@@ -318,21 +318,36 @@ def _check_working_dir_restriction(
318318 # For relative paths, resolve them relative to working_dir, not caller's cwd
319319 if arg .startswith (("/" , "~" )):
320320 resolved_path = str (Path (arg ).expanduser ().resolve ())
321+ is_relative = False
321322 else :
322323 resolved_path = str (
323324 Path (working_dir , arg ).expanduser ().resolve (strict = False )
324325 )
326+ is_relative = True
327+
325328 # Check if path is allowed: in working_dir, /tmp, or /private/tmp (macOS)
326329 is_in_tmp = resolved_path .startswith (("/tmp" , "/private/tmp" ))
327330 is_in_working_dir = (
328331 resolved_path == allowed_path_str
329332 or resolved_path .startswith (allowed_path_str_prefix )
330333 )
331- if not (is_in_tmp or is_in_working_dir ):
332- return (
333- True ,
334- f"Path '{ arg } ' is outside allowed directory '{ working_dir } '" ,
335- )
334+
335+ # For relative paths: must be within working_dir (not just /tmp)
336+ # For absolute paths: can be in working_dir OR /tmp
337+ if is_relative :
338+ # Relative paths must stay within working_dir
339+ if not is_in_working_dir :
340+ return (
341+ True ,
342+ f"Path '{ arg } ' is outside allowed directory '{ working_dir } '" ,
343+ )
344+ else :
345+ # Absolute paths can be in working_dir or /tmp
346+ if not (is_in_tmp or is_in_working_dir ):
347+ return (
348+ True ,
349+ f"Path '{ arg } ' is outside allowed directory '{ working_dir } '" ,
350+ )
336351 except Exception :
337352 # If we can't resolve, skip (might be a flag value)
338353 pass