opencode icon indicating copy to clipboard operation
opencode copied to clipboard
Published 1 week ago verified publisher icon anomalyco

fix(tools): sandbox glob and grep to project directory

Open androolloyd opened this issue 1 week ago • 2 comments

Summary

Adds path containment checks to glob and grep tools to prevent searches outside the project directory.

Problem

When an AI agent provides a path parameter that resolves outside the project directory (e.g., ~, /Users/username, or ../), the glob and grep tools would happily traverse the entire filesystem. On macOS, this triggers permission dialogs for protected directories like:

  • ~/Library
  • ~/Music
  • ~/Photos
  • ~/Pictures

This is both a security concern and a poor UX (permission dialog spam).

Solution

Mirror the existing sandboxing pattern from bash.ts (line 88) which uses Filesystem.contains() to validate paths:

if (!Filesystem.contains(Instance.directory, searchPath)) {
  throw new Error(`Search path "..." is outside the project directory...`)
}

Changes

  • glob.ts: Add Filesystem import and containment check after path resolution
  • grep.ts: Add path import, Filesystem import, resolve relative paths, and add containment check

Testing

Verified the logic correctly:

  • ✅ Allows searches within project directory
  • ✅ Allows searches in subdirectories
  • ✅ Blocks $HOME directory
  • ✅ Blocks ../ escape attempts
  • ✅ Blocks absolute paths outside project
  • ✅ Blocks protected macOS directories

Related

This fixes the same class of issue that bash tool already handles, bringing glob/grep tools to parity.

androolloyd avatar Jan 15 '26 22:01 androolloyd

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

  1. Open an issue describing the bug/feature (if one doesn't exist)
  2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

github-actions[bot] avatar Jan 15 '26 22:01 github-actions[bot]

The following comment was made by an LLM, it may be inaccurate:

I found several related PRs that address similar path containment and security concerns:

Related PRs:

  1. PR #8727 - fix(security): prevent path traversal via symlinks in File.read and File.list

    • Directly related: addresses path traversal security using similar containment patterns

  2. PR #8316 - fix: prevent path traversal via symlinks and cross-drive paths

    • Related: part of the broader effort to prevent path traversal vulnerabilities

  3. PR #7515 - fix: address external_directory gaps and improve symlink checks

    • Related: addresses gaps in directory security checks

  4. PR #6403 - fix: prevent symlink escape in Filesystem.contains

    • Related: improves the underlying Filesystem.contains() method that this PR uses

These are not duplicates of PR #8754, but rather part of a coordinated effort to secure path handling across multiple tools and improve the Filesystem.contains() function it relies on.

github-actions[bot] avatar Jan 15 '26 22:01 github-actions[bot]