fix(sandbox): block @-prefixed workspace path bypass

Peter Steinberger
2026-02-24 17:22:46 +00:00
parent f154926cc0
commit 9ef0fc2ff8
6 changed files with 58 additions and 3 deletions


@@ -2,6 +2,7 @@ import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import { describe, expect, it, vi } from "vitest";
import type { OpenClawConfig } from "../config/config.js";
import { createOpenClawCodingTools } from "./pi-tools.js";
import { createHostSandboxFsBridge } from "./test-helpers/host-sandbox-fs-bridge.js";
import { expectReadWriteEditTools, getTextContent } from "./test-helpers/pi-tools-fs-helpers.js";
@@ -137,6 +138,19 @@ describe("workspace path resolution", () => {
});
});
});
it("rejects @-prefixed absolute paths outside workspace when workspaceOnly is enabled", async () => {
await withTempDir("openclaw-ws-", async (workspaceDir) => {
const cfg: OpenClawConfig = { tools: { fs: { workspaceOnly: true } } };
const tools = createOpenClawCodingTools({ workspaceDir, config: cfg });
const { readTool } = expectReadWriteEditTools(tools);
const outsideAbsolute = path.resolve(path.parse(workspaceDir).root, "outside-openclaw.txt");
await expect(
readTool.execute("ws-read-at-prefix", { path: `@${outsideAbsolute}` }),
).rejects.toThrow(/Path escapes sandbox root/i);
});
});
});
describe("sandboxed workspace paths", () => {
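Review bot: The new case pins the @-prefix rejection only for the read tool, at `readTool.execute("ws-read-at-prefix", { path: `@${outsideAbsolute}` })`. The helper's name, `expectReadWriteEditTools`, suggests it also returns write and edit tools, and these presumably share the same path resolution. Nothing in this hunk asserts that they reject the same input, so a regression confined to either would still pass. Consider repeating the `.rejects.toThrow(/Path escapes sandbox root/i)` assertion for the other tools the helper returns, using the same `@${outsideAbsolute}` argument. A short comment above the `it(...)` would also help, for example `// regression: an "@" prefix must not let an absolute path skip the workspaceOnly check`. The enclosing `describe("workspace path resolution", ...)` opens outside this hunk, so any existing write/edit coverage there is not visible from here.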