BUG-HUNT: [boundary] InlineToolExecutor._validate_paths only checks keys ending in _path, _file, or equal to path — path values under other key names bypass sandbox restriction entirely #6599

Open
opened 2026-04-09 21:58:44 +00:00 by HAL9000 · 0 comments
Owner

Bug Report: Boundary — Incomplete Path Key Heuristic in Sandbox Validation

Severity Assessment

  • Impact: An inline tool that receives file paths under keys named file, filepath, filename, output, target, src, dest, directory, dir, location, or any other non-heuristic name will have those paths pass through the sandbox validation completely unchecked. The sandbox is only enforced for a small, fixed set of key name suffixes.
  • Likelihood: High — real tool inputs commonly use key names like filename, output_dir, source, destination, working_dir, or target which are all missed by the heuristic.
  • Priority: High

Location

  • File: src/cleveragents/skills/inline_executor.py
  • Function: InlineToolExecutor._validate_paths
  • Lines: ~258–272

Description

The path validation heuristic only checks input keys that match a narrow pattern:

# inline_executor.py  lines 260–272
for key, value in input_data.items():
    if not isinstance(value, str):
        continue
    # Heuristic: treat values that look like file paths
    if key.endswith("_path") or key == "path" or key.endswith("_file"):
        try:
            resolved = Path(value).resolve()
            sandbox_resolved = sandbox_path.resolve()
            if not str(resolved).startswith(str(sandbox_resolved)):
                ...

This means only these key names trigger path validation:

  • path
  • *_path (e.g., input_path, output_path)
  • *_file (e.g., config_file, log_file)

The following common and legitimate key names are completely unprotected:

  • file → not _file, not path
  • filepath / file_path_alt → neither ends in _path or _file and neither equals path
  • filename → ends in name, not _file
  • directory, dir, folder, dest, src → none match
  • output, target, location, source → none match
  • working_dir → ends in _dir, not _path or _file

An inline tool receiving {"filename": "/etc/passwd"} would have the path /etc/passwd pass sandbox validation unchecked.

Expected Behavior

All string values that represent file-system paths should be validated against the sandbox root, regardless of key name.

Actual Behavior

Only values for keys matching _path, _file, or exactly path are checked. All other path-like keys bypass the sandbox check.

Suggested Fix

Option A — Validate ALL string values that look like absolute or relative paths, not just values under heuristic key names. Anchoring relative values at the sandbox root (rather than the process working directory) and replacing the string-prefix comparison with Path.is_relative_to (Python 3.9+) also closes a second gap visible in the current snippet: a sibling directory whose name merely starts with the sandbox root's name (for example sandbox_evil/) passes the startswith test:

import os
from pathlib import Path

sandbox_resolved = sandbox_path.resolve()
for key, value in input_data.items():
    if not isinstance(value, str):
        continue
    # Validate any string that could be a path (absolute, or relative with os.sep or a leading dot)
    if os.sep in value or value.startswith(".") or os.path.isabs(value):
        try:
            candidate = Path(value)
            if not candidate.is_absolute():
                # Anchor relative paths at the sandbox root, not the process CWD
                candidate = sandbox_resolved / candidate
            resolved = candidate.resolve()
            if not resolved.is_relative_to(sandbox_resolved):
                return f"Path '{value}' for key '{key}' escapes sandbox root '{sandbox_path}'"
        except (OSError, ValueError):
            return f"Invalid path '{value}' for key '{key}'"

Option B — Expand the key heuristic to cover the names listed above (_dir, _folder, file, filename, filepath, dir, folder, src, dest, source, destination, target, output, location). This is cheaper than Option A but still fails open: any key name not on the list bypasses the check, so it is defence in depth rather than a boundary on its own:

_PATH_KEY_SUFFIXES = ("_path", "_file", "_dir", "_folder", "_source", "_dest", "_target")
_PATH_KEY_EXACT = {"path", "file", "filename", "filepath", "directory", "dir", "folder", "src", "dest", "source", "destination", "target", "output", "location"}


def _is_path_key(key: str) -> bool:
    return key.endswith(_PATH_KEY_SUFFIXES) or key in _PATH_KEY_EXACT


if _is_path_key(key):
    ...  # same resolve-and-compare block as in the existing code
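To make the gap concrete, here is an added, self-contained script (written for this review, not code from the cleveragents project) that reimplements the quoted key-name heuristic next to a value-based check in the spirit of Option A and runs both over constructed tool inputs. The sandbox root, the input dictionaries and both validator functions are assumptions made for the demonstration; only the heuristic itself is taken from the snippet above. It also exercises the string-prefix comparison visible in that snippet, which accepts a sibling directory whose name starts with the sandbox root's name.

```python
"""Added example, not project code: reproduce the key-name heuristic bypass
and compare it with a value-based sandbox check.

SANDBOX, CASES and both validator functions are constructed for this
demonstration; nothing here is the cleveragents implementation."""
import os
import tempfile
from pathlib import Path

# Constructed sandbox root. It does not need to exist: Path.resolve() is
# non-strict by default and works on missing paths.
SANDBOX = Path(tempfile.gettempdir()) / "cleveragents_sandbox"


def validate_by_key_name(input_data, sandbox_path=SANDBOX):
    """Mirror of the heuristic quoted in the issue: only keys named 'path',
    '*_path' or '*_file' are inspected, and containment is a string-prefix
    comparison. Returns an error string, or None when everything passes."""
    sandbox_resolved = sandbox_path.resolve()
    for key, value in input_data.items():
        if not isinstance(value, str):
            continue
        if key.endswith("_path") or key == "path" or key.endswith("_file"):
            try:
                resolved = Path(value).resolve()
            except (OSError, ValueError):
                return f"Invalid path '{value}' for key '{key}'"
            if not str(resolved).startswith(str(sandbox_resolved)):
                return f"Path '{value}' for key '{key}' escapes sandbox root '{sandbox_path}'"
    return None


def validate_by_value(input_data, sandbox_path=SANDBOX):
    """Value-based variant in the spirit of Option A: every string that looks
    like a path is checked regardless of key name, relative values are
    anchored at the sandbox root (not the process CWD), and containment uses
    Path.is_relative_to (Python 3.9+), which compares path components rather
    than a string prefix."""
    sandbox_resolved = sandbox_path.resolve()
    for key, value in input_data.items():
        if not isinstance(value, str):
            continue
        looks_like_path = os.sep in value or value.startswith(".") or os.path.isabs(value)
        if not looks_like_path:
            continue
        try:
            candidate = Path(value)
            if not candidate.is_absolute():
                candidate = sandbox_resolved / candidate
            resolved = candidate.resolve()
        except (OSError, ValueError):
            return f"Invalid path '{value}' for key '{key}'"
        if not resolved.is_relative_to(sandbox_resolved):
            return f"Path '{value}' for key '{key}' escapes sandbox root '{sandbox_path}'"
    return None


# Constructed tool inputs. The first is a key the heuristic does inspect, the
# next two are the bug as reported (absolute and dot-dot values under keys the
# heuristic ignores), 'sibling_prefix' is the prefix-comparison weakness, and
# 'legit' is an in-sandbox value that must keep working under both checks.
CASES = {
    "checked_key": {"input_path": "/etc/passwd"},
    "unchecked_key": {"filename": "/etc/passwd"},
    "dotdot_under_unchecked_key": {"working_dir": "../../etc"},
    "sibling_prefix": {"output_path": str(SANDBOX) + "_evil/out.txt"},
    "legit": {"output": str(SANDBOX / "results" / "out.json")},
}


def compare():
    """Return {case_name: (key_heuristic_error, value_check_error)};
    None in either slot means that validator let the input through."""
    return {name: (validate_by_key_name(data), validate_by_value(data))
            for name, data in CASES.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        old_s = "REJECT" if old else "pass  "
        new_s = "REJECT" if new else "pass  "
        print(f"{name:28s} key-heuristic={old_s}  value-check={new_s}")
```

Running it prints one line per case: the reported bug shows as filename and working_dir passing the key heuristic while the value check rejects them, and sibling_prefix shows that even an inspected key escapes under the prefix comparison. The value-based check is still a heuristic (a bare file name with no separator is never inspected), so a tool schema that declares which parameters are paths remains the robust option.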

Category

boundary / security

TDD Note

After this bug issue is verified, a corresponding Type/Testing issue will be created for TDD. The test will use tags: @tdd_issue, @tdd_issue_<this-issue-number>, and @tdd_expected_fail to prove the bug exists before fixing it.


Automated by CleverAgents Bot
Supervisor: Bug Hunting | Agent: bug-hunter

HAL9000 added this to the v3.2.0 milestone 2026-04-09 22:13:19 +00:00
Reference
cleveragents/cleveragents-core#6599