Problem
When host-local bash execution is enabled, the path guard scans command strings for absolute paths. Relative traversal and shell state changes can bypass this check, for example by using .. segments or changing directories before referencing a relative path.
Impact
A command that passes the scanner can still access host paths outside the intended working area when allow_host_bash=true.
Suggested Fix
Do not rely on shell-string scanning as the security boundary. Restrict process working directory, reject traversal patterns where appropriate, avoid persistent cd semantics outside the sandbox root, and validate resolved paths for file-oriented operations.
Tests
- Commands using relative traversal should be rejected or confined.
- Commands that cd outside the allowed root and then access relative paths should not succeed.
- Legitimate in-workspace relative paths should continue to work.
References
backend/packages/harness/deerflow/sandbox/tools.py:638
backend/packages/harness/deerflow/sandbox/tools.py:747
backend/packages/harness/deerflow/sandbox/tools.py:1004
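
The resolved-path validation suggested above, as an added example that is not taken from the deerflow code base. The names `resolve_within_root`, `confined_cd`, `is_allowed` and `demo` are hypothetical, and the directory tree is constructed in a temporary folder to exercise the three test cases listed in this issue.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """A path resolved outside the sandbox root."""


def resolve_within_root(root: str, cwd: str, candidate: str) -> str:
    """Resolve candidate against cwd; require the result to stay under root."""
    real_root = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks, so the check applies to the
    # location the OS would open, not to the string that was typed.
    real_target = os.path.realpath(os.path.join(cwd, candidate))
    # commonpath compares whole components: /work-evil does not match /work.
    if os.path.commonpath([real_root, real_target]) != real_root:
        raise PathEscapeError(f"{candidate!r} resolves outside {real_root}")
    return real_target


def confined_cd(root: str, cwd: str, target: str) -> str:
    """New working directory for a cd request, refusing to leave root."""
    new_cwd = resolve_within_root(root, cwd, target)
    if not os.path.isdir(new_cwd):
        raise NotADirectoryError(new_cwd)
    return new_cwd


def is_allowed(root: str, cwd: str, candidate: str) -> bool:
    try:
        resolve_within_root(root, cwd, candidate)
    except PathEscapeError:
        return False
    return True


def demo() -> dict:
    """Run the issue's three test cases on a constructed temporary tree."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "workspace")
        os.makedirs(os.path.join(root, "src"))
        os.makedirs(os.path.join(base, "outside"))
        cwd = confined_cd(root, root, "src")  # legitimate cd inside the root
        return {
            "in_workspace": is_allowed(root, cwd, "../src/main.py"),
            "traversal": is_allowed(root, cwd, "../../outside/data.txt"),
            "cd_out": is_allowed(root, cwd, "../.."),
        }
```

This check covers paths the tool layer opens or changes into itself; a free-form bash command can still reach other paths at run time, which is why the process working directory and OS-level confinement remain the actual boundary.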