[security] Add path sandboxing to read_file/write_file tools #892

Closed

sleepy wants to merge 0 commits from fix/file-tool-sandboxing-676 into dev

pull from: fix/file-tool-sandboxing-676

merge into: sleepy:dev

sleepy:main

sleepy:dev

sleepy:fix/effective-mode-undefined

sleepy:fix/async-generator-500

sleepy:refactor/split-small-routes-779

sleepy:refactor/split-session-routes-778

sleepy:refactor/split-llm-core-700

sleepy:refactor/split-chat-routes-724

sleepy:refactor/split-model-routes-701

sleepy:refactor/split-skills-routes-777

sleepy:refactor/split-document-routes-769

sleepy:refactor/split-ai-interaction-722

sleepy:refactor/split-cookbook-routes-775

sleepy:refactor/split-builtin-actions-723

sleepy:refactor/split-task-scheduler-774

sleepy:refactor/tool-execution-split-667

sleepy:fix/rag-health-coordinator-756

sleepy:fix/agent-core-missing-round-loop

sleepy:fix/rag-health-check-756

sleepy:fix/missing-readmes-782

sleepy:fix/search-files-split-772

sleepy:fix/dedup-search-impl-771

sleepy:fix/mcp-integrations-split-781

sleepy:fix/cookbook-helpers-split-785

sleepy:fix/search-cross-feature-776

sleepy:fix/graceful-llm-degradation-770

sleepy:fix/dedup-research-handler-773

sleepy:fix/cross-route-coupling-780

sleepy:fix/skills-typed-request-762

sleepy:fix/chat-stream-pydantic-731

sleepy:fix/chat-handler-imports-737

sleepy:fix/public-llm-exports-730

sleepy:fix/dedup-search-content-784

sleepy:fix/dedup-stream-parse-735

sleepy:fix/stream-error-boundary-734

sleepy:fix/typed-event-names-786

sleepy:fix/dedup-js-utilities-792

sleepy:fix/skills-index-lookup-761

sleepy:fix/xss-charname-innerhtml-788

sleepy:fix/coderunner-document-write-789

sleepy:fix/ai-interaction-thread-safety-729

sleepy:fix/client-side-api-key-regex-793

sleepy:fix/dead-loadingtext-796

sleepy:fix/active-streams-eviction-736

sleepy:fix/builtin-actions-sqlite-orm-732

sleepy:fix/llm-core-thread-safety-709

sleepy:fix/singleton-thread-safety-768

sleepy:fix/video-upload-multimodal-826

sleepy:fix/mic-button-audio-825

sleepy:fix/multimodal-capabilities-827

sleepy:fix/dedup-system-msg-717

sleepy:fix/service-dead-calls-750

sleepy:fix/db-session-context-manager-757

sleepy:fix/dedup-llmconfig-710

sleepy:fix/keyword-lists-764-v2

sleepy:fix/keyword-lists-764

sleepy:fix/llm-cache-ttl-708

sleepy:fix/validate-config-711

sleepy:fix/totp-constant-time-689

sleepy:fix/admin-tools-constant-681

sleepy:fix/dedup-truncate-670

sleepy:fix/threadsafe-extractions-audit-754

sleepy:fix/dedup-json-io-767

sleepy:fix/695-deduplicate-admin-check

sleepy:fix/upload-auth-dedup-765

sleepy:fix/705-deduplicate-network-constants

sleepy:fix/deduplicate-chunking-749

sleepy:fix/760-deduplicate-embed

sleepy:fix/dedup-validation-759

sleepy:fix/748-deduplicate-tokenization

sleepy:fix/add-readmes-728-742-782

sleepy:fix/key-file-permissions-706

sleepy:fix/embedding-retry-766

sleepy:fix/deterministic-doc-ids-753

sleepy:fix/search-facade-783

sleepy:fix/remove-dead-memory-746

sleepy:fix/remove-rag-manager-747

sleepy:fix/dead-docstring-763

sleepy:refactor/split-tool-schemas-666

sleepy:refactor/split-agent-loop-664

sleepy:refactor/split-tool-implementations-665

sleepy:fix/mark-stopped-500-663

sleepy:fix/streamingtts-scope-662

sleepy:fix/code-block-tool-parsing-661

Conversation 0 Commits - Files changed -

sleepy commented 2026-06-04 02:14:50 +02:00

Owner

Copy link

No description provided.

sleepy added 1 commit 2026-06-04 02:14:50 +02:00

[security] Add path sandboxing to read_file/write_file tools (#676) ... c38960276d

- Add validate_file_path() to src/tool_security.py
- Resolve paths to absolute (collapses .., follows symlinks)
- Block sensitive system dirs: /etc, /root, /proc, /sys, /dev
- Require resolved path within TOOL_SANDBOX_DIRS (defaults to cwd)
- TOOL_SANDBOX_DISABLE=1 bypasses checks for dev/test
- Wire validation into read_file and write_file in tool_execution.py
- 23 new tests covering blocked paths, traversal, sandbox config

sleepy referenced this pull request 2026-06-04 02:17:08 +02:00

[security] read_file/write_file tools have no path sandboxing or validation #676

sleepy closed this pull request 2026-06-04 02:17:12 +02:00

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

area:chat

  

area:core

  

area:llm

  

area:routes

  

area:tools

  

bug

Something isn't working

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

question

Further information is requested

  

refactor

  

wontfix

This will not be worked on

No labels

area:chat

area:core

area:llm

area:routes

area:tools

bug

documentation

duplicate

enhancement

good first issue

help wanted

invalid

question

refactor

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

sleepy/odysseus!892

No description provided.