fix: #3169 constrain local sandbox artifact sources to base dir#3177
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 78a98ebf88
I wonder if we can leverage the
After discussing this w/ @qiyaoq-oai, I updated the implementation to use

The final behavior is:

This keeps the host-path trust decision at the manifest/application configuration boundary and avoids a broader per-artifact escape hatch. For this release, manifests containing

I will clearly mention this change in release notes and changelog when shipping it.
This pull request fixes #3169 local sandbox artifact source resolution so `LocalFile` and `LocalDir` cannot read host files outside the manifest base directory by default.

The implementation treats `base_dir` as the trust boundary rather than treating every absolute path as unsafe. During normal manifest application, `base_dir` is the SDK process working directory, so local artifact sources are allowed only when their normalized host path stays within that directory. This means absolute paths are still supported without extra configuration when they point inside the trusted base directory, while both absolute outside paths and relative escapes such as `../outside` are rejected by default.

For trusted application code that intentionally needs to materialize a host path outside `base_dir`, this adds an explicit `allow_outside_base_dir=True` opt-in. That escape hatch keeps the host-path trust boundary visible at the call site without blocking legitimate cases such as temporary generated skill directories or integration fixtures. The same boundary is applied to lazy local skill metadata and skill loading so discovery and materialization follow the same rules.

The final behavior is:

- `LocalFile.src` and `LocalDir.src` stay constrained to the SDK process `base_dir` by default.
- `base_dir` is allowed only when its host path is under an explicit `manifest.extra_path_grants` entry.
- `read_only=True` grants are accepted for local source materialization because this path only reads from the host source before copying into the sandbox.
- `load_skill` use the same grant boundary.
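The containment rule described above (normalize the host path, require it to stay under `base_dir`, otherwise fall back to an explicit grant), as an added example that is not the project's own code; `check_local_source` and the grant list of plain path strings are hypothetical stand-ins for the real `manifest.extra_path_grants` API:

```python
"""Base-dir containment check for local sandbox artifact sources (illustrative)."""
import os
from typing import Iterable, Tuple


def _resolve(src: str, base_dir: str) -> str:
    # Relative sources are anchored at base_dir; realpath collapses '..' segments
    # and follows symlinks, so a link inside base_dir that points outside is
    # judged by its target, not by where the link lives.
    return os.path.realpath(os.path.join(base_dir, src))


def _is_within(path: str, root: str) -> bool:
    # commonpath compares whole components, so a plain string prefix test is
    # avoided: /work/project2 must not count as being under /work/project.
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # e.g. different drives on Windows
        return False


def check_local_source(src: str, base_dir: str,
                       extra_path_grants: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (allowed, resolved_host_path) for a LocalFile/LocalDir source.

    Allowed when the resolved path is inside base_dir, or inside one of the
    explicit grant roots (hypothetical equivalent of manifest.extra_path_grants;
    a read-only grant is sufficient since materialization only reads the host).
    """
    base = os.path.realpath(base_dir)
    resolved = _resolve(src, base)
    if _is_within(resolved, base):
        return True, resolved
    for grant_root in extra_path_grants:
        if _is_within(resolved, os.path.realpath(grant_root)):
            return True, resolved
    return False, resolved


if __name__ == "__main__":
    # Constructed paths; none need to exist for realpath to normalize them.
    for src in ("skills/a.md", "/work/project/skills/a.md", "../outside",
                "/etc/passwd", "/work/project2/a"):
        print(src, "->", check_local_source(src, "/work/project"))
```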