feat(sandbox): harden local file access and mask host paths

- enforce local sandbox file tools to only accept /mnt/user-data paths - add path traversal checks against thread workspace/uploads/outputs roots - preserve requested virtual paths in tool error messages (no host path leaks) - mask local absolute paths in bash output back to virtual sandbox paths - update bash tool guidance to prefer thread-local venv + python -m pip - add regression tests for path mapping, masking, and access restrictions Fixes #968
2026-04-19 20:34:45 +08:00 · 2026-03-05 22:07:45 +08:00
parent 0c7c96d75e
commit 34e3f5c9d4
2 changed files with 188 additions and 40 deletions
--- a/backend/tests/test_sandbox_tools_security.py
+++ b/backend/tests/test_sandbox_tools_security.py
@@ -0,0 +1,58 @@
+from pathlib import Path
+
+import pytest
+
+from src.sandbox.tools import (
+    VIRTUAL_PATH_PREFIX,
+    mask_local_paths_in_output,
+    replace_virtual_path,
+    resolve_local_tool_path,
+)
+
+
+def test_replace_virtual_path_maps_virtual_root_and_subpaths() -> None:
+    thread_data = {
+        "workspace_path": "/tmp/deer-flow/threads/t1/user-data/workspace",
+        "uploads_path": "/tmp/deer-flow/threads/t1/user-data/uploads",
+        "outputs_path": "/tmp/deer-flow/threads/t1/user-data/outputs",
+    }
+
+    assert replace_virtual_path("/mnt/user-data/workspace/a.txt", thread_data) == "/tmp/deer-flow/threads/t1/user-data/workspace/a.txt"
+    assert replace_virtual_path("/mnt/user-data", thread_data) == "/tmp/deer-flow/threads/t1/user-data"
+
+
+def test_mask_local_paths_in_output_hides_host_paths() -> None:
+    thread_data = {
+        "workspace_path": "/tmp/deer-flow/threads/t1/user-data/workspace",
+        "uploads_path": "/tmp/deer-flow/threads/t1/user-data/uploads",
+        "outputs_path": "/tmp/deer-flow/threads/t1/user-data/outputs",
+    }
+
+    output = "Created: /tmp/deer-flow/threads/t1/user-data/workspace/result.txt"
+    masked = mask_local_paths_in_output(output, thread_data)
+
+    assert "/tmp/deer-flow/threads/t1/user-data" not in masked
+    assert "/mnt/user-data/workspace/result.txt" in masked
+
+
+def test_resolve_local_tool_path_rejects_non_virtual_path() -> None:
+    thread_data = {
+        "workspace_path": "/tmp/deer-flow/threads/t1/user-data/workspace",
+        "uploads_path": "/tmp/deer-flow/threads/t1/user-data/uploads",
+        "outputs_path": "/tmp/deer-flow/threads/t1/user-data/outputs",
+    }
+
+    with pytest.raises(PermissionError, match="Only paths under"):
+        resolve_local_tool_path("/Users/someone/config.yaml", thread_data)
+
+
+def test_resolve_local_tool_path_rejects_path_traversal() -> None:
+    base = Path("/tmp/deer-flow/threads/t1/user-data")
+    thread_data = {
+        "workspace_path": str(base / "workspace"),
+        "uploads_path": str(base / "uploads"),
+        "outputs_path": str(base / "outputs"),
+    }
+
+    with pytest.raises(PermissionError, match="path traversal"):
+        resolve_local_tool_path(f"{VIRTUAL_PATH_PREFIX}/workspace/../../../../etc/passwd", thread_data)