
Harden sandbox bundle upload paths #1428

Open
resolvicomai wants to merge 1 commit into PrimeIntellect-ai:main from resolvicomai:codex/safe-sandbox-bundle-upload

Conversation


@resolvicomai resolvicomai commented May 21, 2026

Description

Validate sandbox bundle member paths before building the tar archive and quote remote extraction paths before passing them through the sandbox shell command. This prevents traversal entries from reaching the uploaded archive and keeps destination/archive paths with shell metacharacters literal.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Test improvement

Testing

  • All existing tests pass when running uv run pytest locally.
  • New tests have been added to cover the changes

Focused checks run:

  • uv run pytest -q tests/test_sandbox_mixin.py
  • uv run ruff check verifiers/envs/experimental/sandbox_mixin.py tests/test_sandbox_mixin.py
  • python3 -m py_compile verifiers/envs/experimental/sandbox_mixin.py tests/test_sandbox_mixin.py
  • git diff --check
  • UV_FROZEN=1 git commit ... pre-commit hooks: ruff check, ruff format, Semgrep v1 policy, generated AGENTS/CLAUDE check
  • UV_FROZEN=1 git push ... pre-push hooks: ruff check, ruff format, Semgrep v1 policy, generated AGENTS/CLAUDE check, ty

Checklist

  • My code follows the style guidelines of this project as outlined in AGENTS.md
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

Additional Notes

No docs update needed; this only hardens existing sandbox bundle upload behavior.


Note

Medium Risk
Touches sandbox file upload/extraction by adding path validation and stronger shell quoting; low surface-area change but could break callers relying on previously-accepted paths or unusual destination strings.

Overview
Hardens SandboxMixin.upload_bundle by validating tar member paths to reject absolute paths, .. traversal, and empty/. entries before building the archive.

Improves remote extraction safety by quoting dest_dir and archive paths via shlex.quote and embedding the Python extract snippet as a single quoted script, preventing spaces/metacharacters from being interpreted by the sandbox shell.

Adds tests ensuring traversal paths are rejected (with no upload/exec attempted) and that remote commands correctly quote destinations containing spaces.

Reviewed by Cursor Bugbot for commit 7607805.

Note

Harden SandboxMixin.upload_bundle against path traversal and unquoted shell paths

  • Adds a _bundle_member_name helper in sandbox_mixin.py that validates bundle member names, raising ValueError for absolute paths, .. segments, or empty/. paths, and returns a normalized POSIX path.
  • upload_bundle now validates all file_map keys via _bundle_member_name before any upload or remote command is executed.
  • Remote shell commands for mkdir, extraction, and rm now use shlex.quote to correctly handle dest_dir and archive paths containing spaces or special characters.
  • Behavioral Change: upload_bundle now raises ValueError on unsafe bundle keys instead of silently proceeding.

Macroscope summarized 7607805.
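A hypothetical reimplementation of the two mitigations described in this PR (member-name validation before the tar is built, and shlex-quoted remote extraction commands), added here as an illustration and not code from the verifiers project; the function names, the in-memory tar builder and the extract script are assumptions:

```python
import io
import posixpath
import shlex
import tarfile


def bundle_member_name(key: str) -> str:
    """Normalized POSIX member name; ValueError for absolute, '..', empty or '.'."""
    name = key.replace("\\", "/")
    if name.startswith("/"):
        raise ValueError(f"absolute bundle member path: {key!r}")
    # Inspect raw segments so "a/../../b" is rejected rather than collapsed
    segments = [s for s in name.split("/") if s not in ("", ".")]
    if not segments:
        raise ValueError(f"empty or '.' bundle member path: {key!r}")
    if ".." in segments:
        raise ValueError(f"traversal segment in bundle member path: {key!r}")
    return posixpath.join(*segments)

def is_safe_member(key: str) -> bool:
    try:
        bundle_member_name(key)
    except ValueError:
        return False
    return True

def build_bundle(file_map: dict[str, bytes]) -> bytes:
    """Validate every key before any archive bytes are produced (fail closed)."""
    members = {bundle_member_name(k): v for k, v in file_map.items()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def bundle_names(bundle: bytes) -> list[str]:
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        return sorted(tar.getnames())

def extract_command(dest_dir: str, archive_path: str) -> str:
    """Remote shell command with the script and every path shlex-quoted."""
    script = "import sys, tarfile; tarfile.open(sys.argv[1]).extractall(sys.argv[2])"
    q = shlex.quote
    return (
        f"mkdir -p {q(dest_dir)} && "
        f"python3 -c {q(script)} {q(archive_path)} {q(dest_dir)} && "
        f"rm -f {q(archive_path)}"
    )
```

Because every key is validated before the archive is produced, a single bad entry means nothing is uploaded and no remote command runs, which is the behaviour the PR's tests check.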
