fix(core): ensure global temp directory is always in sandbox allowed paths (#24638)

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-05-12 21:03:05 -07:00 · 2026-04-03 17:23:27 -07:00
parent 4fb3790051
commit 65024d4538
9 changed files with 91 additions and 12 deletions
@@ -508,6 +508,7 @@ export enum AuthProviderType {
 export interface SandboxConfig {
  enabled: boolean;
  allowedPaths?: string[];
+  includeDirectories?: string[];
  networkAccess?: boolean;
  command?:
    | 'docker'
@@ -524,6 +525,7 @@ export const ConfigSchema = z.object({
    .object({
      enabled: z.boolean().default(false),
      allowedPaths: z.array(z.string()).default([]),
+      includeDirectories: z.array(z.string()).default([]),
      networkAccess: z.boolean().default(false),
      command: z
        .enum([
@@ -965,6 +967,11 @@ export class Config implements McpContext, AgentLoopContext {
      ? {
          enabled: params.sandbox.enabled || params.toolSandboxing || false,
          allowedPaths: params.sandbox.allowedPaths ?? [],
+          includeDirectories: [
+            ...(params.sandbox.includeDirectories ?? []),
+            ...(params.sandbox.allowedPaths ?? []),
+            Storage.getGlobalTempDir(),
+          ],
          networkAccess: params.sandbox.networkAccess ?? false,
          command: params.sandbox.command,
          image: params.sandbox.image,
@@ -972,6 +979,7 @@ export class Config implements McpContext, AgentLoopContext {
      : {
          enabled: params.toolSandboxing || false,
          allowedPaths: [],
+          includeDirectories: [Storage.getGlobalTempDir()],
          networkAccess: false,
        };

@@ -994,7 +1002,10 @@ export class Config implements McpContext, AgentLoopContext {
      {
        workspace: this.targetDir,
        forbiddenPaths: this.getSandboxForbiddenPaths.bind(this),
-        includeDirectories: this.pendingIncludeDirectories,
+        includeDirectories: [
+          ...this.pendingIncludeDirectories,
+          Storage.getGlobalTempDir(),
+        ],
        policyManager: this._sandboxPolicyManager,
      },
      initialApprovalMode,
@@ -1002,7 +1013,7 @@ export class Config implements McpContext, AgentLoopContext {

    if (
      !(this._sandboxManager instanceof NoopSandboxManager) &&
-      this.sandbox.enabled
+      this.sandbox?.enabled
    ) {
      this.fileSystemService = new SandboxedFileSystemService(
        this._sandboxManager,
@@ -1702,7 +1713,10 @@ export class Config implements McpContext, AgentLoopContext {
      {
        workspace: this.targetDir,
        forbiddenPaths: this.getSandboxForbiddenPaths.bind(this),
-        includeDirectories: this.pendingIncludeDirectories,
+        includeDirectories: [
+          ...this.pendingIncludeDirectories,
+          Storage.getGlobalTempDir(),
+        ],
        policyManager: this._sandboxPolicyManager,
      },
      this.getApprovalMode(),
@@ -1981,7 +1995,12 @@ export class Config implements McpContext, AgentLoopContext {
  }

  getSandboxAllowedPaths(): string[] {
-    return this.sandbox?.allowedPaths ?? [];
+    const paths = [...(this.sandbox?.allowedPaths ?? [])];
+    const globalTempDir = Storage.getGlobalTempDir();
+    if (!paths.includes(globalTempDir)) {
+      paths.push(globalTempDir);
+    }
+    return paths;
  }

  getSandboxNetworkAccess(): boolean {