fix(built-in-tools): confine search_files glob matches to workspace#386
Open
herikwebb wants to merge 1 commit into
Open
fix(built-in-tools): confine search_files glob matches to workspace#386herikwebb wants to merge 1 commit into
herikwebb wants to merge 1 commit into
Conversation
search_files sandboxed only the search root via safe_jupyter_path; the glob hits were opened directly, so a workspace symlink pointing outside jupyter_root_dir (e.g. leak.txt -> /etc/passwd) let an agent-mode LLM read arbitrary host files through content_pattern matches. read_file already routes every path through safe_jupyter_path and rejects outbound symlinks after Path.resolve(); search_files did not. Resolve the workspace root once, drop glob hits outside it, and route each remaining match back through safe_jupyter_path before opening so a symlink resolving out of the workspace is skipped. Confidentiality-only issue; medium severity.
pjdoland
approved these changes
Jul 9, 2026
pjdoland
left a comment
Collaborator
There was a problem hiding this comment.
LGTM.
The fix itself is correct and well-scoped. It closes a real confidentiality hole: previously search_files sandboxed only the search root, then opened glob hits directly, so a workspace symlink like leak.txt -> /etc/passwd leaked host files through content_pattern. The PR routes each match through relative_to(root_dir) + safe_jupyter_path before opening, mirroring how read_file already works. The approach matches the established pattern.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
search_files sandboxed only the search root via safe_jupyter_path; the
glob hits were opened directly, so a workspace symlink pointing outside
jupyter_root_dir (e.g. leak.txt -> /etc/passwd) let an agent-mode LLM
read arbitrary host files through content_pattern matches. read_file
already routes every path through safe_jupyter_path and rejects outbound
symlinks after Path.resolve(); search_files did not.
Resolve the workspace root once, drop glob hits outside it, and route
each remaining match back through safe_jupyter_path before opening so a
symlink resolving out of the workspace is skipped. Confidentiality-only
issue; medium severity.