fix(security): harden root file guards and host writes

2026-05-07 22:11:23 +00:00 · 2026-02-26 13:32:02 +01:00
parent 2ca2d5ab1c
commit e3385a6578
8 changed files with 387 additions and 81 deletions
--- a/src/agents/apply-patch.ts
+++ b/src/agents/apply-patch.ts
@@ -1,7 +1,10 @@
+import syncFs from "node:fs";
 import fs from "node:fs/promises";
 import path from "node:path";
 import type { AgentTool } from "@mariozechner/pi-agent-core";
 import { Type } from "@sinclair/typebox";
+import { openBoundaryFile, type BoundaryFileOpenResult } from "../infra/boundary-file-read.js";
+import { writeFileWithinRoot } from "../infra/fs-safe.js";
 import { PATH_ALIAS_POLICIES, type PathAliasPolicy } from "../infra/path-alias-guards.js";
 import { applyUpdateHunk } from "./apply-patch-update.js";
 import { assertSandboxPath, resolveSandboxInputPath } from "./sandbox-paths.js";
@@ -235,9 +238,37 @@ function resolvePatchFileOps(options: ApplyPatchOptions): PatchFileOps {
      mkdirp: (dir) => bridge.mkdirp({ filePath: dir, cwd: root }),
    };
  }
+  const workspaceOnly = options.workspaceOnly !== false;
  return {
-    readFile: (filePath) => fs.readFile(filePath, "utf8"),
-    writeFile: (filePath, content) => fs.writeFile(filePath, content, "utf8"),
+    readFile: async (filePath) => {
+      if (!workspaceOnly) {
+        return await fs.readFile(filePath, "utf8");
+      }
+      const opened = await openBoundaryFile({
+        absolutePath: filePath,
+        rootPath: options.cwd,
+        boundaryLabel: "workspace root",
+      });
+      assertBoundaryRead(opened, filePath);
+      try {
+        return syncFs.readFileSync(opened.fd, "utf8");
+      } finally {
+        syncFs.closeSync(opened.fd);
+      }
+    },
+    writeFile: async (filePath, content) => {
+      if (!workspaceOnly) {
+        await fs.writeFile(filePath, content, "utf8");
+        return;
+      }
+      const relative = toRelativeWorkspacePath(options.cwd, filePath);
+      await writeFileWithinRoot({
+        rootDir: options.cwd,
+        relativePath: relative,
+        data: content,
+        encoding: "utf8",
+      });
+    },
    remove: (filePath) => fs.rm(filePath),
    mkdirp: (dir) => fs.mkdir(dir, { recursive: true }).then(() => {}),
  };
@@ -298,6 +329,27 @@ function resolvePathFromCwd(filePath: string, cwd: string): string {
  return path.normalize(resolveSandboxInputPath(filePath, cwd));
 }

+function toRelativeWorkspacePath(workspaceRoot: string, absolutePath: string): string {
+  const rootResolved = path.resolve(workspaceRoot);
+  const resolved = path.resolve(absolutePath);
+  const relative = path.relative(rootResolved, resolved);
+  if (!relative || relative === "." || relative.startsWith("..") || path.isAbsolute(relative)) {
+    throw new Error(`Path escapes sandbox root (${workspaceRoot}): ${absolutePath}`);
+  }
+  return relative;
+}
+
+function assertBoundaryRead(
+  opened: BoundaryFileOpenResult,
+  targetPath: string,
+): asserts opened is Extract<BoundaryFileOpenResult, { ok: true }> {
+  if (opened.ok) {
+    return;
+  }
+  const reason = opened.reason === "validation" ? "unsafe path" : "path not found";
+  throw new Error(`Failed boundary read for ${targetPath} (${reason})`);
+}
+
 function toDisplayPath(resolved: string, cwd: string): string {
  const relative = path.relative(cwd, resolved);
  if (!relative || relative === "") {