fix: confine write_file to sandbox home directory#249
Merged
unifiedh merged 1 commit intoConway-Research:mainfrom Mar 3, 2026
Add path confinement to the write_file tool so agents cannot write files outside their sandbox home (/root). Previously, agents could write to arbitrary filesystem paths like /etc, /tmp, or /home, replacing important system files.

Changes:
- Add confinePathToSandbox() that resolves and validates file paths
- Reject absolute paths outside /root
- Prevent ../ traversal attacks via path.resolve normalization
- Handle ~ expansion to sandbox home
- Resolve relative paths against sandbox home
- Keep existing isProtectedFile() as defense-in-depth
- Update tests: use /root paths, add confinement test cases

Closes Conway-Research#188
Summary
Fixes #188 -- the `write_file` tool had no path confinement, allowing agents to write files anywhere in the filesystem. Agents were writing to `/root`, `/root/.automaton`, `/root/automaton`, replacing important files and potentially escaping the sandbox.

Changes

- `src/agent/tools.ts`: Added `confinePathToSandbox()` function that validates file paths resolve within `/root` (the sandbox home). The write_file tool now:
  - Expands `~` paths to the sandbox home
  - Rejects absolute paths outside `/root` (e.g., `/etc/passwd`, `/tmp/evil.sh`)
  - Prevents `../` traversal attacks via `path.resolve` normalization
  - Keeps `isProtectedFile()` as defense-in-depth
- `src/__tests__/tools-security.test.ts`: Updated existing tests and added new test cases:
  - `write_file blocks paths outside sandbox home` -- tests `/etc/passwd`, `/tmp/evil.sh`, `../../etc/shadow`, etc.
  - `write_file allows relative paths that resolve inside sandbox home` -- verifies `project/file.txt` resolves to `/root/project/file.txt`
  - `write_file allows tilde paths within sandbox home` -- verifies `~/.automaton/skills/test/SKILL.md` works correctly

Test plan

- `pnpm typecheck` passes
- `pnpm vitest run src/__tests__/tools-security.test.ts` -- 71 tests pass (was 68, added 3 new)
- `pnpm vitest run src/__tests__/path-protection.test.ts` -- 26 tests pass
- `loop.test.ts > discover_agents` (unrelated)
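The following is an added, stand-alone TypeScript illustration of the confinement logic the PR describes (tilde expansion, relative paths anchored at the sandbox home, lexical `../` normalisation via `path.resolve`, rejection of anything that resolves outside `/root`). It is not the project's `tools.ts` code: only the function name `confinePathToSandbox` and the `/root` home come from the PR; `SandboxEscapeError`, `isInsideSandbox` and the sample request list are assumptions constructed for this example.

```typescript
import * as path from "node:path";

// Sandbox home assumed by this example; the PR names /root as the agent's home.
const SANDBOX_HOME = "/root";

// Hypothetical error type, not part of the project.
class SandboxEscapeError extends Error {
  constructor(
    public readonly requested: string,
    public readonly resolved: string,
    home: string,
  ) {
    super(`path ${JSON.stringify(requested)} resolves to ${resolved}, outside ${home}`);
    this.name = "SandboxEscapeError";
  }
}

/**
 * Resolve a tool-supplied path and return it only if it stays inside `home`.
 * POSIX path semantics are used explicitly so the check behaves the same on
 * any host. Resolution is purely lexical (see the note after the block).
 */
function confinePathToSandbox(requested: string, home: string = SANDBOX_HOME): string {
  const p = path.posix;
  let candidate: string;
  if (requested === "~" || requested.startsWith("~/")) {
    // "~" -> home, "~/x" -> home/x. Forms like "~user/x" are not expanded and
    // fall through as relative paths, so they stay under home.
    candidate = p.join(home, requested.slice(1));
  } else if (p.isAbsolute(requested)) {
    candidate = requested;
  } else {
    // Relative paths are anchored at the sandbox home, never at process.cwd().
    candidate = p.join(home, requested);
  }
  // path.resolve collapses "." and ".." lexically: "/root/../etc/x" -> "/etc/x".
  const resolved = p.resolve(candidate);
  const homeNorm = p.resolve(home);
  // Compare with a trailing separator so that "/rootkit/x" is not accepted by a
  // bare startsWith("/root") prefix test.
  const inside = resolved === homeNorm || resolved.startsWith(homeNorm + p.sep);
  if (!inside) {
    throw new SandboxEscapeError(requested, resolved, homeNorm);
  }
  return resolved;
}

// Boolean wrapper for policy checks and tests; only confinement failures are swallowed.
function isInsideSandbox(requested: string, home: string = SANDBOX_HOME): boolean {
  try {
    confinePathToSandbox(requested, home);
    return true;
  } catch (err) {
    if (err instanceof SandboxEscapeError) return false;
    throw err;
  }
}

// Constructed sample requests mirroring the cases the PR's tests cover.
const sampleRequests = [
  "project/file.txt",
  "~/.automaton/skills/test/SKILL.md",
  "/etc/passwd",
  "/tmp/evil.sh",
  "../../etc/shadow",
  "/rootkit/x",
  "/root/../root/notes.md",
];
for (const r of sampleRequests) {
  const verdict = isInsideSandbox(r) ? `allow -> ${confinePathToSandbox(r)}` : "deny";
  console.log(`${r.padEnd(36)} ${verdict}`);
}
```

Because `path.resolve` never touches the filesystem, this check is lexical only: if a symlink under the sandbox home points outside it, the resolved string still starts with `/root` and the write would follow the link. Where the sandbox can contain symlinks, resolve the parent directory with `fs.realpath` before the prefix test, or open the parent directory and write relative to that handle. That is also why the PR keeps `isProtectedFile()` as a second layer rather than relying on confinement alone.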