fix(cli): cp-style sandbox download and workspace-boundary check#1318
Draft
laitingsheng wants to merge 1 commit into
Draft
fix(cli): cp-style sandbox download and workspace-boundary check#1318laitingsheng wants to merge 1 commit into
laitingsheng wants to merge 1 commit into
Conversation
`openshell sandbox download` produced a directory at the host destination instead of writing the source bytes as a regular file, and did not refuse sandbox-side paths that resolved outside `/sandbox` (only `creds.json` was rejected, by filesystem policy rather than by an explicit check). Mirrors the cp-style design from the upload-side fixes (NVIDIA#667 / NVIDIA#694 and NVIDIA#885 / NVIDIA#952): destination resolution now respects trailing slashes and existing-directory destinations, single-file sources land as regular files via a staged extraction and atomic rename, and the function delegates the SSH tar stream to a shared helper. Adds an explicit lexical workspace-boundary check on the sandbox-side source — required on the download side because filesystem policy alone is not a substitute for an explicit check when crossing the trust boundary in the leak direction. Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
openshell sandbox downloadproduced a directory at the host destination instead of writing the source bytes as a regular file, and did not refuse sandbox-side paths that resolved outside/sandbox. This brings the download path to parity with the upload-side cp-style fix shipped in #694 (#667) and #952 (#885), and adds the explicit workspace-boundary check that the upload side never needed.Related Issue
Fixes NVIDIA/NemoClaw#3345
Changes
sandbox_sync_downnow validates the sandbox-side source path with a lexical workspace-boundary check before issuing any SSH command. Paths that resolve outside/sandbox(e.g./etc/passwd,/sandbox/../etc/passwd,/sandboxed/secrets) are refused with a clear error.cp-style destination semantics:dest(ordestalready exists as a directory) → file lands at<dest>/<source-basename>.destis taken as the exact file path.dest(with an early refusal whendestexists as a non-directory).stream_sandbox_tarhelper, mirroring the upload-sidessh_tar_uploadrefactor from fix(cli): sandbox upload overwrites files instead of creating directories #694.sandbox_sync_downtakesdest: &strso trailing slashes survive (previously the value was converted to&Pathat the dispatch site, which dropped them).Testing
mise run pre-commitpassesChecklist