github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 09:12:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden workspace boundary path resolution

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-26 13:19:55 +01:00
parent ecb2053fdd
commit 46eba86b45
8 changed files with 767 additions and 177 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/agents/sandbox-paths.test.ts
View File

@@ -195,6 +195,26 @@ describe("resolveSandboxedMediaSource", () => {
});
});
it("rejects sandbox symlink escapes when the outside leaf does not exist yet", async () => {
if (process.platform === "win32") {
return;
}
await withSandboxRoot(async (sandboxDir) => {
const outsideDir = await fs.mkdtemp(
path.join(process.cwd(), "sandbox-media-outside-missing-"),
);
const linkDir = path.join(sandboxDir, "escape-link");
await fs.symlink(outsideDir, linkDir);
try {
const missingOutsidePath = path.join(linkDir, "new-file.txt");
await expectSandboxRejection(missingOutsidePath, sandboxDir, /symlink|sandbox/i);
} finally {
await fs.rm(linkDir, { force: true });
await fs.rm(outsideDir, { recursive: true, force: true });
}
});
});
it("rejects hardlinked OpenClaw tmp paths to outside files", async () => {
if (process.platform === "win32") {
return;