandbox root", async () => {
-    const sandboxDir = await fs.mkdtemp(path.join(os.tmpdir(), "msg-sandbox-"));
-    try {
-      const tool = createMessageTool({
-        config: {} as never,
-        sandboxRoot: sandboxDir,
-      });
-
-      await expect(
-        tool.execute("1", {
-          action: "send",
-          target: "telegram:123",
-          filePath: "/etc/passwd",
-          message: "",
-        }),
-      ).rejects.toThrow(/sandbox/i);
-    } finally {
-      await fs.rm(sandboxDir, { recursive: true, force: true });
-    }
-  });
-
-  it("rejects path param with traversal sequence", async () => {
-    const sandboxDir = await fs.mkdtemp(path.join(os.tmpdir(), "msg-sandbox-"));
-    try {
-      const tool = createMessageTool({
-        config: {} as never,
-        sandboxRoot: sandboxDir,
-      });
-
-      await expect(
-        tool.execute("1", {
-          action: "send",
-          target: "telegram:123",
-          path: "../../../etc/shadow",
-          message: "",
-        }),
-      ).rejects.toThrow(/sandbox/i);
-    } finally {
-      await fs.rm(sandboxDir, { recursive: true, force: true });
-    }
-  });
-
-  it("allows filePath inside sandbox root", async () => {
+describe("message tool sandbox passthrough", () => {
+  it("forwards sandboxRoot to runMessageAction", async () => {
    mocks.runMessageAction.mockClear();
    mocks.runMessageAction.mockResolvedValue({
      kind: "send",
@@ -220,27 +175,22 @@ describe("message tool sandbox path validation", () => {
      dryRun: true,
    } satisfies MessageActionRunResult);

-    const sandboxDir = await fs.mkdtemp(path.join(os.tmpdir(), "msg-sandbox-"));
-    try {
-      const tool = createMessageTool({
-        config: {} as never,
-        sandboxRoot: sandboxDir,
-      });
+    const tool = createMessageTool({
+      config: {} as never,
+      sandboxRoot: "/tmp/sandbox",
+    });

-      await tool.execute("1", {
-        action: "send",
-        target: "telegram:123",
-        filePath: "./data/file.txt",
-        message: "",
-      });
+    await tool.execute("1", {
+      action: "send",
+      target: "telegram:123",
+      message: "",
+    });

-      expect(mocks.runMessageAction).toHaveBeenCalledTimes(1);
-    } finally {
-      await fs.rm(sandboxDir, { recursive: true, force: true });
-    }
+    const call = mocks.runMessageAction.mock.calls[0]?.[0];
+    expect(call?.sandboxRoot).toBe("/tmp/sandbox");
  });

-  it("skips validation when no sandboxRoot is set", async () => {
+  it("omits sandboxRoot when not configured", async () => {
    mocks.runMessageAction.mockClear();
    mocks.runMessageAction.mockResolvedValue({
      kind: "send",
@@ -259,11 +209,10 @@ describe("message tool sandbox path validation", () => {
    await tool.execute("1", {
      action: "send",
      target: "telegram:123",
-      filePath: "/etc/passwd",
      message: "",
    });

-    // Without sandboxRoot the validation is skipped — unsandboxed sessions work normally.
-    expect(mocks.runMessageAction).toHaveBeenCalledTimes(1);
+    const call = mocks.runMessageAction.mock.calls[0]?.[0];
+    expect(call?.sandboxRoot).toBeUndefined();
  });
 });
--- a/src/agents/tools/message-tool.ts
+++ b/src/agents/tools/message-tool.ts
@@ -19,7 +19,6 @@ import { normalizeAccountId } from "../../routing/session-key.js";
 import { normalizeMessageChannel } from "../../utils/message-channel.js";
 import { resolveSessionAgentId } from "../agent-scope.js";
 import { listChannelSupportedActions } from "../channel-tools.js";
-import { assertSandboxPath } from "../sandbox-paths.js";
 import { channelTargetSchema, channelTargetsSchema, stringEnum } from "../schema/typebox.js";
 import { jsonResult, readNumberParam, readStringParam } from "./common.js";

@@ -422,17 +421,6 @@ export function createMessageTool(options?: MessageToolOptions): AnyAgentTool {
        }
      }

-      // Validate file paths against sandbox root to prevent host file access.
-      const sandboxRoot = options?.sandboxRoot;
-      if (sandboxRoot) {
-        for (const key of ["filePath", "path"] as const) {
-          const raw = readStringParam(params, key, { trim: false });
-          if (raw) {
-            await assertSandboxPath({ filePath: raw, cwd: sandboxRoot, root: sandboxRoot });
-          }
-        }
-      }
-
      const accountId = readStringParam(params, "accountId") ?? agentAccountId;
      if (accountId) {
        params.accountId = accountId;
@@ -475,6 +463,7 @@ export function createMessageTool(options?: MessageToolOptions): AnyAgentTool {
        agentId: options?.agentSessionKey
          ? resolveSessionAgentId({ sessionKey: options.agentSessionKey, config: cfg })
          : undefined,
+        sandboxRoot: options?.sandboxRoot,
        abortSignal: signal,
      });