🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

1. 🟡 Path traversal & arbitrary local file attachment via LLM MEDIA: directives

Description

The reply pipeline parses MEDIA: directives out of model-generated text and then normalizes them into filesystem paths. In non-sandbox mode, the new media path normalizer resolves these paths relative to the run workspace without enforcing workspace containment, so ../ traversal (or absolute paths) can escape the workspace.

Impact:

• Untrusted model output can cause the system to attempt to attach/read arbitrary local files (within any permitted localRoots), leading to information disclosure.
• If workspaceDir is under a shared allowed root (e.g. a shared temp dir), MEDIA:../<other-session>/... can traverse into other sessions’ workspaces.

Why this is reachable:

• normalizeReplyPayloadDirectives({ parseMode: "always" }) turns text containing MEDIA: into payload.mediaUrl/mediaUrls.
• splitMediaFromOutput (used by parseReplyDirectives) accepts traversal patterns like ../ (see existing tests: MEDIA:../../etc/passwd).
• createReplyMediaPathNormalizer then resolves likely-local media using resolvePathFromInput(media, workspaceDir) with no boundary check.

Vulnerable code:

if (!isLikelyLocalMediaSource(media)) {
  return media;
}
if (FILE_URL_RE.test(media)) {
  return media;
}
return resolvePathFromInput(media, params.workspaceDir);

This allows inputs like MEDIA:../workspace-other/secret.png (or MEDIA:/path/to/secret) to normalize to a host path outside the intended workspace boundary.

Recommendation

Treat MEDIA: directives from LLM output as untrusted and enforce workspace/sandbox containment.

In non-sandbox mode, restrict local media references to paths that remain under workspaceDir (reject absolute paths outside it and reject .. traversal):

import path from "node:path";
import { toRelativeWorkspacePath } from "../../agents/path-policy.js";

​// ...
const normalizeLocalWorkspaceMedia = (media: string) => {
  ​// Throws if it escapes workspaceDir.
  const rel = toRelativeWorkspacePath(params.workspaceDir, media, { cwd: params.workspaceDir });
  ​// Allow root files if desired by setting allowRoot: true above.
  return path.resolve(params.workspaceDir, rel);
};

​// In normalizeMediaSource (host mode):
if (isLikelyLocalMediaSource(media)) {
  return normalizeLocalWorkspaceMedia(media);
}

Additionally:

• Consider disallowing ~, Windows drive paths, and UNC paths in replies unless explicitly required.
• Consider allowing only https?:// URLs plus workspace-relative paths for model-originated directives (and require explicit tool output for anything else).
• If file:// is supported, convert via fileURLToPath and apply the same workspace containment checks.

Analyzed PR: #38572 at commit 2dbc27c

_{Last updated on: 2026-03-07T06:23:18Z}

Greptile Summary

This PR fixes a bug where assistant replies containing local MEDIA: paths (workspace-relative or container-local file:///workspace/... URIs) could be delivered to Telegram as raw unresolved strings, causing media sends to fail and falling back to a "No response generated" message. The fix adds a new createReplyMediaPathNormalizer utility that resolves these paths against the agent's workspaceDir or the sandbox workspace root, and wires it into both the block-streaming delivery path (reply-delivery.ts) and final payload assembly (agent-runner-payloads.ts).

Key changes:

• New reply-media-paths.ts module encapsulates path-normalization logic: HTTP URLs pass through unchanged, file:///workspace/... container paths are remapped to the host sandbox root via the existing resolveSandboxedMediaSource utility, and bare relative paths are resolved against workspaceDir.
• buildReplyPayloads is made async to accommodate the async path-normalization hook; all callers updated accordingly.
• Tests are added at the unit level (reply-media-paths.test.ts), at the wiring level (agent-runner.media-paths.test.ts), and existing block-streaming and payload tests updated to reflect the new normalized path expectations.

Known issue: In reply-media-paths.ts the sandboxRootPromise caches a rejected promise permanently within one normalizer instance — a transient failure from ensureSandboxWorkspaceForSession will cause all subsequent media in that request to fail normalization instead of falling back to workspace-relative resolution. Adding a .catch() that resets the cached promise and returns undefined would make the fallback robust.

Confidence Score: 3/5

• The core bug fix is correct and well-tested, but a transient sandbox-lookup failure can degrade media delivery for the affected request.
• The PR's core fix for normalizing media paths is sound and covered by comprehensive tests across unit, integration, and block-streaming layers. However, the sandboxRootPromise caching implementation has a reliability issue: a transient error in ensureSandboxWorkspaceForSession will cause all media normalization for that request to fail instead of gracefully falling back to workspace-relative resolution. This is not a correctness failure under normal operation, but it is a notable edge case that could impact production reliability when transient sandbox-lookup failures occur.
• src/auto-reply/reply/reply-media-paths.ts — the resolveSandboxRoot closure caches rejected promises; consider adding a .catch() reset before merging if sandbox lookup failures are considered a realistic production scenario.

_{Last reviewed commit: c254896}

Follow-up for review:

• contained async onBlockReply rejections in both fire-and-forget subscribe paths, so malformed streamed media directives no longer surface as unhandled rejections
• normalized sent-media dedupe keys before final payload filtering, so message.send of ./out/... still dedupes against the assistant reply after reply-media normalization

Verified with targeted regressions plus pnpm check.

Landed via temp rebase onto main.

• Gate: pnpm test -- src/agents/pi-embedded-subscribe.block-reply-rejections.test.ts src/auto-reply/reply/agent-runner-payloads.test.ts src/auto-reply/reply/reply-media-paths.test.ts src/auto-reply/reply/agent-runner.media-paths.test.ts src/auto-reply/reply.block-streaming.test.ts
• Land commit: 2dbc27c
• Merge commit: e802840