wanwu/deer-flow
1
0
Fork 0
mirror of https://gitee.com/wanwujie/deer-flow synced 2026-04-03 14:22:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
253fe4d87fb8128c5e5633c3a7ee81f99fb32b71
deer-flow/backend/src
History
Willem Jiang 253fe4d87f feat(sandbox): harden local file access and mask host paths (#983) 
* feat(sandbox): harden local file access and mask host paths

- enforce local sandbox file tools to only accept /mnt/user-data paths
- add path traversal checks against thread workspace/uploads/outputs roots
- preserve requested virtual paths in tool error messages (no host path leaks)
- mask local absolute paths in bash output back to virtual sandbox paths
- update bash tool guidance to prefer thread-local venv + python -m pip
- add regression tests for path mapping, masking, and access restrictions

Fixes #968

* feat(sandbox): restrict risky absolute paths in local bash commands

- validate absolute path usage in local-mode bash commands
- allow only /mnt/user-data virtual paths for user data access
- keep a small allowlist for system executable/device paths
- return clear permission errors for unsafe command paths
- add regression tests for bash path validation rules

* test(sandbox): add success path test for resolve_local_tool_path (#992)

* Initial plan

* test(sandbox): add success path test for resolve_local_tool_path

Co-authored-by: WillemJiang <219644+WillemJiang@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: WillemJiang <219644+WillemJiang@users.noreply.github.com>

* fix(sandbox): reject bare virtual root early with clear error in resolve_local_tool_path (#991)

* Initial plan

* fix(sandbox): reject bare virtual root early with clear error in resolve_local_tool_path

Co-authored-by: WillemJiang <219644+WillemJiang@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: WillemJiang <219644+WillemJiang@users.noreply.github.com>
Co-authored-by: Willem Jiang <willem.jiang@gmail.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
2026-03-13 22:38:32 +08:00
..
agents
fix(memory): inject stored facts into system prompt memory context (#1083)
2026-03-13 14:37:40 +08:00
channels
feat(channels): upload file attachments via IM channels (Slack, Telegram, Feishu) (#1040)
2026-03-10 09:11:57 +08:00
community
chore(docker): Refactor sandbox state management and improve Docker integration (#1068)
2026-03-11 10:03:01 +08:00
config
fix(tracing): support LANGCHAIN_* env fallback for LangSmith config (#1065)
2026-03-11 10:26:56 +08:00
gateway
fix(gateway): ignore archive metadata wrappers (#1108)
2026-03-13 21:27:54 +08:00
mcp
feat(mcp): add OAuth support for HTTP/SSE MCP servers (#908)
2026-03-01 22:38:58 +08:00
models
feat(middleware): introduce TodoMiddleware for context-loss detection in todo management (#1041)
2026-03-10 11:24:53 +08:00
reflection
feat: add IM channels for Feishu, Slack, and Telegram (#1010)
2026-03-08 15:21:18 +08:00
sandbox
feat(sandbox): harden local file access and mask host paths (#983)
2026-03-13 22:38:32 +08:00
skills
feat(skills): support recursive nested skill loading (#950)
2026-03-02 21:02:03 +08:00
subagents
fix(middleware): degrade tool-call exceptions to error tool messages (#1110)
2026-03-13 09:41:59 +08:00
tools
fix(subagents): cleanup background tasks after completion to prevent memory leak (#1030)
2026-03-10 07:41:48 +08:00
utils
chore(docker): Refactor sandbox state management and improve Docker integration (#1068)
2026-03-11 10:03:01 +08:00
__init__.py
chore: add an empty __init__.py
2026-01-14 07:16:27 +08:00
client.py
fix(client): Harden upload validation and conversion flow (#989)
2026-03-11 15:17:31 +08:00