Prevent Host tmpfs Mount Path Traversal via Container Name Validation (Fixed #21)

[yulmwu]

This change fixes a vulnerability where container names were used directly in host-side tmpfs mount paths without validation, allowing host path traversal through crafted sandbox creation requests.

See the following issue for details:

• Unvalidated Container Name Allows Host-Side Tmpfs Mount Path Traversal in sandboxd-o #21

To address this, validation has been added to enforce the following constraints:

• Must match ^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$
• Reject /
• Reject \
• Reject ..
• Reject leading and trailing whitespace

These validations are applied in both sbxlet and sbxorch.

For more details, please refer to the changes included in this PR.

Contributors

• Kang Hee chan (Yeonba0918) - Unvalidated Container Name Allows Host-Side Tmpfs Mount Path Traversal in sandboxd-o #21 (Vulnerability Reporter)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

[yulmwu]

Based on the review, there are no notable issues to point out. 👍