fix(security): default apply_patch workspace containment

src/agents/apply-patch.e2e.test.ts

@@ -71,9 +71,12 @@ describe("applyPatch", () => {
     });
   });
 
-  it("rejects path traversal outside cwd", async () => {
+  it("rejects path traversal outside cwd by default", async () => {
     await withTempDir(async (dir) => {
-      const escapedPath = path.join(path.dirname(dir), "escaped.txt");
+      const escapedPath = path.join(
+        path.dirname(dir),
+        `escaped-${process.pid}-${Date.now()}-${Math.random().toString(16).slice(2)}.txt`,
+      );
       const relativeEscape = path.relative(dir, escapedPath);
 
       const patch = `*** Begin Patch
@@ -81,14 +84,16 @@ describe("applyPatch", () => {
 +escaped
 *** End Patch`;
 
-      await expect(applyPatch(patch, { cwd: dir, workspaceOnly: true })).rejects.toThrow(
-        /Path escapes sandbox root/,
-      );
-      await expect(fs.readFile(escapedPath, "utf8")).rejects.toBeDefined();
+      try {
+        await expect(applyPatch(patch, { cwd: dir })).rejects.toThrow(/Path escapes sandbox root/);
+        await expect(fs.readFile(escapedPath, "utf8")).rejects.toBeDefined();
+      } finally {
+        await fs.rm(escapedPath, { force: true });
+      }
     });
   });
 
-  it("rejects absolute paths outside cwd", async () => {
+  it("rejects absolute paths outside cwd by default", async () => {
     await withTempDir(async (dir) => {
       const escapedPath = path.join(os.tmpdir(), `openclaw-apply-patch-${Date.now()}.txt`);
 
@@ -98,9 +103,7 @@ describe("applyPatch", () => {
 *** End Patch`;
 
       try {
-        await expect(applyPatch(patch, { cwd: dir, workspaceOnly: true })).rejects.toThrow(
-          /Path escapes sandbox root/,
-        );
+        await expect(applyPatch(patch, { cwd: dir })).rejects.toThrow(/Path escapes sandbox root/);
         await expect(fs.readFile(escapedPath, "utf8")).rejects.toBeDefined();
       } finally {
         await fs.rm(escapedPath, { force: true });
@@ -108,7 +111,7 @@ describe("applyPatch", () => {
     });
   });
 
-  it("allows absolute paths within cwd", async () => {
+  it("allows absolute paths within cwd by default", async () => {
     await withTempDir(async (dir) => {
       const target = path.join(dir, "nested", "inside.txt");
       const patch = `*** Begin Patch
@@ -116,13 +119,13 @@ describe("applyPatch", () => {
 +inside
 *** End Patch`;
 
-      await applyPatch(patch, { cwd: dir, workspaceOnly: true });
+      await applyPatch(patch, { cwd: dir });
       const contents = await fs.readFile(target, "utf8");
       expect(contents).toBe("inside\n");
     });
   });
 
-  it("rejects symlink escape attempts", async () => {
+  it("rejects symlink escape attempts by default", async () => {
     await withTempDir(async (dir) => {
       const outside = path.join(path.dirname(dir), "outside-target.txt");
       const linkPath = path.join(dir, "link.txt");
@@ -136,16 +139,14 @@ describe("applyPatch", () => {
 +pwned
 *** End Patch`;
 
-      await expect(applyPatch(patch, { cwd: dir, workspaceOnly: true })).rejects.toThrow(
-        /Symlink escapes sandbox root/,
-      );
+      await expect(applyPatch(patch, { cwd: dir })).rejects.toThrow(/Symlink escapes sandbox root/);
       const outsideContents = await fs.readFile(outside, "utf8");
       expect(outsideContents).toBe("initial\n");
       await fs.rm(outside, { force: true });
     });
   });
 
-  it("allows symlinks that resolve within cwd", async () => {
+  it("allows symlinks that resolve within cwd by default", async () => {
     await withTempDir(async (dir) => {
       const target = path.join(dir, "target.txt");
       const linkPath = path.join(dir, "link.txt");
@@ -159,9 +160,60 @@ describe("applyPatch", () => {
 +updated
 *** End Patch`;
 
-      await applyPatch(patch, { cwd: dir, workspaceOnly: true });
+      await applyPatch(patch, { cwd: dir });
       const contents = await fs.readFile(target, "utf8");
       expect(contents).toBe("updated\n");
     });
   });
+
+  it("rejects delete path traversal via symlink directories by default", async () => {
+    await withTempDir(async (dir) => {
+      const outsideDir = path.join(path.dirname(dir), `outside-dir-${process.pid}-${Date.now()}`);
+      const outsideFile = path.join(outsideDir, "victim.txt");
+      await fs.mkdir(outsideDir, { recursive: true });
+      await fs.writeFile(outsideFile, "victim\n", "utf8");
+
+      const linkDir = path.join(dir, "linkdir");
+      await fs.symlink(outsideDir, linkDir);
+
+      const patch = `*** Begin Patch
+*** Delete File: linkdir/victim.txt
+*** End Patch`;
+
+      try {
+        await expect(applyPatch(patch, { cwd: dir })).rejects.toThrow(
+          /Symlink escapes sandbox root/,
+        );
+        const stillThere = await fs.readFile(outsideFile, "utf8");
+        expect(stillThere).toBe("victim\n");
+      } finally {
+        await fs.rm(outsideFile, { force: true });
+        await fs.rm(outsideDir, { recursive: true, force: true });
+      }
+    });
+  });
+
+  it("allows path traversal when workspaceOnly is explicitly disabled", async () => {
+    await withTempDir(async (dir) => {
+      const escapedPath = path.join(
+        path.dirname(dir),
+        `escaped-allow-${process.pid}-${Date.now()}-${Math.random().toString(16).slice(2)}.txt`,
+      );
+      const relativeEscape = path.relative(dir, escapedPath);
+
+      const patch = `*** Begin Patch
+*** Add File: ${relativeEscape}
++escaped
+*** End Patch`;
+
+      try {
+        const result = await applyPatch(patch, { cwd: dir, workspaceOnly: false });
+        expect(result.summary.added.length).toBe(1);
+        const contents = await fs.readFile(escapedPath, "utf8");
+        expect(contents).toBe("escaped\n");
+      } finally {
+        await fs.rm(escapedPath, { force: true });
+      }
+    });
+  });
 });