Skip to content

fix: validate tool access against Docker bind mounts#19055

Closed
StressTestor wants to merge 4 commits intoopenclaw:mainfrom
StressTestor:fix/16379-sandbox-bound-folder-check
Closed

fix: validate tool access against Docker bind mounts#19055
StressTestor wants to merge 4 commits intoopenclaw:mainfrom
StressTestor:fix/16379-sandbox-bound-folder-check

Conversation

@StressTestor
Copy link
Copy Markdown

@StressTestor StressTestor commented Feb 17, 2026
edited by greptile-apps bot
Loading

Summary

  • wrapToolWorkspaceRootGuard only checked the primary workspace root, blocking legitimate access to Docker bind-mounted directories
  • Added additionalRoots option that accepts parsed bind mount host paths and validates them with assertSandboxPath (including symlink escape detection)
  • Updated all call sites in pi-tools.ts to pass bind mount roots from sandbox config

Fixes #16379

Test plan

  • Paths within bind mounts are allowed
  • Paths outside all roots are still blocked
  • Primary workspace paths still work
  • Host-side bind mount path resolution test
  • Symlink escape detection applies to additional roots (uses assertSandboxPath)
  • Full test suite passes (pnpm test:fast, pnpm check)

Greptile Summary

Extended wrapToolWorkspaceRootGuard to accept bind mount host paths via additionalRoots option, allowing workspace-only tools to access Docker bind-mounted directories.

Key changes:

  • Added additionalRoots parameter to wrapToolWorkspaceRootGuard to validate paths against multiple allowed roots
  • Extracted bind mount host roots in pi-tools.ts using parseSandboxBindMount
  • Added comprehensive test coverage for multiple root validation scenarios
  • Added regression test for host-side bind mount path resolution

Critical issue found:

  • Line 328 in pi-tools.read.ts uses resolveSandboxPath instead of assertSandboxPath, which skips symlink escape detection for bind mount paths. This creates a security vulnerability where symlinks in bind mounts could escape the sandbox.

Confidence Score: 2/5

  • This PR introduces a security vulnerability that bypasses symlink escape detection for bind mount paths
  • The logic error at line 328 uses resolveSandboxPath instead of assertSandboxPath, which means bind mount paths skip symlink escape validation. This directly contradicts the PR's test plan claim that "symlink escape detection applies to additional roots". While the primary workspace root is protected, bind mount roots are vulnerable to symlink escape attacks.
  • Pay close attention to src/agents/pi-tools.read.ts line 328 - the symlink escape vulnerability must be fixed

Last reviewed commit: e6e1822

@openclaw-barnacle openclaw-barnacle bot added agents Agent runtime and tooling size: S labels Feb 17, 2026
greptile-apps[bot]
greptile-apps bot reviewed Feb 17, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

4 files reviewed, 1 comment

Edit Code Review Agent Settings | Greptile

src/agents/pi-tools.read.ts Outdated
if (opts?.additionalRoots?.length) {
const isAllowed = opts.additionalRoots.some((allowedRoot) => {
try {
resolveSandboxPath({ filePath, cwd: root, root: allowedRoot });
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot Feb 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

resolveSandboxPath doesn't check for symlink escapes (only assertSandboxPath does). This means bind mount paths aren't protected against symlink escape attacks.

Suggested change
resolveSandboxPath({ filePath, cwd: root, root: allowedRoot });
await assertSandboxPath({ filePath, cwd: root, root: allowedRoot });
Prompt To Fix With AI 
This is a comment left during a code review.
Path: src/agents/pi-tools.read.ts
Line: 328:328

Comment:
`resolveSandboxPath` doesn't check for symlink escapes (only `assertSandboxPath` does). This means bind mount paths aren't protected against symlink escape attacks.

```suggestion
                await assertSandboxPath({ filePath, cwd: root, root: allowedRoot });
```

How can I resolve this? If you propose a fix, please make it concise.

allow workspace-only tools to access Docker bind mounts (#16379)
6b2c97b 
wrapToolWorkspaceRootGuard was only checking paths against the primary
workspace root, rejecting valid bind-mounted directories even when the
operator explicitly configured them in docker.binds.

Now the guard accepts an additionalRoots option populated from parsed
bind mount host paths. Paths outside the workspace but inside a bind
mount are allowed through.
@StressTestor StressTestor force-pushed the fix/16379-sandbox-bound-folder-check branch from e6e1822 to 6b2c97b Compare February 17, 2026 09:00
@StressTestor StressTestor mentioned this pull request Feb 18, 2026
Closed
@sebslight
Copy link
Copy Markdown
Member

sebslight commented Feb 20, 2026

Closing as duplicate of #16509. If this is incorrect, please contact us.

@sebslight sebslight closed this Feb 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

agents Agent runtime and tooling size: S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: Sandbox tool permissions do not check bound folders

2 participants

@StressTestor @sebslight