2026-03-11 14:42:50 -07:00
|
|
|
/**
|
|
|
|
|
* @license
|
2026-03-13 14:11:51 -07:00
|
|
|
* Copyright 2026 Google LLC
|
2026-03-11 14:42:50 -07:00
|
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
*/
|
|
|
|
|
|
2026-03-24 21:23:51 -04:00
|
|
|
import fs from 'node:fs/promises';
|
2026-03-23 11:43:58 -04:00
|
|
|
import os from 'node:os';
|
|
|
|
|
import path from 'node:path';
|
2026-03-25 17:54:45 +00:00
|
|
|
import {
|
|
|
|
|
isKnownSafeCommand as isMacSafeCommand,
|
|
|
|
|
isDangerousCommand as isMacDangerousCommand,
|
2026-03-25 18:58:45 -07:00
|
|
|
} from '../sandbox/utils/commandSafety.js';
|
2026-03-25 17:54:45 +00:00
|
|
|
import {
|
|
|
|
|
isKnownSafeCommand as isWindowsSafeCommand,
|
|
|
|
|
isDangerousCommand as isWindowsDangerousCommand,
|
|
|
|
|
} from '../sandbox/windows/commandSafety.js';
|
2026-03-24 21:23:51 -04:00
|
|
|
import { isNodeError } from '../utils/errors.js';
|
2026-03-11 14:42:50 -07:00
|
|
|
import {
|
|
|
|
|
sanitizeEnvironment,
|
2026-03-16 21:34:48 +00:00
|
|
|
getSecureSanitizationConfig,
|
2026-03-11 14:42:50 -07:00
|
|
|
type EnvironmentSanitizationConfig,
|
|
|
|
|
} from './environmentSanitization.js';
|
2026-03-26 15:10:15 -07:00
|
|
|
import type { ShellExecutionResult } from './shellExecutionService.js';
|
2026-03-27 12:57:26 -04:00
|
|
|
import type { SandboxPolicyManager } from '../policy/sandboxPolicyManager.js';
|
2026-03-23 21:48:13 -07:00
|
|
|
export interface SandboxPermissions {
|
|
|
|
|
/** Filesystem permissions. */
|
|
|
|
|
fileSystem?: {
|
|
|
|
|
/** Paths that should be readable by the command. */
|
|
|
|
|
read?: string[];
|
|
|
|
|
/** Paths that should be writable by the command. */
|
|
|
|
|
write?: string[];
|
|
|
|
|
};
|
|
|
|
|
/** Whether the command should have network access. */
|
|
|
|
|
network?: boolean;
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-23 11:43:58 -04:00
|
|
|
/**
|
|
|
|
|
* Security boundaries and permissions applied to a specific sandboxed execution.
|
|
|
|
|
*/
|
|
|
|
|
export interface ExecutionPolicy {
|
|
|
|
|
/** Additional absolute paths to grant full read/write access to. */
|
|
|
|
|
allowedPaths?: string[];
|
|
|
|
|
/** Whether network access is allowed. */
|
|
|
|
|
networkAccess?: boolean;
|
|
|
|
|
/** Rules for scrubbing sensitive environment variables. */
|
|
|
|
|
sanitizationConfig?: Partial<EnvironmentSanitizationConfig>;
|
2026-03-23 21:48:13 -07:00
|
|
|
/** Additional granular permissions to grant to this command. */
|
|
|
|
|
additionalPermissions?: SandboxPermissions;
|
2026-03-23 11:43:58 -04:00
|
|
|
}
|
|
|
|
|
|
2026-03-27 12:57:26 -04:00
|
|
|
/**
|
|
|
|
|
* Configuration for the sandbox mode behavior.
|
|
|
|
|
*/
|
|
|
|
|
export interface SandboxModeConfig {
|
|
|
|
|
readonly?: boolean;
|
|
|
|
|
network?: boolean;
|
|
|
|
|
approvedTools?: string[];
|
|
|
|
|
allowOverrides?: boolean;
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-23 11:43:58 -04:00
|
|
|
/**
|
|
|
|
|
* Global configuration options used to initialize a SandboxManager.
|
|
|
|
|
*/
|
|
|
|
|
export interface GlobalSandboxOptions {
|
2026-04-01 12:27:55 -04:00
|
|
|
/** The absolute path to the primary workspace directory, granted full read/write access. */
|
2026-03-23 11:43:58 -04:00
|
|
|
workspace: string;
|
2026-03-31 22:06:50 +00:00
|
|
|
/** Absolute paths to explicitly include in the workspace context. */
|
|
|
|
|
includeDirectories?: string[];
|
2026-04-01 12:27:55 -04:00
|
|
|
/** An optional asynchronous resolver function for paths that should be explicitly denied. */
|
|
|
|
|
forbiddenPaths?: () => Promise<string[]>;
|
2026-03-27 12:57:26 -04:00
|
|
|
/** The current sandbox mode behavior from config. */
|
|
|
|
|
modeConfig?: SandboxModeConfig;
|
|
|
|
|
/** The policy manager for persistent approvals. */
|
|
|
|
|
policyManager?: SandboxPolicyManager;
|
2026-03-23 11:43:58 -04:00
|
|
|
}
|
2026-03-11 14:42:50 -07:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Request for preparing a command to run in a sandbox.
|
|
|
|
|
*/
|
|
|
|
|
export interface SandboxRequest {
|
|
|
|
|
/** The program to execute. */
|
|
|
|
|
command: string;
|
|
|
|
|
/** Arguments for the program. */
|
|
|
|
|
args: string[];
|
|
|
|
|
/** The working directory. */
|
|
|
|
|
cwd: string;
|
|
|
|
|
/** Environment variables to be passed to the program. */
|
|
|
|
|
env: NodeJS.ProcessEnv;
|
2026-03-23 11:43:58 -04:00
|
|
|
/** Policy to use for this request. */
|
|
|
|
|
policy?: ExecutionPolicy;
|
2026-03-11 14:42:50 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* A command that has been prepared for sandboxed execution.
|
|
|
|
|
*/
|
|
|
|
|
export interface SandboxedCommand {
|
|
|
|
|
/** The program or wrapper to execute. */
|
|
|
|
|
program: string;
|
|
|
|
|
/** Final arguments for the program. */
|
|
|
|
|
args: string[];
|
|
|
|
|
/** Sanitized environment variables. */
|
|
|
|
|
env: NodeJS.ProcessEnv;
|
2026-03-13 14:11:51 -07:00
|
|
|
/** The working directory. */
|
|
|
|
|
cwd?: string;
|
2026-03-31 13:35:13 -04:00
|
|
|
/** An optional cleanup function to be called after the command terminates. */
|
|
|
|
|
cleanup?: () => void;
|
2026-03-11 14:42:50 -07:00
|
|
|
}
|
|
|
|
|
|
2026-03-26 15:10:15 -07:00
|
|
|
/**
|
|
|
|
|
* A structured result from parsing sandbox denials.
|
|
|
|
|
*/
|
|
|
|
|
export interface ParsedSandboxDenial {
|
|
|
|
|
/** If the denial is related to file system access, these are the paths that were blocked. */
|
|
|
|
|
filePaths?: string[];
|
|
|
|
|
/** If the denial is related to network access. */
|
|
|
|
|
network?: boolean;
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-11 14:42:50 -07:00
|
|
|
/**
|
|
|
|
|
* Interface for a service that prepares commands for sandboxed execution.
|
|
|
|
|
*/
|
|
|
|
|
export interface SandboxManager {
|
|
|
|
|
/**
|
|
|
|
|
* Prepares a command to run in a sandbox, including environment sanitization.
|
|
|
|
|
*/
|
|
|
|
|
prepareCommand(req: SandboxRequest): Promise<SandboxedCommand>;
|
2026-03-25 17:54:45 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Checks if a command with its arguments is known to be safe for this sandbox.
|
|
|
|
|
*/
|
|
|
|
|
isKnownSafeCommand(args: string[]): boolean;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Checks if a command with its arguments is explicitly known to be dangerous for this sandbox.
|
|
|
|
|
*/
|
|
|
|
|
isDangerousCommand(args: string[]): boolean;
|
2026-03-26 15:10:15 -07:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Parses the output of a command to detect sandbox denials.
|
|
|
|
|
*/
|
|
|
|
|
parseDenials(result: ShellExecutionResult): ParsedSandboxDenial | undefined;
|
2026-03-11 14:42:50 -07:00
|
|
|
}
|
|
|
|
|
|
2026-03-24 04:04:17 +00:00
|
|
|
/**
|
|
|
|
|
* Files that represent the governance or "constitution" of the repository
|
|
|
|
|
* and should be write-protected in any sandbox.
|
|
|
|
|
*/
|
|
|
|
|
export const GOVERNANCE_FILES = [
|
|
|
|
|
{ path: '.gitignore', isDirectory: false },
|
|
|
|
|
{ path: '.geminiignore', isDirectory: false },
|
|
|
|
|
{ path: '.git', isDirectory: true },
|
|
|
|
|
] as const;
|
|
|
|
|
|
2026-03-26 20:35:21 +00:00
|
|
|
/**
|
|
|
|
|
* Files that contain sensitive secrets or credentials and should be
|
|
|
|
|
* completely hidden (deny read/write) in any sandbox.
|
|
|
|
|
*/
|
|
|
|
|
export const SECRET_FILES = [
|
|
|
|
|
{ pattern: '.env' },
|
|
|
|
|
{ pattern: '.env.*' },
|
|
|
|
|
] as const;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Checks if a given file name matches any of the secret file patterns.
|
|
|
|
|
*/
|
|
|
|
|
export function isSecretFile(fileName: string): boolean {
|
|
|
|
|
return SECRET_FILES.some((s) => {
|
|
|
|
|
if (s.pattern.endsWith('*')) {
|
|
|
|
|
const prefix = s.pattern.slice(0, -1);
|
|
|
|
|
return fileName.startsWith(prefix);
|
|
|
|
|
}
|
|
|
|
|
return fileName === s.pattern;
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Returns arguments for the Linux 'find' command to locate secret files.
|
|
|
|
|
*/
|
|
|
|
|
export function getSecretFileFindArgs(): string[] {
|
|
|
|
|
const args: string[] = ['('];
|
|
|
|
|
SECRET_FILES.forEach((s, i) => {
|
|
|
|
|
if (i > 0) args.push('-o');
|
|
|
|
|
args.push('-name', s.pattern);
|
|
|
|
|
});
|
|
|
|
|
args.push(')');
|
|
|
|
|
return args;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Finds all secret files in a directory up to a certain depth.
|
|
|
|
|
* Default is shallow scan (depth 1) for performance.
|
|
|
|
|
*/
|
|
|
|
|
export async function findSecretFiles(
|
|
|
|
|
baseDir: string,
|
|
|
|
|
maxDepth = 1,
|
|
|
|
|
): Promise<string[]> {
|
|
|
|
|
const secrets: string[] = [];
|
|
|
|
|
const skipDirs = new Set([
|
|
|
|
|
'node_modules',
|
|
|
|
|
'.git',
|
|
|
|
|
'.venv',
|
|
|
|
|
'__pycache__',
|
|
|
|
|
'dist',
|
|
|
|
|
'build',
|
|
|
|
|
'.next',
|
|
|
|
|
'.idea',
|
|
|
|
|
'.vscode',
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
async function walk(dir: string, depth: number) {
|
|
|
|
|
if (depth > maxDepth) return;
|
|
|
|
|
try {
|
|
|
|
|
const entries = await fs.readdir(dir, { withFileTypes: true });
|
|
|
|
|
for (const entry of entries) {
|
|
|
|
|
const fullPath = path.join(dir, entry.name);
|
|
|
|
|
if (entry.isDirectory()) {
|
|
|
|
|
if (!skipDirs.has(entry.name)) {
|
|
|
|
|
await walk(fullPath, depth + 1);
|
|
|
|
|
}
|
|
|
|
|
} else if (entry.isFile()) {
|
|
|
|
|
if (isSecretFile(entry.name)) {
|
|
|
|
|
secrets.push(fullPath);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} catch {
|
|
|
|
|
// Ignore read errors
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
await walk(baseDir, 1);
|
|
|
|
|
return secrets;
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-11 14:42:50 -07:00
|
|
|
/**
|
|
|
|
|
* A no-op implementation of SandboxManager that silently passes commands
|
|
|
|
|
* through while applying environment sanitization.
|
|
|
|
|
*/
|
|
|
|
|
export class NoopSandboxManager implements SandboxManager {
|
|
|
|
|
/**
|
|
|
|
|
* Prepares a command by sanitizing the environment and passing through
|
|
|
|
|
* the original program and arguments.
|
|
|
|
|
*/
|
|
|
|
|
async prepareCommand(req: SandboxRequest): Promise<SandboxedCommand> {
|
2026-03-16 21:34:48 +00:00
|
|
|
const sanitizationConfig = getSecureSanitizationConfig(
|
2026-03-23 11:43:58 -04:00
|
|
|
req.policy?.sanitizationConfig,
|
2026-03-16 21:34:48 +00:00
|
|
|
);
|
2026-03-11 14:42:50 -07:00
|
|
|
|
|
|
|
|
const sanitizedEnv = sanitizeEnvironment(req.env, sanitizationConfig);
|
|
|
|
|
|
|
|
|
|
return {
|
|
|
|
|
program: req.command,
|
|
|
|
|
args: req.args,
|
|
|
|
|
env: sanitizedEnv,
|
|
|
|
|
};
|
|
|
|
|
}
|
2026-03-25 17:54:45 +00:00
|
|
|
|
|
|
|
|
isKnownSafeCommand(args: string[]): boolean {
|
|
|
|
|
return os.platform() === 'win32'
|
|
|
|
|
? isWindowsSafeCommand(args)
|
|
|
|
|
: isMacSafeCommand(args);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
isDangerousCommand(args: string[]): boolean {
|
|
|
|
|
return os.platform() === 'win32'
|
|
|
|
|
? isWindowsDangerousCommand(args)
|
|
|
|
|
: isMacDangerousCommand(args);
|
|
|
|
|
}
|
2026-03-26 15:10:15 -07:00
|
|
|
|
|
|
|
|
parseDenials(): undefined {
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
2026-03-11 14:42:50 -07:00
|
|
|
}
|
2026-03-13 14:11:51 -07:00
|
|
|
|
|
|
|
|
/**
|
2026-03-26 15:10:15 -07:00
|
|
|
* A SandboxManager implementation that just runs locally (no sandboxing yet).
|
2026-03-13 14:11:51 -07:00
|
|
|
*/
|
|
|
|
|
export class LocalSandboxManager implements SandboxManager {
|
|
|
|
|
async prepareCommand(_req: SandboxRequest): Promise<SandboxedCommand> {
|
|
|
|
|
throw new Error('Tool sandboxing is not yet implemented.');
|
|
|
|
|
}
|
2026-03-25 17:54:45 +00:00
|
|
|
|
|
|
|
|
isKnownSafeCommand(_args: string[]): boolean {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
isDangerousCommand(_args: string[]): boolean {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2026-03-26 15:10:15 -07:00
|
|
|
|
|
|
|
|
parseDenials(): undefined {
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
2026-03-13 14:11:51 -07:00
|
|
|
}
|
|
|
|
|
|
2026-04-01 12:27:55 -04:00
|
|
|
/**
|
|
|
|
|
* Resolves sanitized allowed and forbidden paths for a request.
|
|
|
|
|
* Filters the workspace from allowed paths and ensures forbidden paths take precedence.
|
|
|
|
|
*/
|
|
|
|
|
export async function resolveSandboxPaths(
|
|
|
|
|
options: GlobalSandboxOptions,
|
|
|
|
|
req: SandboxRequest,
|
|
|
|
|
): Promise<{
|
|
|
|
|
allowed: string[];
|
|
|
|
|
forbidden: string[];
|
|
|
|
|
}> {
|
|
|
|
|
const forbidden = sanitizePaths(await options.forbiddenPaths?.());
|
|
|
|
|
const allowed = sanitizePaths(req.policy?.allowedPaths);
|
|
|
|
|
|
|
|
|
|
const workspaceIdentity = getPathIdentity(options.workspace);
|
|
|
|
|
const forbiddenIdentities = new Set(forbidden.map(getPathIdentity));
|
|
|
|
|
|
|
|
|
|
const filteredAllowed = allowed.filter((p) => {
|
|
|
|
|
const identity = getPathIdentity(p);
|
|
|
|
|
return identity !== workspaceIdentity && !forbiddenIdentities.has(identity);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
return {
|
|
|
|
|
allowed: filteredAllowed,
|
|
|
|
|
forbidden,
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-23 11:43:58 -04:00
|
|
|
/**
|
|
|
|
|
* Sanitizes an array of paths by deduplicating them and ensuring they are absolute.
|
2026-04-01 12:27:55 -04:00
|
|
|
* Always returns an array (empty if input is null/undefined).
|
2026-03-23 11:43:58 -04:00
|
|
|
*/
|
2026-04-01 12:27:55 -04:00
|
|
|
export function sanitizePaths(paths?: string[] | null): string[] {
|
|
|
|
|
if (!paths || paths.length === 0) return [];
|
2026-03-23 11:43:58 -04:00
|
|
|
|
|
|
|
|
const uniquePathsMap = new Map<string, string>();
|
|
|
|
|
for (const p of paths) {
|
|
|
|
|
if (!path.isAbsolute(p)) {
|
|
|
|
|
throw new Error(`Sandbox path must be absolute: ${p}`);
|
|
|
|
|
}
|
|
|
|
|
|
2026-04-01 12:27:55 -04:00
|
|
|
const key = getPathIdentity(p);
|
2026-03-23 11:43:58 -04:00
|
|
|
if (!uniquePathsMap.has(key)) {
|
|
|
|
|
uniquePathsMap.set(key, p);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return Array.from(uniquePathsMap.values());
|
|
|
|
|
}
|
2026-03-24 21:23:51 -04:00
|
|
|
|
2026-04-01 12:27:55 -04:00
|
|
|
/** Returns a normalized identity for a path, stripping trailing slashes and handling case sensitivity. */
|
|
|
|
|
export function getPathIdentity(p: string): string {
|
|
|
|
|
let norm = path.normalize(p);
|
|
|
|
|
|
|
|
|
|
// Strip trailing slashes (except for root paths)
|
|
|
|
|
if (norm.length > 1 && (norm.endsWith('/') || norm.endsWith('\\'))) {
|
|
|
|
|
norm = norm.slice(0, -1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const platform = os.platform();
|
|
|
|
|
const isCaseInsensitive = platform === 'win32' || platform === 'darwin';
|
|
|
|
|
return isCaseInsensitive ? norm.toLowerCase() : norm;
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-24 21:23:51 -04:00
|
|
|
/**
|
|
|
|
|
* Resolves symlinks for a given path to prevent sandbox escapes.
|
|
|
|
|
* If a file does not exist (ENOENT), it recursively resolves the parent directory.
|
|
|
|
|
* Other errors (e.g. EACCES) are re-thrown.
|
|
|
|
|
*/
|
|
|
|
|
export async function tryRealpath(p: string): Promise<string> {
|
|
|
|
|
try {
|
|
|
|
|
return await fs.realpath(p);
|
|
|
|
|
} catch (e) {
|
|
|
|
|
if (isNodeError(e) && e.code === 'ENOENT') {
|
|
|
|
|
const parentDir = path.dirname(p);
|
|
|
|
|
if (parentDir === p) {
|
|
|
|
|
return p;
|
|
|
|
|
}
|
|
|
|
|
return path.join(await tryRealpath(parentDir), path.basename(p));
|
|
|
|
|
}
|
|
|
|
|
throw e;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-19 15:25:22 -07:00
|
|
|
export { createSandboxManager } from './sandboxManagerFactory.js';
|
