github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-18 18:17:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(sandbox): allow mkdirp boundary check on existing directories

Browse Source
This commit is contained in:
User
2026-03-02 17:43:52 +08:00
committed by Peter Steinberger
parent 345abf0b20
commit 6135eb3353
1 changed files with 25 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/agents/sandbox/fs-bridge.ts
View File

@@ -267,11 +267,31 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
});
if (!guarded.ok) {
if (guarded.reason !== "path") {
throw guarded.error instanceof Error
? guarded.error
: new Error(
`Sandbox boundary checks failed; cannot ${options.action}: ${target.containerPath}`,
);
// mkdirp may legally target an already-existing directory. Keep a
// directory-only fallback so boundary checks remain strict for files
// while avoiding false negatives from file-oriented open validation.
if (options.allowedType === "directory") {
try {
const st = fs.statSync(target.hostPath);
if (!st.isDirectory()) {
throw new Error(
`Sandbox boundary checks failed; cannot ${options.action}: ${target.containerPath}`,
);
}
} catch {
throw guarded.error instanceof Error
? guarded.error
: new Error(
`Sandbox boundary checks failed; cannot ${options.action}: ${target.containerPath}`,
);
}
} else {
throw guarded.error instanceof Error
? guarded.error
: new Error(
`Sandbox boundary checks failed; cannot ${options.action}: ${target.containerPath}`,
);
}
}
} else {
fs.closeSync(guarded.fd);