security(message-tool): validate filePath/path against sandbox root#6398
Merged
steipete merged 2 commits intoopenclaw:mainfrom Feb 1, 2026
Merged
Conversation
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Comment on lines
+367
to
+374
| // Validate file paths against sandbox root to prevent host file access. | ||
| const sandboxRoot = options?.sandboxRoot; | ||
| if (sandboxRoot) { | ||
| for (const key of ["filePath", "path"] as const) { | ||
| const raw = readStringParam(params, key, { trim: false }); | ||
| if (raw) { | ||
| await assertSandboxPath({ filePath: raw, cwd: sandboxRoot, root: sandboxRoot }); | ||
| } |
Contributor
There was a problem hiding this comment.
[P0] sandboxRoot is used without trimming/normalizing, unlike image-tool.ts, so a value like ' ' will enable the sandbox branch but effectively set cwd/root to a non-sandbox path (e.g. current working directory), which can cause false rejections or unintended behavior depending on how assertSandboxPath resolves. Consider const sandboxRoot = options?.sandboxRoot?.trim(); and only validating when it's non-empty.
Prompt To Fix With AI
This is a comment left during a code review.
Path: src/agents/tools/message-tool.ts
Line: 367:374
Comment:
[P0] `sandboxRoot` is used without trimming/normalizing, unlike `image-tool.ts`, so a value like `' '` will enable the sandbox branch but effectively set `cwd/root` to a non-sandbox path (e.g. current working directory), which can cause false rejections or unintended behavior depending on how `assertSandboxPath` resolves. Consider `const sandboxRoot = options?.sandboxRoot?.trim();` and only validating when it's non-empty.
How can I resolve this? If you propose a fix, please make it concise.
Comment on lines
+367
to
+375
| // Validate file paths against sandbox root to prevent host file access. | ||
| const sandboxRoot = options?.sandboxRoot; | ||
| if (sandboxRoot) { | ||
| for (const key of ["filePath", "path"] as const) { | ||
| const raw = readStringParam(params, key, { trim: false }); | ||
| if (raw) { | ||
| await assertSandboxPath({ filePath: raw, cwd: sandboxRoot, root: sandboxRoot }); | ||
| } | ||
| } |
Contributor
There was a problem hiding this comment.
[P1] Validating both filePath and path unconditionally for all actions may break non-file uses of path (e.g. channels/actions that interpret path as something other than a local filesystem path). If path is only meant for attachments on send, it’s safer to scope this validation to action === "send" (and/or only when media/attachments are being used).
Prompt To Fix With AI
This is a comment left during a code review.
Path: src/agents/tools/message-tool.ts
Line: 367:375
Comment:
[P1] Validating both `filePath` and `path` unconditionally for all actions may break non-file uses of `path` (e.g. channels/actions that interpret `path` as something other than a local filesystem path). If `path` is only meant for attachments on `send`, it’s safer to scope this validation to `action === "send"` (and/or only when `media`/attachments are being used).
How can I resolve this? If you propose a fix, please make it concise.
Comment on lines
+211
to
+237
| it("allows filePath inside sandbox root", async () => { | ||
| mocks.runMessageAction.mockClear(); | ||
| mocks.runMessageAction.mockResolvedValue({ | ||
| kind: "send", | ||
| action: "send", | ||
| channel: "telegram", | ||
| to: "telegram:123", | ||
| handledBy: "plugin", | ||
| payload: {}, | ||
| dryRun: true, | ||
| } satisfies MessageActionRunResult); | ||
|
|
||
| const sandboxDir = await fs.mkdtemp(path.join(os.tmpdir(), "msg-sandbox-")); | ||
| try { | ||
| const tool = createMessageTool({ | ||
| config: {} as never, | ||
| sandboxRoot: sandboxDir, | ||
| }); | ||
|
|
||
| await tool.execute("1", { | ||
| action: "send", | ||
| target: "telegram:123", | ||
| filePath: "./data/file.txt", | ||
| message: "", | ||
| }); | ||
|
|
||
| expect(mocks.runMessageAction).toHaveBeenCalledTimes(1); |
Contributor
There was a problem hiding this comment.
[P2] allows filePath inside sandbox root only asserts that runMessageAction was called, but doesn’t verify the validated path behavior. This can pass even if the validation is accidentally skipped. Consider asserting the call still receives the original relative filePath and (optionally) that an escaping filePath rejects in the same test suite.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
Prompt To Fix With AI
This is a comment left during a code review.
Path: src/agents/tools/message-tool.test.ts
Line: 211:237
Comment:
[P2] `allows filePath inside sandbox root` only asserts that `runMessageAction` was called, but doesn’t verify the validated path behavior. This can pass even if the validation is accidentally skipped. Consider asserting the call still receives the original relative `filePath` and (optionally) that an escaping `filePath` rejects in the same test suite.
<sub>Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!</sub>
How can I resolve this? If you propose a fix, please make it concise.
steipete
added a commit
that referenced
this pull request
Feb 1, 2026
Contributor
|
Landed via temp rebase onto main (squash merge).
Thanks @leszekszpunar! |
bennewton999
pushed a commit
to bennewton999/openclaw
that referenced
this pull request
Feb 2, 2026
…penclaw#6398) * security(message-tool): validate filePath/path against sandbox root * style: translate Polish comments to English for consistency
buiilding
pushed a commit
to buiilding/openclaw
that referenced
this pull request
Feb 2, 2026
…penclaw#6398) * security(message-tool): validate filePath/path against sandbox root * style: translate Polish comments to English for consistency
claudio-neo
pushed a commit
to claudio-neo/openclaw
that referenced
this pull request
Feb 3, 2026
…penclaw#6398) * security(message-tool): validate filePath/path against sandbox root * style: translate Polish comments to English for consistency
HashWarlock
pushed a commit
to HashWarlock/openclaw
that referenced
this pull request
Feb 4, 2026
…penclaw#6398) * security(message-tool): validate filePath/path against sandbox root * style: translate Polish comments to English for consistency
uxcu
pushed a commit
to uxcu/kook-openclaw
that referenced
this pull request
Feb 5, 2026
…penclaw#6398) * security(message-tool): validate filePath/path against sandbox root * style: translate Polish comments to English for consistency
bestNiu
pushed a commit
to bestNiu/clawdbot
that referenced
this pull request
Feb 5, 2026
…penclaw#6398) * security(message-tool): validate filePath/path against sandbox root * style: translate Polish comments to English for consistency
batao9
pushed a commit
to batao9/openclaw
that referenced
this pull request
Feb 7, 2026
…penclaw#6398) * security(message-tool): validate filePath/path against sandbox root * style: translate Polish comments to English for consistency
6 tasks
hughdidit
pushed a commit
to hughdidit/DAISy-Agency
that referenced
this pull request
Feb 8, 2026
…penclaw#6398) * security(message-tool): validate filePath/path against sandbox root * style: translate Polish comments to English for consistency (cherry picked from commit 9b6fffd) # Conflicts: # src/agents/tools/message-tool.ts
6 tasks
battman21
pushed a commit
to battman21/openclaw
that referenced
this pull request
Feb 12, 2026
…penclaw#6398) * security(message-tool): validate filePath/path against sandbox root * style: translate Polish comments to English for consistency
battman21
pushed a commit
to battman21/openclaw
that referenced
this pull request
Feb 12, 2026
…penclaw#6398) * security(message-tool): validate filePath/path against sandbox root * style: translate Polish comments to English for consistency
This was referenced Feb 14, 2026
jamie-dit
pushed a commit
to jamie-dit/zulip-claw
that referenced
this pull request
Feb 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #3805 (CRITICAL sandbox escape via message tool
filePath/pathparams).The
messagetool accepted arbitrary file paths (filePath,path) without validating them against the sandbox root directory. A sandboxed agent could read or exfiltrate host files (e.g./etc/passwd,~/.ssh/id_rsa) by passing absolute or traversal paths through the message tool's send action.Changes
src/agents/tools/message-tool.ts: AddedsandboxRootoption toMessageToolOptions. When set, bothfilePathandpathparams are validated viaassertSandboxPath()beforerunMessageAction()is called. This mirrors the pattern already used inimage-tool.tsandread/write/edittools.src/agents/openclaw-tools.ts: PasssandboxRootfrom tool creation options tocreateMessageTool().src/agents/tools/message-tool.test.ts: Added 4 tests covering sandbox path validation (reject absolute escape, reject traversal, allow valid relative path, skip validation when no sandbox).Security Impact
Without this fix, any sandboxed agent session could bypass the sandbox boundary via the message tool to access arbitrary host filesystem paths. This is a critical privilege escalation vector.
AI Disclosure
This PR was developed with AI assistance (Claude Code). The code was reviewed, tested, and verified by the author. All tests pass, linting is clean, and the fix follows existing patterns in the codebase (
image-tool.ts,read/writetools).Test Plan
pnpm vitest run src/agents/tools/message-tool.test.ts(8/8 pass)npx oxlint --type-aware --tsconfig tsconfig.oxlint.json(0 errors)npx oxfmt --check(all files formatted)main(unrelatedpi-coding-agenttype issues)Greptile Overview
Greptile Summary
This PR threads a
sandboxRootoption into themessageagent tool and uses the existingassertSandboxPath()helper to validatefilePath/pathparameters before dispatching torunMessageAction(), closing a sandbox escape vector where a sandboxed agent could reference arbitrary host paths.createOpenClawTools()now forwardssandboxRootintocreateMessageTool(), and new Vitest cases exercise absolute-path and traversal rejection, as well as the “no sandboxRoot” passthrough.The approach aligns with other sandbox-aware tools (e.g.
image-tool.tsand the read/write/edit tools) by enforcing a single sandbox boundary at the tool surface before any plugin/channel code sees the path.Confidence Score: 4/5
assertSandboxPath()sandbox boundary check, and tests cover key escape inputs. Remaining uncertainty is around howpathis interpreted across different message actions/channels and whether an untrimmedsandboxRootcould lead to unexpected behavior in misconfigured callers.