fix(security): confine send_file reads to /workspace (CVE-2026-29611)#2799
Open
sturdy4days wants to merge 2 commits into
…isplay name send_file accepts an absolute `path` and copies it into the outbox after only an existence check, with no root restriction — a prompt-injected agent can exfiltrate any container-readable file (credential state, /workspace/extra/* mounts). Reported as CVE-2026-29611 (nanocoai#2760), High, unpatched. Confine the resolved source to /workspace, and basename the display name so a `..`-laden filename can't path.join() its way out of the outbox and overwrite an active skill (instruction injection on the next spawn). Closes nanocoai#2760
What

`send_file` accepts an absolute `path` and copies the file into the outbox after only an existence check — no root restriction, no canonicalization. A prompt-injected or compromised agent can read any container-visible file (credential state, files under `/workspace/extra/*` mounts) and exfiltrate it through the normal attachment path.

Reported as CVE-2026-29611 / #2760 (High, <= 2.0.64, unpatched).

How it works

- … `/workspace` — an absolute path outside it is rejected.
- `basename()` the display name as well: `path.join(outboxDir, filename)` resolves `..`, so a crafted `filename` could otherwise write outside the outbox and overwrite an active skill (instruction injection on the next spawn). This closes the write-side of the same path-handling flaw.

Legitimate sends are unaffected — agent files live under `/workspace/agent`, inbox/outbox, and `/workspace/extra/*`, all within `/workspace`.

How it was tested

Container typecheck passes. The identical change runs in a downstream fork with the existing `core.test.ts` plus the full container suite (236) green.

Closes #2760