fix

Author: seratch

src/agents/sandbox/entries/base.py

@@ -41,6 +41,16 @@ def resolve_workspace_path(
             raise InvalidManifestPathError(rel=rel_path.as_posix(), reason="absolute")
         rel_path = PurePosixPath(posixpath.normpath(rel_path.as_posix()))
         root_path = PurePosixPath(posixpath.normpath(root_path.as_posix()))
+        host_root = Path(root_path.as_posix())
+        if _path_exists(host_root):
+            try:
+                Path(rel_path.as_posix()).resolve(strict=False).relative_to(
+                    host_root.resolve(strict=False)
+                )
+            except ValueError as exc:
+                raise InvalidManifestPathError(
+                    rel=rel_path.as_posix(), reason="absolute", cause=exc
+                ) from exc
         try:
             rel_path.relative_to(root_path)
         except ValueError as exc:
@@ -63,6 +73,13 @@ def resolve_workspace_path(
     return posix_path_as_path(resolved)
 
 
+def _path_exists(path: Path) -> bool:
+    try:
+        return path.exists()
+    except OSError:
+        return False
+
+
 class BaseEntry(BaseModel, abc.ABC):
     type: str
     _subclass_registry: ClassVar[dict[str, builtins.type[BaseEntry]]] = {}

src/agents/sandbox/workspace_paths.py

@@ -64,6 +64,11 @@ def sandbox_path_str(path: str | PurePath) -> str:
     return coerce_posix_path(path).as_posix()
 
 
+def _native_path_from_windows_absolute(path: PureWindowsPath) -> Path | None:
+    native_path = Path(path)
+    return native_path if native_path.is_absolute() else None
+
+
 class SandboxPathGrant(BaseModel):
     """Extra absolute path access outside the sandbox workspace."""
 
@@ -83,16 +88,14 @@ def _coerce_path(cls, value: object) -> str:
     @field_validator("path")
     @classmethod
     def _validate_path(cls, value: str) -> str:
+        if windows_absolute_path(value) is not None:
+            raise ValueError("sandbox path grant path must be POSIX absolute")
+
         path = PurePosixPath(posixpath.normpath(value))
         if path.is_absolute():
             _raise_if_filesystem_root(path)
             return path.as_posix()
 
-        windows_path = PureWindowsPath(value)
-        if windows_path.is_absolute():
-            _raise_if_filesystem_root(windows_path)
-            return windows_path.as_posix()
-
         raise ValueError("sandbox path grant path must be absolute")
 
 
@@ -120,8 +123,9 @@ def absolute_workspace_path(self, path: str | PurePath) -> Path:
         """
 
         if (windows_path := windows_absolute_path(path)) is not None:
-            if self._root_is_existing_host_path:
-                result, _grant = self._resolved_host_path_and_grant(Path(windows_path))
+            native_path = _native_path_from_windows_absolute(windows_path)
+            if self._root_is_existing_host_path and native_path is not None:
+                result, _grant = self._resolved_host_path_and_grant(native_path)
                 return result
             raise self._invalid_path_error(windows_path)
         normalized = self._absolute_workspace_posix_path(coerce_posix_path(path))
@@ -161,12 +165,18 @@ def normalize_path(
         """
 
         if resolve_symlinks:
-            original = Path(path)
+            if (windows_path := windows_absolute_path(path)) is not None:
+                original = _native_path_from_windows_absolute(windows_path)
+                if original is None:
+                    raise self._invalid_path_error(windows_path)
+            else:
+                original = Path(path)
             result, grant = self._resolved_host_path_and_grant(original)
         else:
             if (windows_path := windows_absolute_path(path)) is not None:
-                if self._root_is_existing_host_path:
-                    result, grant = self._resolved_host_path_and_grant(Path(windows_path))
+                native_path = _native_path_from_windows_absolute(windows_path)
+                if self._root_is_existing_host_path and native_path is not None:
+                    result, grant = self._resolved_host_path_and_grant(native_path)
                     if for_write:
                         self._raise_if_read_only_grant(result, grant)
                     return result

tests/sandbox/test_entries.py

@@ -122,6 +122,32 @@ def test_resolve_workspace_path_rejects_absolute_escape_after_normalization() ->
     assert exc_info.value.context == {"rel": "/etc/passwd", "reason": "absolute"}
 
 
+def test_resolve_workspace_path_rejects_absolute_symlink_escape_for_host_root(
+    tmp_path: Path,
+) -> None:
+    root = tmp_path / "workspace"
+    outside = tmp_path / "outside"
+    root.mkdir()
+    outside.mkdir()
+    link = root / "link"
+    try:
+        os.symlink(outside, link, target_is_directory=True)
+    except (NotImplementedError, OSError) as exc:
+        pytest.skip(f"symlink unavailable: {exc}")
+
+    escaped = link / "secret.txt"
+
+    with pytest.raises(InvalidManifestPathError) as exc_info:
+        resolve_workspace_path(
+            root,
+            escaped,
+            allow_absolute_within_root=True,
+        )
+
+    assert str(exc_info.value) == f"manifest path must be relative: {escaped.as_posix()}"
+    assert exc_info.value.context == {"rel": escaped.as_posix(), "reason": "absolute"}
+
+
 @pytest.mark.asyncio
 async def test_base_sandbox_session_uses_current_working_directory_for_local_file_sources(
     monkeypatch: pytest.MonkeyPatch,

tests/sandbox/test_workspace_paths.py

@@ -303,6 +303,29 @@ def test_windows_drive_absolute_path_is_rejected_before_posix_coercion() -> None
     assert exc_info.value.context == {"rel": "C:/tmp/secret.txt", "reason": "absolute"}
 
 
+def test_existing_host_root_rejects_windows_drive_absolute_paths(tmp_path: Path) -> None:
+    workspace = tmp_path / "workspace"
+    workspace.mkdir()
+    policy = WorkspacePathPolicy(root=workspace)
+    methods: tuple[PathPolicyMethod, ...] = (
+        lambda policy, path: policy.absolute_workspace_path(path),
+        lambda policy, path: policy.normalize_path(path),
+        lambda policy, path: policy.normalize_path(path, resolve_symlinks=True),
+    )
+
+    for method in methods:
+        for path in (
+            PureWindowsPath("C:/tmp/secret.txt"),
+            "C:\\tmp\\secret.txt",
+            coerce_posix_path(PureWindowsPath("C:/tmp/secret.txt")),
+        ):
+            with pytest.raises(InvalidManifestPathError) as exc_info:
+                method(policy, path)
+
+            assert str(exc_info.value) == "manifest path must be relative: C:/tmp/secret.txt"
+            assert exc_info.value.context == {"rel": "C:/tmp/secret.txt", "reason": "absolute"}
+
+
 def test_relative_path_rejects_windows_drive_absolute_path_for_host_root(
     tmp_path: Path,
 ) -> None:
@@ -341,6 +364,29 @@ def test_sandbox_extra_path_grant_rules_use_posix_paths() -> None:
     )
 
 
+def test_extra_path_grant_rejects_windows_drive_absolute_path() -> None:
+    for path in (
+        PureWindowsPath("C:/tmp"),
+        "C:\\tmp",
+        coerce_posix_path(PureWindowsPath("C:/tmp")),
+    ):
+        with pytest.raises(ValidationError) as exc_info:
+            SandboxPathGrant(path=cast(Any, path))
+
+        errors = exc_info.value.errors(include_url=False)
+        assert len(errors) == 1
+        error = dict(errors[0])
+        ctx = cast(dict[str, Any], error["ctx"])
+        error["ctx"] = {"error": str(ctx["error"])}
+        assert error == {
+            "type": "value_error",
+            "loc": ("path",),
+            "msg": "Value error, sandbox path grant path must be POSIX absolute",
+            "input": path,
+            "ctx": {"error": "sandbox path grant path must be POSIX absolute"},
+        }
+
+
 def test_manifest_serializes_extra_path_grants() -> None:
     manifest = Manifest(
         extra_path_grants=(