github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 09:11:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(sandbox): block @-prefixed workspace path bypass

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-24 17:22:46 +00:00
parent f154926cc0
commit 9ef0fc2ff8
6 changed files with 58 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/agents/sandbox-paths.ts
View File

@@ -13,8 +13,12 @@ function normalizeUnicodeSpaces(str: string): string {
return str.replace(UNICODE_SPACES, " ");
}
function normalizeAtPrefix(filePath: string): string {
return filePath.startsWith("@") ? filePath.slice(1) : filePath;
}
function expandPath(filePath: string): string {
const normalized = normalizeUnicodeSpaces(filePath);
const normalized = normalizeUnicodeSpaces(normalizeAtPrefix(filePath));
if (normalized === "~") {
return os.homedir();
}