Problem
view_image normalizes /mnt/user-data but otherwise passes absolute host paths through to the backend process. A caller that can invoke the tool can ask the backend to open image files outside the thread workspace, including paths in /tmp or other host directories. There is no final sandbox-boundary validation and no symlink escape check.
Impact
This can disclose host-local image files to the model/runtime and bypass the intended workspace boundary for uploaded/generated images.
Suggested Fix
Only accept virtual paths that belong to the current thread/user data area, resolve the final path, and require it to stay under the allowed upload/output roots. Reject symlink escapes and add basic size and magic-byte validation before loading.
Tests
- Reject an external absolute path such as /tmp/secret.png.
- Accept a valid /mnt/user-data/uploads/... image.
- Reject a symlink inside uploads that points outside the allowed root.
References
backend/packages/harness/deerflow/tools/builtins/view_image_tool.py:34
backend/packages/harness/deerflow/tools/builtins/view_image_tool.py:81
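
One way to implement the checks in the suggested fix, as an added example that is not the project's own code. The names `resolve_image_path`, `ImagePathError` and `thread_root`, the `uploads`/`outputs` directory names, the 20 MiB cap and the accepted formats are assumptions.

```python
from pathlib import Path, PurePosixPath

VIRTUAL_PREFIX = PurePosixPath("/mnt/user-data")  # virtual prefix named in the issue
ALLOWED_SUBDIRS = ("uploads", "outputs")          # assumed directory names
MAX_BYTES = 20 * 1024 * 1024                      # assumed size cap
MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


class ImagePathError(ValueError):
    """Raised when a requested image path fails validation."""


def resolve_image_path(virtual_path: str, thread_root: Path) -> Path:
    """Map a /mnt/user-data/... path into thread_root and validate it.

    thread_root is the host directory backing /mnt/user-data for the
    current thread (hypothetical parameter). Requires Python 3.9+.
    """
    try:
        rel = PurePosixPath(virtual_path).relative_to(VIRTUAL_PREFIX)
    except ValueError:
        # Host paths such as /tmp/secret.png and relative paths end here.
        raise ImagePathError("path is not under /mnt/user-data") from None
    if not rel.parts or rel.parts[0] not in ALLOWED_SUBDIRS or ".." in rel.parts:
        raise ImagePathError("path is outside the allowed upload/output roots")

    root = (thread_root / rel.parts[0]).resolve()
    try:
        # resolve() follows every symlink, so `real` is the file that
        # would actually be opened.
        real = thread_root.joinpath(*rel.parts).resolve(strict=True)
    except (OSError, RuntimeError):
        raise ImagePathError("path does not resolve to an existing file") from None
    if not real.is_relative_to(root):
        raise ImagePathError("resolved path escapes the allowed root")
    if not real.is_file():
        raise ImagePathError("not a regular file")
    if real.stat().st_size > MAX_BYTES:
        raise ImagePathError("file exceeds the size limit")

    with open(real, "rb") as fh:
        head = fh.read(12)
    is_webp = head[:4] == b"RIFF" and head[8:12] == b"WEBP"
    if not (head.startswith(MAGIC) or is_webp):
        raise ImagePathError("file is not a recognised image type")
    return real
```

The caller should load the returned resolved path rather than the original string, so the file that was validated is the file that is opened.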