Allow @-includes outside of workspaces (with permission) (#18470)

2026-04-20 10:10:56 -07:00 · 2026-02-09 12:24:28 -08:00
parent e73288f25f
commit 262e8384d4
17 changed files with 250 additions and 64 deletions
@@ -1880,9 +1880,22 @@ export class Config {
   * Validates if a path is allowed and returns a detailed error message if not.
   *
   * @param absolutePath The absolute path to validate.
+   * @param checkType The type of access to check ('read' or 'write'). Defaults to 'write' for safety.
   * @returns An error message string if the path is disallowed, null otherwise.
   */
-  validatePathAccess(absolutePath: string): string | null {
+  validatePathAccess(
+    absolutePath: string,
+    checkType: 'read' | 'write' = 'write',
+  ): string | null {
+    // For read operations, check read-only paths first
+    if (checkType === 'read') {
+      if (this.getWorkspaceContext().isPathReadable(absolutePath)) {
+        return null;
+      }
+    }
+
+    // Then check standard allowed paths (Workspace + Temp)
+    // This covers 'write' checks and acts as a fallback/temp-dir check for 'read'
    if (this.isPathAllowed(absolutePath)) {
      return null;
    }
@@ -123,8 +123,10 @@ class GlobToolInvocation extends BaseToolInvocation<
          this.config.getTargetDir(),
          this.params.dir_path,
        );
-        const validationError =
-          this.config.validatePathAccess(searchDirAbsolute);
+        const validationError = this.config.validatePathAccess(
+          searchDirAbsolute,
+          'read',
+        );
        if (validationError) {
          return {
            llmContent: validationError,
@@ -318,7 +320,10 @@ export class GlobTool extends BaseDeclarativeTool<GlobToolParams, ToolResult> {
      params.dir_path || '.',
    );

-    const validationError = this.config.validatePathAccess(searchDirAbsolute);
+    const validationError = this.config.validatePathAccess(
+      searchDirAbsolute,
+      'read',
+    );
    if (validationError) {
      return validationError;
    }
@@ -123,7 +123,10 @@ class GrepToolInvocation extends BaseToolInvocation<
      let searchDirAbs: string | null = null;
      if (pathParam) {
        searchDirAbs = path.resolve(this.config.getTargetDir(), pathParam);
-        const validationError = this.config.validatePathAccess(searchDirAbs);
+        const validationError = this.config.validatePathAccess(
+          searchDirAbs,
+          'read',
+        );
        if (validationError) {
          return {
            llmContent: validationError,
@@ -623,7 +626,10 @@ export class GrepTool extends BaseDeclarativeTool<GrepToolParams, ToolResult> {
        this.config.getTargetDir(),
        params.dir_path,
      );
-      const validationError = this.config.validatePathAccess(resolvedPath);
+      const validationError = this.config.validatePathAccess(
+        resolvedPath,
+        'read',
+      );
      if (validationError) {
        return validationError;
      }
@@ -143,7 +143,10 @@ class LSToolInvocation extends BaseToolInvocation<LSToolParams, ToolResult> {
      this.params.dir_path,
    );

-    const validationError = this.config.validatePathAccess(resolvedDirPath);
+    const validationError = this.config.validatePathAccess(
+      resolvedDirPath,
+      'read',
+    );
    if (validationError) {
      return {
        llmContent: validationError,
@@ -331,7 +334,7 @@ export class LSTool extends BaseDeclarativeTool<LSToolParams, ToolResult> {
      this.config.getTargetDir(),
      params.dir_path,
    );
-    return this.config.validatePathAccess(resolvedPath);
+    return this.config.validatePathAccess(resolvedPath, 'read');
  }

  protected createInvocation(
@@ -76,7 +76,10 @@ class ReadFileToolInvocation extends BaseToolInvocation<
  }

  async execute(): Promise<ToolResult> {
-    const validationError = this.config.validatePathAccess(this.resolvedPath);
+    const validationError = this.config.validatePathAccess(
+      this.resolvedPath,
+      'read',
+    );
    if (validationError) {
      return {
        llmContent: validationError,
@@ -213,7 +216,10 @@ export class ReadFileTool extends BaseDeclarativeTool<
      params.file_path,
    );

-    const validationError = this.config.validatePathAccess(resolvedPath);
+    const validationError = this.config.validatePathAccess(
+      resolvedPath,
+      'read',
+    );
    if (validationError) {
      return validationError;
    }
@@ -221,7 +221,10 @@ ${finalExclusionPatternsForDescription

        const fullPath = path.resolve(this.config.getTargetDir(), relativePath);

-        const validationError = this.config.validatePathAccess(fullPath);
+        const validationError = this.config.validatePathAccess(
+          fullPath,
+          'read',
+        );
        if (validationError) {
          skippedFiles.push({
            path: fullPath,
@@ -164,7 +164,10 @@ class GrepToolInvocation extends BaseToolInvocation<
      const pathParam = this.params.dir_path || '.';

      const searchDirAbs = path.resolve(this.config.getTargetDir(), pathParam);
-      const validationError = this.config.validatePathAccess(searchDirAbs);
+      const validationError = this.config.validatePathAccess(
+        searchDirAbs,
+        'read',
+      );
      if (validationError) {
        return {
          llmContent: validationError,
@@ -582,7 +585,10 @@ export class RipGrepTool extends BaseDeclarativeTool<
        this.config.getTargetDir(),
        params.dir_path,
      );
-      const validationError = this.config.validatePathAccess(resolvedPath);
+      const validationError = this.config.validatePathAccess(
+        resolvedPath,
+        'read',
+      );
      if (validationError) {
        return validationError;
      }
@@ -24,6 +24,7 @@ export interface AddDirectoriesResult {
 export class WorkspaceContext {
  private directories = new Set<string>();
  private initialDirectories: Set<string>;
+  private readOnlyPaths = new Set<string>();
  private onDirectoriesChangedListeners = new Set<() => void>();

  /**
@@ -113,6 +114,24 @@ export class WorkspaceContext {
    return result;
  }

+  /**
+   * Adds a path to the read-only list.
+   * These paths are allowed for reading but not for writing (unless they are also in the workspace).
+   */
+  addReadOnlyPath(pathToAdd: string): void {
+    try {
+      // Check if it exists
+      if (!fs.existsSync(pathToAdd)) {
+        return;
+      }
+      // Resolve symlinks
+      const resolved = fs.realpathSync(path.resolve(this.targetDir, pathToAdd));
+      this.readOnlyPaths.add(resolved);
+    } catch (e) {
+      debugLogger.warn(`Failed to add read-only path ${pathToAdd}:`, e);
+    }
+  }
+
  private resolveAndValidateDir(directory: string): string {
    const absolutePath = path.resolve(this.targetDir, directory);

@@ -174,6 +193,34 @@ export class WorkspaceContext {
    }
  }

+  /**
+   * Checks if a path is allowed to be read.
+   * This includes workspace paths and explicitly added read-only paths.
+   * @param pathToCheck The path to validate
+   * @returns True if the path is readable, false otherwise
+   */
+  isPathReadable(pathToCheck: string): boolean {
+    if (this.isPathWithinWorkspace(pathToCheck)) {
+      return true;
+    }
+    try {
+      const fullyResolvedPath = this.fullyResolvedPath(pathToCheck);
+
+      for (const allowedPath of this.readOnlyPaths) {
+        // Allow exact matches or subpaths (if allowedPath is a directory)
+        if (
+          fullyResolvedPath === allowedPath ||
+          this.isPathWithinRoot(fullyResolvedPath, allowedPath)
+        ) {
+          return true;
+        }
+      }
+      return false;
+    } catch (_error) {
+      return false;
+    }
+  }
+
  /**
   * Fully resolves a path, including symbolic links.
   * If the path does not exist, it returns the fully resolved path as it would be