fix(core): resolve windows symlink bypass and stabilize sandbox integration tests (#24834)

2026-05-04 00:44:05 -07:00 · 2026-04-08 15:00:50 -07:00
parent c7b920717f
commit af3638640c
8 changed files with 586 additions and 503 deletions
@@ -233,7 +233,10 @@ describe('MacOsSandboxManager', () => {

        expect(seatbeltArgsBuilder.buildSeatbeltProfile).toHaveBeenCalledWith(
          expect.objectContaining({
-            allowedPaths: ['/tmp/allowed1', '/tmp/allowed2'],
+            allowedPaths: expect.arrayContaining([
+              '/tmp/allowed1',
+              '/tmp/allowed2',
+            ]),
          }),
        );
      });
@@ -255,7 +258,7 @@ describe('MacOsSandboxManager', () => {

        expect(seatbeltArgsBuilder.buildSeatbeltProfile).toHaveBeenCalledWith(
          expect.objectContaining({
-            forbiddenPaths: ['/tmp/forbidden1'],
+            forbiddenPaths: expect.arrayContaining(['/tmp/forbidden1']),
          }),
        );
      });
@@ -275,7 +278,7 @@ describe('MacOsSandboxManager', () => {

        expect(seatbeltArgsBuilder.buildSeatbeltProfile).toHaveBeenCalledWith(
          expect.objectContaining({
-            forbiddenPaths: ['/tmp/does-not-exist'],
+            forbiddenPaths: expect.arrayContaining(['/tmp/does-not-exist']),
          }),
        );
      });
@@ -299,7 +302,7 @@ describe('MacOsSandboxManager', () => {
        expect(seatbeltArgsBuilder.buildSeatbeltProfile).toHaveBeenCalledWith(
          expect.objectContaining({
            allowedPaths: [],
-            forbiddenPaths: ['/tmp/conflict'],
+            forbiddenPaths: expect.arrayContaining(['/tmp/conflict']),
          }),
        );
      });
@@ -106,13 +106,9 @@ export class MacOsSandboxManager implements SandboxManager {

    const isYolo = this.options.modeConfig?.yolo ?? false;
    const workspaceWrite = !isReadonlyMode || isApproved || isYolo;
-
    const defaultNetwork =
      this.options.modeConfig?.network || req.policy?.networkAccess || isYolo;

-    const { allowed: allowedPaths, forbidden: forbiddenPaths } =
-      await resolveSandboxPaths(this.options, req);
-
    // Fetch persistent approvals for this command
    const commandName = await getFullCommandName(currentReq);
    const persistentPermissions = allowOverrides
@@ -137,6 +133,11 @@ export class MacOsSandboxManager implements SandboxManager {
        false,
    };

+    const resolvedPaths = await resolveSandboxPaths(
+      this.options,
+      req,
+      mergedAdditional,
+    );
    const { command: finalCommand, args: finalArgs } = handleReadWriteCommands(
      req,
      mergedAdditional,
@@ -147,10 +148,10 @@ export class MacOsSandboxManager implements SandboxManager {
    const sandboxArgs = buildSeatbeltProfile({
      workspace: this.options.workspace,
      allowedPaths: [
-        ...allowedPaths,
+        ...resolvedPaths.policyAllowed,
        ...(this.options.includeDirectories || []),
      ],
-      forbiddenPaths,
+      forbiddenPaths: resolvedPaths.forbidden,
      networkAccess: mergedAdditional.network,
      workspaceWrite,
      additionalPermissions: mergedAdditional,