ls tool can list os file system root contents when policy is set to "Automatic" and dirPath is '.' #8877

@wavu-238


Relevant environment info

- OS: Arch Linux
- Continue version: 1.2.11
- IDE version: VS Code 1.104.3
- Model: mocked predefined response

Description

When the policy for the ls tool is set to automatic and the model tries to list the contents of the / directory, Continue will ask if it should list the files. This is good and expected.

But if the model tries to read the . directory, the check will be omitted and Continue will list the file system root contents without asking.

Edit: After further inspection, it looks like this works for any relative path. So ../../ will list contents directly outside the workspace.

To reproduce

I have created an Ollama API interceptor and sent predefined messages as responses to verify the problem. To reproduce the behavior of the ls tool, check it on the following mocked responses.

For model output:

"    ```tool\n    TOOL_NAME: ls\n    BEGIN_ARG: dirPath\n    /\n    END_ARG\n    ```"

You will get proper, safe behavior.

For output:

"    ```tool\n    TOOL_NAME: ls\n    BEGIN_ARG: dirPath\n    .\n    END_ARG\n    ```"

You will escape the evaluation policy.

Log output
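One way to make the confirmation decision independent of how the path is written is to resolve dirPath to an absolute path first and evaluate the policy on that result. The following is an added example, not Continue's code and not part of the original report; `lsDecision`, `resolveDirPath`, `isInsideWorkspace`, the `baseDir` parameter (the directory the tool resolves relative paths against) and the workspace path used in the comments are hypothetical, and only POSIX paths are handled.

```typescript
// Added example: hypothetical helpers, not Continue's implementation.
// POSIX paths only, matching the Linux environment in the report.

// Collapse ".", ".." and repeated slashes in an absolute POSIX path.
function normalizeAbsolute(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); // ".." at the root stays at the root
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Resolve the model-supplied dirPath against the directory the tool
// will actually list from (baseDir is an assumed parameter).
function resolveDirPath(baseDir: string, dirPath: string): string {
  const joined = dirPath.startsWith("/") ? dirPath : baseDir + "/" + dirPath;
  return normalizeAbsolute(joined);
}

// True when the resolved directory is the workspace root or below it.
// Comparing with a trailing "/" avoids matching a sibling directory
// such as /home/user/project-other.
function isInsideWorkspace(workspaceRoot: string, resolved: string): boolean {
  const root = normalizeAbsolute(workspaceRoot);
  if (root === "/") return true;
  return resolved === root || resolved.startsWith(root + "/");
}

type Decision = "auto" | "ask";

// The policy is evaluated on the resolved path, never on the raw string,
// so "/", "." and "../../" are judged by where they point.
function lsDecision(workspaceRoot: string, baseDir: string, dirPath: string): Decision {
  const resolved = resolveDirPath(baseDir, dirPath.trim());
  return isInsideWorkspace(workspaceRoot, resolved) ? "auto" : "ask";
}
```

The normalization here is lexical only; a directory reached through a symlink inside the workspace would also need its real path resolved before the comparison.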


Labels

- area:tools: Relates to tool usage
- ide:vscode: Relates specifically to VS Code extension
- kind:bug: Indicates an unexpected problem or unintended behavior
- os:linux: Happening specifically on Linux
