From cef4db9a877c6fdfee133a21c4153e758c5591dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=98=9F=E6=9C=88?= Date: Sat, 23 May 2026 15:50:30 +0800 Subject: [PATCH] refactor: remove workspace path sandbox and shell gate - Replace resolvePathInWorkspace with simple resolvePath (no boundary check) - Remove UWF_BUILTIN_ALLOW_SHELL env gate from run_command - Update tests accordingly Per review: sandbox was false security with shell=true, and path restrictions are unnecessary for a trusted agent environment. --- .../__tests__/path.test.ts | 26 +++++++++++-------- .../workflow-agent-builtin/src/tools/index.ts | 2 +- .../workflow-agent-builtin/src/tools/path.ts | 14 +++------- .../src/tools/read-file.ts | 7 ++--- .../src/tools/run-command.ts | 13 +++------- .../src/tools/write-file.ts | 7 ++--- 6 files changed, 27 insertions(+), 42 deletions(-) diff --git a/packages/workflow-agent-builtin/__tests__/path.test.ts b/packages/workflow-agent-builtin/__tests__/path.test.ts index d39ad79..063475c 100644 --- a/packages/workflow-agent-builtin/__tests__/path.test.ts +++ b/packages/workflow-agent-builtin/__tests__/path.test.ts @@ -1,17 +1,21 @@ import { describe, expect, test } from "bun:test"; -import { join } from "node:path"; +import { resolvePath } from "../src/tools/path.js"; +import { resolve } from "node:path"; -import { resolvePathInWorkspace } from "../src/tools/path.js"; - -describe("resolvePathInWorkspace", () => { - const root = join("/tmp", "uwf-workspace"); - - test("resolves relative paths inside root", () => { - const resolved = resolvePathInWorkspace(root, "src/foo.ts"); - expect(resolved).toBe(join(root, "src/foo.ts")); +describe("resolvePath", () => { + test("resolves relative paths against cwd", () => { + const root = "/workspace/project"; + const resolved = resolvePath(root, "src/foo.ts"); + expect(resolved).toBe(resolve(root, "src/foo.ts")); }); - test("rejects parent traversal", () => { - expect(resolvePathInWorkspace(root, "../etc/passwd")).toBeNull(); + test("resolves absolute paths as-is", () => { + const resolved = resolvePath("/workspace", "/etc/hosts"); + expect(resolved).toBe("/etc/hosts"); + }); + + test("resolves parent traversal normally", () => { + const resolved = resolvePath("/workspace/project", "../other/file.ts"); + expect(resolved).toBe(resolve("/workspace/project", "../other/file.ts")); }); }); diff --git a/packages/workflow-agent-builtin/src/tools/index.ts b/packages/workflow-agent-builtin/src/tools/index.ts index 87fe1c1..c2e62a4 100644 --- a/packages/workflow-agent-builtin/src/tools/index.ts +++ b/packages/workflow-agent-builtin/src/tools/index.ts @@ -5,7 +5,7 @@ import { runCommandTool } from "./run-command.js"; import type { BuiltinTool, ToolContext } from "./types.js"; import { writeFileTool } from "./write-file.js"; -export { resolvePathInWorkspace } from "./path.js"; +export { resolvePath } from "./path.js"; export type { BuiltinTool, ToolContext } from "./types.js"; const BUILTIN_TOOLS: BuiltinTool[] = [readFileTool, writeFileTool, runCommandTool]; diff --git a/packages/workflow-agent-builtin/src/tools/path.ts b/packages/workflow-agent-builtin/src/tools/path.ts index 6a34704..ceb8014 100644 --- a/packages/workflow-agent-builtin/src/tools/path.ts +++ b/packages/workflow-agent-builtin/src/tools/path.ts @@ -1,12 +1,6 @@ -import { isAbsolute, relative, resolve } from "node:path"; +import { resolve } from "node:path"; -/** Reject paths that escape the workspace root via `..` segments. */ -export function resolvePathInWorkspace(cwd: string, inputPath: string): string | null { - const root = resolve(cwd); - const target = resolve(root, inputPath); - const rel = relative(root, target); - if (rel.startsWith("..") || isAbsolute(rel)) { - return null; - } - return target; +/** Resolve a path relative to the working directory. */ +export function resolvePath(cwd: string, inputPath: string): string { + return resolve(cwd, inputPath); } diff --git a/packages/workflow-agent-builtin/src/tools/read-file.ts b/packages/workflow-agent-builtin/src/tools/read-file.ts index 79178b1..b3683e7 100644 --- a/packages/workflow-agent-builtin/src/tools/read-file.ts +++ b/packages/workflow-agent-builtin/src/tools/read-file.ts @@ -1,5 +1,5 @@ import { readFile, stat } from "node:fs/promises"; -import { resolvePathInWorkspace } from "./path.js"; +import { resolvePath } from "./path.js"; import type { BuiltinTool } from "./types.js"; const MAX_READ_BYTES = 512 * 1024; @@ -23,10 +23,7 @@ export const readFileTool: BuiltinTool = { if (!isRecord(args) || typeof args.path !== "string") { return "Error: path must be a string"; } - const resolved = resolvePathInWorkspace(ctx.cwd, args.path); - if (resolved === null) { - return "Error: path escapes workspace root"; - } + const resolved = resolvePath(ctx.cwd, args.path); try { const info = await stat(resolved); if (!info.isFile()) { diff --git a/packages/workflow-agent-builtin/src/tools/run-command.ts b/packages/workflow-agent-builtin/src/tools/run-command.ts index e5e7289..2f34843 100644 --- a/packages/workflow-agent-builtin/src/tools/run-command.ts +++ b/packages/workflow-agent-builtin/src/tools/run-command.ts @@ -1,5 +1,5 @@ import { spawn } from "node:child_process"; -import { resolvePathInWorkspace } from "./path.js"; +import { resolvePath } from "./path.js"; import type { BuiltinTool } from "./types.js"; const COMMAND_TIMEOUT_MS = 60_000; @@ -57,7 +57,7 @@ function runShell( export const runCommandTool: BuiltinTool = { name: "run_command", description: - "Run a shell command in the workspace. Requires UWF_BUILTIN_ALLOW_SHELL=1. Output is truncated.", + "Run a shell command. Output is truncated to 32KB.", parameters: { type: "object", required: ["command"], @@ -71,9 +71,6 @@ export const runCommandTool: BuiltinTool = { additionalProperties: false, }, execute: async (args, ctx) => { - if (process.env.UWF_BUILTIN_ALLOW_SHELL !== "1") { - return "Error: run_command disabled. Set UWF_BUILTIN_ALLOW_SHELL=1 to enable."; - } if (!isRecord(args) || typeof args.command !== "string") { return "Error: command must be a string"; } @@ -82,11 +79,7 @@ export const runCommandTool: BuiltinTool = { if (typeof args.cwd !== "string") { return "Error: cwd must be a string"; } - const resolved = resolvePathInWorkspace(ctx.cwd, args.cwd); - if (resolved === null) { - return "Error: cwd escapes workspace root"; - } - workDir = resolved; + workDir = resolvePath(ctx.cwd, args.cwd); } try { const { stdout, stderr, code } = await runShell(args.command, workDir); diff --git a/packages/workflow-agent-builtin/src/tools/write-file.ts b/packages/workflow-agent-builtin/src/tools/write-file.ts index e34b5df..445f665 100644 --- a/packages/workflow-agent-builtin/src/tools/write-file.ts +++ b/packages/workflow-agent-builtin/src/tools/write-file.ts @@ -1,6 +1,6 @@ import { mkdir, writeFile } from "node:fs/promises"; import { dirname } from "node:path"; -import { resolvePathInWorkspace } from "./path.js"; +import { resolvePath } from "./path.js"; import type { BuiltinTool } from "./types.js"; function isRecord(value: unknown): value is Record { @@ -23,10 +23,7 @@ export const writeFileTool: BuiltinTool = { if (!isRecord(args) || typeof args.path !== "string" || typeof args.content !== "string") { return "Error: path and content must be strings"; } - const resolved = resolvePathInWorkspace(ctx.cwd, args.path); - if (resolved === null) { - return "Error: path escapes workspace root"; - } + const resolved = resolvePath(ctx.cwd, args.path); try { await mkdir(dirname(resolved), { recursive: true }); await writeFile(resolved, args.content, "utf8");