Description
[Issue Summary]
nemoclaw rebuild and nemoclaw snapshot create fail on v0.0.22. safeTarExtract() introduced by PR #2163 audits symlinks post-extraction. The sandbox base image's legitimate symlinks /sandbox/.openclaw/ → /sandbox/.openclaw-data/ are misdetected as "symlink escape" violations, causing the extraction to be nuked and breaking all backup/restore flows.
[Environment]
Device: Brev n2d-standard-4 (no GPU) — reproducible on All Platforms
OS: Ubuntu 22.04 (Brev)
Architecture: x86_64
Node.js: v22.22.2
npm: 10.9.7
Docker: Docker Engine (Brev default)
OpenShell CLI: openshell 0.0.26
NemoClaw: v0.0.22
OpenClaw: 2026.4.2
[Steps to Reproduce]
- Install NemoClaw v0.0.22 (any platform)
- Run nemoclaw onboard and complete onboarding with any provider/model
- Verify sandbox is running: nemoclaw status shows Running
- Run nemoclaw rebuild
- Observe failure during state backup phase
[Expected Behavior]
nemoclaw rebuild should back up sandbox state, destroy the sandbox, and recreate it with the backed-up state — completing without error.
[Actual Behavior]
safeTarExtract() scans the extracted tar and finds symlinks from /sandbox/.openclaw/ → /sandbox/.openclaw-data/. These are legitimate symlinks placed by the sandbox base image, but the post-extraction audit flags them as "symlink escape" violations. The extraction directory is removed and the operation fails. Same failure occurs with nemoclaw snapshot create.
[Logs]
Error during backup phase: safeTarExtract detects symlink target outside extraction directory and aborts.
[Impact]
P1 — rebuild and snapshot create are completely broken on v0.0.22. Workaround is nemoclaw destroy + nemoclaw onboard which loses all sandbox state (chat history, skills, agent config).
[Suspected Root Cause / Notes]
PR #2163 (fix(sandbox): validate tar entries before host-side extraction) added safeTarExtract() to prevent path-traversal attacks via crafted tar archives. The post-extraction symlink audit checks whether symlink targets resolve within the extraction directory. However, the sandbox base image places symlinks /sandbox/.openclaw/ → /sandbox/.openclaw-data/ as part of its standard layout. These are intra-sandbox symlinks (both source and target are inside /sandbox/) but the audit's resolution logic flags them as escaping the extraction directory.
The fix should whitelist symlinks whose targets resolve within the sandbox root, or adjust the audit boundary to match the sandbox filesystem root rather than the extraction temp directory.
[Regression?]
Yes. Introduced in v0.0.22 by PR #2163 (merged 2026-04-21). Last known good version: v0.0.21.
Bug Details
| Field | Value |
| --- | --- |
| Priority | Unprioritized |
| Action | Dev - Open - To fix |
| Disposition | Open issue |
| Module | Machine Learning - NemoClaw |
| Keyword | NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw_Sandbox, NemoClaw_Security, NemoClaw-SWQA-RelBlckr-Recommended |
[NVB#6103567]
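The audit-boundary option described under Suspected Root Cause, as an added example that is not part of the issue and is not NemoClaw's safeTarExtract() code: a symlink audit that judges each target against the sandbox root instead of the extraction temp directory. The names auditSymlinks, isInside and SANDBOX_ROOT, the assumption that the extraction directory mirrors /sandbox, and the sample link names are constructed for illustration.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Assumption: the archive mirrors this in-sandbox root (not taken from NemoClaw source).
const SANDBOX_ROOT = "/sandbox";

// True when p is base itself or lies beneath it; rejects prefix look-alikes such as /sandbox-evil.
function isInside(base, p) {
  const rel = path.relative(base, p);
  return rel === "" || (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
}

// Walk extractDir and return symlinks whose targets leave the sandbox root.
// Targets are resolved lexically in the sandbox's namespace and never followed on the host,
// so chains through other symlinked directories are not expanded here.
function auditSymlinks(extractDir, sandboxRoot = SANDBOX_ROOT) {
  const violations = [];
  const walk = (dir) => {
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      const hostPath = path.join(dir, ent.name);
      if (ent.isSymbolicLink()) {
        const target = fs.readlinkSync(hostPath);
        // Where this link lives as seen from inside the sandbox.
        const linkInSandbox = path.join(sandboxRoot, path.relative(extractDir, hostPath));
        // Relative targets resolve from the link's directory; absolute targets stand as-is.
        const resolved = path.resolve(path.dirname(linkInSandbox), target);
        if (!isInside(sandboxRoot, resolved)) violations.push({ link: linkInSandbox, target });
      } else if (ent.isDirectory()) {
        walk(hostPath);
      }
    }
  };
  walk(extractDir);
  return violations;
}

// Constructed sample tree: two intra-sandbox links and three escaping ones.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "audit-"));
  fs.mkdirSync(path.join(dir, ".openclaw"));
  const links = { skills: "/sandbox/.openclaw-data/skills", agents: "../.openclaw-data/agents",
    "abs-escape": "/etc/passwd", "rel-escape": "../../etc/passwd", "prefix-escape": "/sandbox-evil/x" };
  for (const [name, target] of Object.entries(links)) fs.symlinkSync(target, path.join(dir, ".openclaw", name));
  const flagged = auditSymlinks(dir).map((v) => path.basename(v.link)).sort();
  fs.rmSync(dir, { recursive: true, force: true });
  return flagged;
}
console.log(demo());
```

An audit that compares the absolute target /sandbox/.openclaw-data/... against the host temp directory would flag the first two links as well, which is the false positive this issue reports.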