fix: detect tilde paths in restrictToWorkspace shell guard
_extract_absolute_paths() only matched paths starting with / or drive letters, missing ~ paths that expand to the home directory. This allowed agents to bypass restrictToWorkspace by using commands like cat ~/.nanobot/config.json to access files outside the workspace. Add tilde path extraction regex and use expanduser() before resolving. Also switch from manual parent-chain check to is_relative_to() for more robust path containment validation. Fixes #1817
@@ -143,10 +143,10 @@ class ExecTool(Tool):
|
|||||||
|
|
||||||
for raw in self._extract_absolute_paths(cmd):
|
for raw in self._extract_absolute_paths(cmd):
|
||||||
try:
|
try:
|
||||||
p = Path(raw.strip()).resolve()
|
p = Path(raw.strip()).expanduser().resolve()
|
||||||
except Exception:
|
except Exception:
|
||||||
continue
|
continue
|
||||||
if p.is_absolute() and cwd_path not in p.parents and p != cwd_path:
|
if not p.is_relative_to(cwd_path):
|
||||||
return "Error: Command blocked by safety guard (path outside working dir)"
|
return "Error: Command blocked by safety guard (path outside working dir)"
|
||||||
|
|
||||||
return None
|
return None
|
||||||
@@ -155,4 +155,5 @@ class ExecTool(Tool):
|
|||||||
def _extract_absolute_paths(command: str) -> list[str]:
|
def _extract_absolute_paths(command: str) -> list[str]:
|
||||||
win_paths = re.findall(r"[A-Za-z]:\\[^\s\"'|><;]+", command) # Windows: C:\...
|
win_paths = re.findall(r"[A-Za-z]:\\[^\s\"'|><;]+", command) # Windows: C:\...
|
||||||
posix_paths = re.findall(r"(?:^|[\s|>])(/[^\s\"'>]+)", command) # POSIX: /absolute only
|
posix_paths = re.findall(r"(?:^|[\s|>])(/[^\s\"'>]+)", command) # POSIX: /absolute only
|
||||||
return win_paths + posix_paths
|
tilde_paths = re.findall(r"(?:^|[\s|>])(~[^\s\"'>]*)", command) # Tilde: ~/...
|
||||||
|
return win_paths + posix_paths + tilde_paths
|
||||||
|
|||||||
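Review bot: The new tilde pattern in `_extract_absolute_paths` reuses the prefix class `[\s|>]`, so a `~` word that directly follows another shell word boundary (`;`, `&`, `(` or `<`, with no space) is never extracted and never reaches the containment check; the POSIX pattern above it has the same limit. Widening the class, e.g. `r"(?:^|[\s|><;&(])(~[^\s\"'>]*)"`, covers that case, but paths built from shell variables such as `$HOME` still pass through unmatched, so the guard should be documented as best-effort rather than as a sandbox boundary. In the first hunk, `except Exception: continue` fails open: a candidate that `expanduser()` or `resolve()` cannot handle is skipped instead of blocked, and returning the block message there would be the safer default. The guard method starts outside the hunk, so whether `cwd_path` is itself resolved before `is_relative_to()` (which needs Python 3.9+) cannot be confirmed from here.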