remoteclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/agents/sandbox/fs-bridge.ts‎
Lines changed: 14 additions & 0 deletions b/‎src/agents/sandbox/fs-bridge.ts‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎src/agents/skills-install-download.ts‎
Lines changed: 65 additions & 18 deletions b/‎src/agents/skills-install-download.ts‎
Lines changed: 65 additions & 18 deletions
diff --git a/‎src/browser/output-atomic.ts‎
Lines changed: 18 additions & 1 deletion b/‎src/browser/output-atomic.ts‎
Lines changed: 18 additions & 1 deletion
diff --git a/‎src/browser/pw-tools-core.downloads.ts‎
Lines changed: 6 additions & 1 deletion b/‎src/browser/pw-tools-core.downloads.ts‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎src/browser/pw-tools-core.trace.ts‎
Lines changed: 2 additions & 0 deletions b/‎src/browser/pw-tools-core.trace.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/hooks/install.ts‎
Lines changed: 26 additions & 20 deletions b/‎src/hooks/install.ts‎
Lines changed: 26 additions & 20 deletions
@@ -47,6 +47,7 @@ Docs: https://docs.openclaw.ai
 ### Fixes
 
 - Sandbox/Bootstrap context boundary hardening: reject symlink/hardlink alias bootstrap seed files that resolve outside the source workspace and switch post-compaction `AGENTS.md` context reads to boundary-verified file opens, preventing host file content from being injected via workspace aliasing. Thanks @tdjackey for reporting.
+- Browser/Security output boundary hardening: replace check-then-rename output commits with root-bound fd-verified writes, unify install/skills canonical path-boundary checks, and add regression coverage for symlink-rebind race paths across browser output and shared fs-safe write flows. Thanks @tdjackey for reporting.
 - Gateway/Security hardening: tie loopback-origin dev allowance to actual local socket clients (not Host header claims), add explicit warnings/metrics when `gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback` accepts websocket origins, harden safe-regex detection for quantified ambiguous alternation patterns (for example `(a|aa)+`), and bound large regex-evaluation inputs for session-filter and log-redaction paths.
 - Tests/Sandbox + archive portability: use junction-compatible directory-link setup on Windows and explicit file-symlink platform guards in symlink escape tests where unprivileged file symlinks are unavailable, reducing false Windows CI failures while preserving traversal checks on supported paths. (#28747) Thanks @arosstale.
 - Security/Skills archive extraction: unify tar extraction safety checks across tar.gz and tar.bz2 install flows, enforce tar compressed-size limits, and fail closed if tar.bz2 archives change between preflight and extraction to prevent bypasses of entry-type/size guardrails. Thanks @GCXWLP for reporting.
 
@@ -170,6 +170,11 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
       Boolean,
     );
     const rmCommand = flags.length > 0 ? `rm ${flags.join(" ")}` : "rm";
+    await this.assertPathSafety(target, {
+      action: "remove files",
+      requireWritable: true,
+      aliasPolicy: PATH_ALIAS_POLICIES.unlinkTarget,
+    });
     await this.runCommand(`set -eu; ${rmCommand} -- "$1"`, {
       args: [target.containerPath],
       signal: params.signal,
@@ -195,6 +200,15 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
       action: "rename files",
       requireWritable: true,
     });
+    await this.assertPathSafety(from, {
+      action: "rename files",
+      requireWritable: true,
+      aliasPolicy: PATH_ALIAS_POLICIES.unlinkTarget,
+    });
+    await this.assertPathSafety(to, {
+      action: "rename files",
+      requireWritable: true,
+    });
     await this.runCommand(
       'set -eu; dir=$(dirname -- "$2"); if [ "$dir" != "." ]; then mkdir -p -- "$dir"; fi; mv -- "$1" "$2"',
       {
 
@@ -1,4 +1,4 @@
-import { createHash } from "node:crypto";
+import { createHash, randomUUID } from "node:crypto";
 import fs from "node:fs";
 import path from "node:path";
 import { Readable } from "node:stream";
@@ -9,6 +9,8 @@ import {
   createTarEntrySafetyChecker,
   extractArchive as extractArchiveSafe,
 } from "../infra/archive.js";
+import { writeFileFromPathWithinRoot } from "../infra/fs-safe.js";
+import { assertCanonicalPathWithinBase } from "../infra/install-safe-path.js";
 import { fetchWithSsrFGuard } from "../infra/net/fetch-guard.js";
 import { isWithinDir } from "../infra/path-safety.js";
 import { runCommandWithTimeout } from "../process/exec.js";
@@ -157,29 +159,44 @@ async function hashFileSha256(filePath: string): Promise<string> {
   });
 }
 
-async function downloadFile(
-  url: string,
-  destPath: string,
-  timeoutMs: number,
-): Promise<{ bytes: number }> {
+async function downloadFile(params: {
+  url: string;
+  rootDir: string;
+  relativePath: string;
+  timeoutMs: number;
+}): Promise<{ bytes: number }> {
+  const destPath = path.resolve(params.rootDir, params.relativePath);
+  const stagingDir = path.join(params.rootDir, ".openclaw-download-staging");
+  await ensureDir(stagingDir);
+  await assertCanonicalPathWithinBase({
+    baseDir: params.rootDir,
+    candidatePath: stagingDir,
+    boundaryLabel: "skill tools directory",
+  });
+  const tempPath = path.join(stagingDir, `${randomUUID()}.tmp`);
   const { response, release } = await fetchWithSsrFGuard({
-    url,
-    timeoutMs: Math.max(1_000, timeoutMs),
+    url: params.url,
+    timeoutMs: Math.max(1_000, params.timeoutMs),
   });
   try {
     if (!response.ok || !response.body) {
       throw new Error(`Download failed (${response.status} ${response.statusText})`);
     }
-    await ensureDir(path.dirname(destPath));
-    const file = fs.createWriteStream(destPath);
+    const file = fs.createWriteStream(tempPath);
     const body = response.body as unknown;
     const readable = isNodeReadableStream(body)
       ? body
       : Readable.fromWeb(body as NodeReadableStream);
     await pipeline(readable, file);
+    await writeFileFromPathWithinRoot({
+      rootDir: params.rootDir,
+      relativePath: params.relativePath,
+      sourcePath: tempPath,
+    });
     const stat = await fs.promises.stat(destPath);
     return { bytes: stat.size };
   } finally {
+    await fs.promises.rm(tempPath, { force: true }).catch(() => undefined);
     await release();
   }
 }
@@ -309,6 +326,7 @@ export async function installDownloadSpec(params: {
   timeoutMs: number;
 }): Promise<SkillInstallResult> {
   const { entry, spec, timeoutMs } = params;
+  const safeRoot = resolveSkillToolsRootDir(entry);
   const url = spec.url?.trim();
   if (!url) {
     return {
@@ -335,22 +353,40 @@ export async function installDownloadSpec(params: {
   try {
     targetDir = resolveDownloadTargetDir(entry, spec);
     await ensureDir(targetDir);
-    const stat = await fs.promises.lstat(targetDir);
-    if (stat.isSymbolicLink()) {
-      throw new Error(`targetDir is a symlink: ${targetDir}`);
-    }
-    if (!stat.isDirectory()) {
-      throw new Error(`targetDir is not a directory: ${targetDir}`);
-    }
+    await assertCanonicalPathWithinBase({
+      baseDir: safeRoot,
+      candidatePath: targetDir,
+      boundaryLabel: "skill tools directory",
+    });
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
     return { ok: false, message, stdout: "", stderr: message, code: null };
   }
 
   const archivePath = path.join(targetDir, filename);
+  const archiveRelativePath = path.relative(safeRoot, archivePath);
+  if (
+    !archiveRelativePath ||
+    archiveRelativePath === ".." ||
+    archiveRelativePath.startsWith(`..${path.sep}`) ||
+    path.isAbsolute(archiveRelativePath)
+  ) {
+    return {
+      ok: false,
+      message: "invalid download archive path",
+      stdout: "",
+      stderr: "invalid download archive path",
+      code: null,
+    };
+  }
   let downloaded = 0;
   try {
-    const result = await downloadFile(url, archivePath, timeoutMs);
+    const result = await downloadFile({
+      url,
+      rootDir: safeRoot,
+      relativePath: archiveRelativePath,
+      timeoutMs,
+    });
     downloaded = result.bytes;
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
@@ -379,6 +415,17 @@ export async function installDownloadSpec(params: {
     };
   }
 
+  try {
+    await assertCanonicalPathWithinBase({
+      baseDir: safeRoot,
+      candidatePath: targetDir,
+      boundaryLabel: "skill tools directory",
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { ok: false, message, stdout: "", stderr: message, code: null };
+  }
+
   const extractResult = await extractArchive({
     archivePath,
     archiveType,
 
@@ -1,6 +1,7 @@
 import crypto from "node:crypto";
 import fs from "node:fs/promises";
 import path from "node:path";
+import { writeFileFromPathWithinRoot } from "../infra/fs-safe.js";
 import { sanitizeUntrustedFileName } from "./safe-filename.js";
 
 function buildSiblingTempPath(targetPath: string): string {
@@ -10,15 +11,31 @@ function buildSiblingTempPath(targetPath: string): string {
 }
 
 export async function writeViaSiblingTempPath(params: {
+  rootDir: string;
   targetPath: string;
   writeTemp: (tempPath: string) => Promise<void>;
 }): Promise<void> {
+  const rootDir = path.resolve(params.rootDir);
   const targetPath = path.resolve(params.targetPath);
+  const relativeTargetPath = path.relative(rootDir, targetPath);
+  if (
+    !relativeTargetPath ||
+    relativeTargetPath === ".." ||
+    relativeTargetPath.startsWith(`..${path.sep}`) ||
+    path.isAbsolute(relativeTargetPath)
+  ) {
+    throw new Error("Target path is outside the allowed root");
+  }
   const tempPath = buildSiblingTempPath(targetPath);
   let renameSucceeded = false;
   try {
     await params.writeTemp(tempPath);
-    await fs.rename(tempPath, targetPath);
+    await writeFileFromPathWithinRoot({
+      rootDir,
+      relativePath: relativeTargetPath,
+      sourcePath: tempPath,
+      mkdir: false,
+    });
     renameSucceeded = true;
   } finally {
     if (!renameSucceeded) {
 
@@ -4,7 +4,11 @@ import path from "node:path";
 import type { Page } from "playwright-core";
 import { resolvePreferredOpenClawTmpDir } from "../infra/tmp-openclaw-dir.js";
 import { writeViaSiblingTempPath } from "./output-atomic.js";
-import { DEFAULT_UPLOAD_DIR, resolveStrictExistingPathsWithinRoot } from "./paths.js";
+import {
+  DEFAULT_DOWNLOAD_DIR,
+  DEFAULT_UPLOAD_DIR,
+  resolveStrictExistingPathsWithinRoot,
+} from "./paths.js";
 import {
   ensurePageState,
   getPageForTargetId,
@@ -92,6 +96,7 @@ async function saveDownloadPayload(download: DownloadPayload, outPath: string) {
     await download.saveAs?.(resolvedOutPath);
   } else {
     await writeViaSiblingTempPath({
+      rootDir: DEFAULT_DOWNLOAD_DIR,
       targetPath: resolvedOutPath,
       writeTemp: async (tempPath) => {
         await download.saveAs?.(tempPath);
 
@@ -1,4 +1,5 @@
 import { writeViaSiblingTempPath } from "./output-atomic.js";
+import { DEFAULT_TRACE_DIR } from "./paths.js";
 import { ensureContextState, getPageForTargetId } from "./pw-session.js";
 
 export async function traceStartViaPlaywright(opts: {
@@ -34,6 +35,7 @@ export async function traceStopViaPlaywright(opts: {
     throw new Error("No active trace. Start a trace before stopping it.");
   }
   await writeViaSiblingTempPath({
+    rootDir: DEFAULT_TRACE_DIR,
     targetPath: opts.path,
     writeTemp: async (tempPath) => {
       await context.tracing.stop({ path: tempPath });
 
@@ -8,7 +8,11 @@ import {
   resolveTimedInstallModeOptions,
 } from "../infra/install-mode-options.js";
 import { installPackageDir } from "../infra/install-package-dir.js";
-import { resolveSafeInstallDir, unscopedPackageName } from "../infra/install-safe-path.js";
+import {
+  assertCanonicalPathWithinBase,
+  resolveSafeInstallDir,
+  unscopedPackageName,
+} from "../infra/install-safe-path.js";
 import {
   type NpmIntegrityDrift,
   type NpmSpecResolution,
@@ -112,6 +116,15 @@ async function resolveInstallTargetDir(
   if (!targetDirResult.ok) {
     return { ok: false, error: targetDirResult.error };
   }
+  try {
+    await assertCanonicalPathWithinBase({
+      baseDir: baseHooksDir,
+      candidatePath: targetDirResult.path,
+      boundaryLabel: "hooks directory",
+    });
+  } catch (err) {
+    return { ok: false, error: err instanceof Error ? err.message : String(err) };
+  }
   return { ok: true, targetDir: targetDirResult.path };
 }
 
@@ -289,25 +302,18 @@ async function installHookFromDir(params: {
     return { ok: true, hookPackId: hookName, hooks: [hookName], targetDir };
   }
 
-  logger.info?.(`Installing to ${targetDir}…`);
-  let backupDir: string | null = null;
-  if (mode === "update" && (await fileExists(targetDir))) {
-    backupDir = `${targetDir}.backup-${Date.now()}`;
-    await fs.rename(targetDir, backupDir);
-  }
-
-  try {
-    await fs.cp(params.hookDir, targetDir, { recursive: true });
-  } catch (err) {
-    if (backupDir) {
-      await fs.rm(targetDir, { recursive: true, force: true }).catch(() => undefined);
-      await fs.rename(backupDir, targetDir).catch(() => undefined);
-    }
-    return { ok: false, error: `failed to copy hook: ${String(err)}` };
-  }
-
-  if (backupDir) {
-    await fs.rm(backupDir, { recursive: true, force: true }).catch(() => undefined);
+  const installRes = await installPackageDir({
+    sourceDir: params.hookDir,
+    targetDir,
+    mode,
+    timeoutMs: 120_000,
+    logger,
+    copyErrorPrefix: "failed to copy hook",
+    hasDeps: false,
+    depsLogMessage: "Installing hook dependencies…",
+  });
+  if (!installRes.ok) {
+    return installRes;
   }
 
   return { ok: true, hookPackId: hookName, hooks: [hookName], targetDir };