fix(sandbox): block @-prefixed workspace path bypass

Peter Steinberger
2026-02-24 17:22:46 +00:00
parent f154926cc0
commit 9ef0fc2ff8
6 changed files with 58 additions and 3 deletions


@@ -61,6 +61,36 @@ describe("wrapToolWorkspaceRootGuardWithOptions", () => {
});
});
it("maps @-prefixed container workspace paths to host workspace root", async () => {
const { tool } = createToolHarness();
const wrapped = wrapToolWorkspaceRootGuardWithOptions(tool, root, {
containerWorkdir: "/workspace",
});
await wrapped.execute("tc-at-container", { path: "@/workspace/docs/readme.md" });
expect(mocks.assertSandboxPath).toHaveBeenCalledWith({
filePath: path.resolve(root, "docs", "readme.md"),
cwd: root,
root,
});
});
it("normalizes @-prefixed absolute paths before guard checks", async () => {
const { tool } = createToolHarness();
const wrapped = wrapToolWorkspaceRootGuardWithOptions(tool, root, {
containerWorkdir: "/workspace",
});
await wrapped.execute("tc-at-absolute", { path: "@/etc/passwd" });
expect(mocks.assertSandboxPath).toHaveBeenCalledWith({
filePath: "/etc/passwd",
cwd: root,
root,
});
});
it("does not remap absolute paths outside the configured container workdir", async () => {
const { tool } = createToolHarness();
const wrapped = wrapToolWorkspaceRootGuardWithOptions(tool, root, {