fix: block broken-symlink sandbox path escapes

2026-05-04 09:40:21 +00:00 · 2026-02-26 13:19:48 +01:00
parent 8b5ebff67b
commit 4fd29a35bb
2 changed files with 112 additions and 0 deletions
--- a/src/agents/apply-patch.test.ts
+++ b/src/agents/apply-patch.test.ts
@@ -13,6 +13,15 @@ async function withTempDir<T>(fn: (dir: string) => Promise<T>) {
  }
 }

+async function withWorkspaceTempDir<T>(fn: (dir: string) => Promise<T>) {
+  const dir = await fs.mkdtemp(path.join(process.cwd(), "openclaw-patch-workspace-"));
+  try {
+    return await fn(dir);
+  } finally {
+    await fs.rm(dir, { recursive: true, force: true });
+  }
+}
+
 function buildAddFilePatch(targetPath: string): string {
  return `*** Begin Patch
 *** Add File: ${targetPath}
@@ -159,6 +168,33 @@ describe("applyPatch", () => {
    });
  });

+  it("rejects broken final symlink targets outside cwd by default", async () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    await withWorkspaceTempDir(async (dir) => {
+      const outsideDir = path.join(path.dirname(dir), `outside-broken-link-${Date.now()}`);
+      const outsideFile = path.join(outsideDir, "owned.txt");
+      const linkPath = path.join(dir, "jump");
+      await fs.mkdir(outsideDir, { recursive: true });
+      await fs.symlink(outsideFile, linkPath);
+
+      const patch = `*** Begin Patch
+*** Add File: jump
+pwned
+*** End Patch`;
+
+      try {
+        await expect(applyPatch(patch, { cwd: dir })).rejects.toThrow(
+          /Symlink escapes sandbox root/,
+        );
+        await expect(fs.readFile(outsideFile, "utf8")).rejects.toBeDefined();
+      } finally {
+        await fs.rm(outsideDir, { recursive: true, force: true });
+      }
+    });
+  });
+
  it("rejects hardlink alias escapes by default", async () => {
    if (process.platform === "win32") {
      return;