Skip to content

fix(built-in-tools): confine search_files glob matches to workspace#386

Open
herikwebb wants to merge 1 commit into
plmbr:mainfrom
herikwebb:security/fix-search-files-symlink-20260704031032-3406
Open

fix(built-in-tools): confine search_files glob matches to workspace#386
herikwebb wants to merge 1 commit into
plmbr:mainfrom
herikwebb:security/fix-search-files-symlink-20260704031032-3406

Conversation

@herikwebb

@herikwebb herikwebb commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

search_files sandboxed only the search root via safe_jupyter_path; the
glob hits were opened directly, so a workspace symlink pointing outside
jupyter_root_dir (e.g. leak.txt -> /etc/passwd) let an agent-mode LLM
read arbitrary host files through content_pattern matches. read_file
already routes every path through safe_jupyter_path and rejects outbound
symlinks after Path.resolve(); search_files did not.

Resolve the workspace root once, drop glob hits outside it, and route
each remaining match back through safe_jupyter_path before opening so a
symlink resolving out of the workspace is skipped. Confidentiality-only
issue; medium severity.

search_files sandboxed only the search root via safe_jupyter_path; the
glob hits were opened directly, so a workspace symlink pointing outside
jupyter_root_dir (e.g. leak.txt -> /etc/passwd) let an agent-mode LLM
read arbitrary host files through content_pattern matches. read_file
already routes every path through safe_jupyter_path and rejects outbound
symlinks after Path.resolve(); search_files did not.

Resolve the workspace root once, drop glob hits outside it, and route
each remaining match back through safe_jupyter_path before opening so a
symlink resolving out of the workspace is skipped. Confidentiality-only
issue; medium severity.

@pjdoland pjdoland left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

The fix itself is correct and well-scoped. It closes a real confidentiality hole: previously search_files sandboxed only the search root, then opened glob hits directly, so a workspace symlink like leak.txt -> /etc/passwd leaked host files through content_pattern. The PR routes each match through relative_to(root_dir) + safe_jupyter_path before opening, mirroring how read_file already works. The approach matches the established pattern.

@mbektas mbektas left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants