deerflow2/backend/src
Willem Jiang 253fe4d87f
feat(sandbox): harden local file access and mask host paths (#983)
* feat(sandbox): harden local file access and mask host paths

- enforce local sandbox file tools to only accept /mnt/user-data paths
- add path traversal checks against thread workspace/uploads/outputs roots
- preserve requested virtual paths in tool error messages (no host path leaks)
- mask local absolute paths in bash output back to virtual sandbox paths
- update bash tool guidance to prefer thread-local venv + python -m pip
- add regression tests for path mapping, masking, and access restrictions

Fixes #968

* feat(sandbox): restrict risky absolute paths in local bash commands

- validate absolute path usage in local-mode bash commands
- allow only /mnt/user-data virtual paths for user data access
- keep a small allowlist for system executable/device paths
- return clear permission errors for unsafe command paths
- add regression tests for bash path validation rules

* test(sandbox): add success path test for resolve_local_tool_path (#992)

* Initial plan

* test(sandbox): add success path test for resolve_local_tool_path

Co-authored-by: WillemJiang <219644+WillemJiang@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: WillemJiang <219644+WillemJiang@users.noreply.github.com>

* fix(sandbox): reject bare virtual root early with clear error in resolve_local_tool_path (#991)

* Initial plan

* fix(sandbox): reject bare virtual root early with clear error in resolve_local_tool_path

Co-authored-by: WillemJiang <219644+WillemJiang@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: WillemJiang <219644+WillemJiang@users.noreply.github.com>
Co-authored-by: Willem Jiang <willem.jiang@gmail.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
2026-03-13 22:38:32 +08:00
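The commit message above describes four controls: file tools accept only `/mnt/user-data/...` virtual paths, those paths are mapped onto per-thread `workspace`/`uploads`/`outputs` roots with a traversal check, error messages echo the requested virtual path rather than the host path, and host paths in bash output are masked back to virtual form, with absolute paths in bash commands restricted to `/mnt/user-data` plus a small system allowlist. The Python below is an added illustration of that design and is not DeerFlow's own code: only the function name `resolve_local_tool_path`, the `/mnt/user-data` root and the three subdirectory names come from the commit message; the host layout under `threads/<thread_id>/`, the `SandboxPathError` type, the allowlist contents and every other helper name are assumptions made for the example.

```python
"""Example virtual-path hardening for a local sandbox (illustration, not the
project's implementation; host layout, error type, allowlist and helper names
other than resolve_local_tool_path are assumptions)."""
from __future__ import annotations

import os
import re
from pathlib import Path, PurePosixPath

VIRTUAL_ROOT = PurePosixPath("/mnt/user-data")
SUBDIRS = ("workspace", "uploads", "outputs")

# Assumed allowlist for absolute paths in bash commands: interpreter/binary
# directories and a few device files. Nothing under /etc, /home, /root, ...
SYSTEM_PREFIXES = ("/bin/", "/usr/bin/", "/usr/local/bin/")
SYSTEM_EXACT = frozenset({"/dev/null", "/dev/stdin", "/dev/stdout", "/dev/stderr"})


class SandboxPathError(PermissionError):
    """Message carries only the path the caller asked for, never a host path."""


def thread_roots(base: str | os.PathLike, thread_id: str) -> dict[str, Path]:
    """Per-thread host directories backing each virtual subdirectory (assumed layout)."""
    return {
        name: Path(os.path.realpath(os.path.join(base, "threads", thread_id, name)))
        for name in SUBDIRS
    }


def resolve_local_tool_path(virtual: str, roots: dict[str, Path]) -> Path:
    """Map /mnt/user-data/<subdir>/... onto the thread's host root for <subdir>.

    Rejects relative paths, host paths, the bare virtual root, unknown
    subdirectories and anything whose real path lands outside the matching
    root (../ segments or symlinks). Every error repeats the requested path.
    """
    requested = PurePosixPath(virtual)
    if not requested.is_absolute() or not requested.is_relative_to(VIRTUAL_ROOT):
        raise SandboxPathError(f"{virtual}: only paths under {VIRTUAL_ROOT} are accessible")
    parts = requested.relative_to(VIRTUAL_ROOT).parts
    if not parts:  # "/mnt/user-data" or "/mnt/user-data/": reject early, say what is valid
        raise SandboxPathError(
            f"{virtual}: the bare sandbox root is not a file; use one of "
            + ", ".join(str(VIRTUAL_ROOT / s) for s in SUBDIRS)
        )
    subdir, rest = parts[0], parts[1:]
    if subdir not in roots:
        raise SandboxPathError(f"{virtual}: unknown sandbox directory {subdir!r}")
    root = roots[subdir]
    # realpath collapses ../ and follows symlinks that already exist on the host;
    # containment is then decided on path components, not on a string prefix.
    candidate = Path(os.path.realpath(root.joinpath(*rest)))
    if candidate != root and root not in candidate.parents:
        raise SandboxPathError(f"{virtual}: path escapes the sandbox")
    return candidate


def mask_host_paths(text: str, roots: dict[str, Path]) -> str:
    """Rewrite host paths in tool/bash output back to their virtual form."""
    for name, root in sorted(roots.items(), key=lambda kv: len(str(kv[1])), reverse=True):
        text = text.replace(str(root), str(VIRTUAL_ROOT / name))
    return text


# An absolute-path token: a slash not glued to a preceding word char, dot, slash
# or colon, so "a/b", ".venv/bin/pip" and "https://x/y" are not treated as absolute.
_ABS_PATH = re.compile(r"(?<![\w./:])/[\w./-]+")


def disallowed_bash_paths(command: str) -> list[str]:
    """Absolute paths in a local-mode bash command that are neither /mnt/user-data
    virtual paths nor on the system allowlist (heuristic tokeniser, see note)."""
    bad: list[str] = []
    for token in _ABS_PATH.findall(command):
        p = PurePosixPath(token)
        if p.is_relative_to(VIRTUAL_ROOT):
            if ".." in p.parts:  # /mnt/user-data/../.. is still an escape
                bad.append(token)
            continue
        if token in SYSTEM_EXACT or token.startswith(SYSTEM_PREFIXES):
            continue
        bad.append(token)
    return bad


def validate_bash_command(command: str) -> str:
    """Return the command unchanged, or raise naming the first offending path."""
    bad = disallowed_bash_paths(command)
    if bad:
        raise SandboxPathError(f"command references {bad[0]}, which is outside {VIRTUAL_ROOT}")
    return command
```

Two caveats a reviewer of this pattern would raise: `os.path.realpath` only resolves symlinks that exist at check time, so a path validated before a file is created can still be redirected later (check again after creation, or open with `O_NOFOLLOW`); and the regex tokeniser is a heuristic, not a shell parser, so quoting, `$HOME`-style expansion or a `cd` followed by relative paths are not covered by `disallowed_bash_paths` and still rely on the process-level sandbox.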
Name         Last commit message                                                                               Last commit date
agents       fix(memory): inject stored facts into system prompt memory context (#1083)                        2026-03-13 14:37:40 +08:00
channels     feat(channels): upload file attachments via IM channels (Slack, Telegram, Feishu) (#1040)         2026-03-10 09:11:57 +08:00
community    chore(docker): Refactor sandbox state management and improve Docker integration (#1068)           2026-03-11 10:03:01 +08:00
config       fix(tracing): support LANGCHAIN_* env fallback for LangSmith config (#1065)                       2026-03-11 10:26:56 +08:00
gateway      fix(gateway): ignore archive metadata wrappers (#1108)                                            2026-03-13 21:27:54 +08:00
mcp          feat(mcp): add OAuth support for HTTP/SSE MCP servers (#908)                                      2026-03-01 22:38:58 +08:00
models       feat(middleware): introduce TodoMiddleware for context-loss detection in todo management (#1041)  2026-03-10 11:24:53 +08:00
reflection   feat: add IM channels for Feishu, Slack, and Telegram (#1010)                                     2026-03-08 15:21:18 +08:00
sandbox      feat(sandbox): harden local file access and mask host paths (#983)                                2026-03-13 22:38:32 +08:00
skills       feat(skills): support recursive nested skill loading (#950)                                       2026-03-02 21:02:03 +08:00
subagents    fix(middleware): degrade tool-call exceptions to error tool messages (#1110)                      2026-03-13 09:41:59 +08:00
tools        fix(subagents): cleanup background tasks after completion to prevent memory leak (#1030)          2026-03-10 07:41:48 +08:00
utils        chore(docker): Refactor sandbox state management and improve Docker integration (#1068)           2026-03-11 10:03:01 +08:00
__init__.py  chore: add an empty __init__.py                                                                   2026-01-14 07:16:27 +08:00
client.py    fix(client): Harden upload validation and conversion flow (#989)                                  2026-03-11 15:17:31 +08:00