feat(security/tools): P0-2 实现 Workspace Sandbox(含 symlink / traversal 防护)#116
Conversation
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
|
/review |
| } | ||
|
|
||
| return nil | ||
| } |
There was a problem hiding this comment.
CRITICAL SECURITY: TOCTOU Race Condition Vulnerability
This function has a Time-of-Check-Time-of-Use (TOCTOU) vulnerability. The validation happens here, but the actual file operation occurs later in the tool executor. An attacker can:
- Pass validation with a safe symlink pointing inside workspace
- Between validation and file access, atomically replace the symlink to point outside workspace
- Tool executor accesses the malicious path (sandbox bypassed)
Attack scenario:
# During validation: workspace/link -> workspace/safe.txt (PASSES)
# Attacker replaces: workspace/link -> /etc/passwd
# Tool reads workspace/link (BYPASSED)Recommendations:
- Open file descriptor during validation and pass to executor (requires executor refactor)
- Use O_NOFOLLOW flag on Linux or FILE_FLAG_OPEN_REPARSE_POINT on Windows
- At minimum, document this limitation and consider adding re-validation in critical paths
- Add mutex/locking around validation + execution for high-security scenarios
Impact: Complete sandbox bypass, arbitrary file read/write outside workspace.
There was a problem hiding this comment.
这不是 workspace sandbox 这一层单独能解决的,得进执行器层,走 descriptor/no-follow/原子访问
我会留到后面修改
Comprehensive Code Review SummaryConducted in-depth review across code quality, performance, security, and documentation. The implementation is well-structured with solid test coverage, but critical security vulnerabilities require attention before merge. 🚨 Critical Issues (Block Merge)
⚡ Performance Concerns
📝 Code Quality
Recommendation: Address security issues before merging. See inline comments for details. |
背景
承接 #98 和 #106,本次实现 Workspace Sandbox 的第一版真实能力。
目标是在不破坏主链路的前提下,把工具路径边界从 noop 升级为可执行、可测试的安全检查。
执行链保持为:
Runtime -> ToolManager -> PermissionEngine -> WorkspaceSandbox -> Executor本次改动
1. 新增真实 Workspace Sandbox
internal/security/workspace.go..)webfetch)2. 扩展 Action Payload 以支持 sandbox 判定
internal/security/types.goSandboxTargetType、SandboxTarget字段3. 更新工具 action 映射
internal/tools/permission_mapper.gofilesystem_read_filefilesystem_write_filefilesystem_editfilesystem_grepfilesystem_globbash(读取 arguments 中的workdir)4. 接入执行链与错误元数据
internal/tools/manager.goworkspace sandbox rejected action5. 装配层启用真实 sandbox
internal/app/bootstrap.gobuildToolManager不再使用 noop sandbox,改为security.NewWorkspaceSandbox()测试
1. 新增
internal/security/workspace_test.gotable-driven 覆盖:
2. 更新
internal/tools/manager_test.go3. 更新
internal/app/bootstrap_test.go兼容性与风险
验证
已本地通过:
go test ./...Refs