fix(sandbox): handle existing directories in mkdirp boundary checks

[stakeswky]

Summary

• fix sandbox mkdirp boundary validation to handle pre-existing directory targets
• keep strict boundary failures for non-path errors unless target is an existing directory
• preserve canonical mount and writability checks after boundary validation

Root cause

mkdirp uses openBoundaryFile for boundary checks. openBoundaryFile is optimized for open-verified paths and can return non-path validation failures for directory targets in some mounted workspace flows. The bridge treated these as hard failures, so mkdir -p failed even when the target directory already existed and was in-bounds.

Fix

When allowedType === "directory" and boundary open returns a non-path failure, fallback to a host-side statSync check for an existing directory. If it is a directory, continue; otherwise preserve the original failure behavior.

Testing

• pnpm vitest run src/agents/sandbox/fs-bridge.test.ts -t "allows mkdirp for existing in-boundary subdirectories|rejects mkdirp when target exists as a file|rejects pre-existing host symlink escapes before docker exec"

Closes #31438

[greptile-apps]

Greptile Summary

Fixed mkdirp boundary validation to handle pre-existing directories by adding a fallback when openBoundaryFile returns non-path failures.

How it works:

• When allowedType === "directory" and boundary open fails with a non-path error (validation/io), the code now falls back to checking if the target is an existing directory on the host
• If it is a directory, the operation continues; otherwise the original error is thrown
• Canonical mount and writability checks still execute after the fallback, maintaining security

Key changes:

• Added directory-specific fallback in assertPathSafety (lines 270-294) that uses fs.statSync to verify existing directories
• Preserves strict boundary checking for files while avoiding false negatives for directory operations

The fix correctly addresses the issue where mkdirp failed on existing in-boundary directories due to openVerifiedFileSync being optimized for file operations. Tests verify the fix works for existing subdirectories while still rejecting files.

Confidence Score: 4/5

• This PR is safe to merge with minimal risk - it fixes a real bug while maintaining security boundaries
• The fix correctly addresses the mkdirp issue for existing directories while preserving security checks (lexical and canonical boundary validation still execute). Tests verify the behavior. One minor style issue with error handling logic could be clearer but doesn't affect correctness.
• No files require special attention - the changes are focused and well-tested

_{Last reviewed commit: 0e455d9}

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

confusing error handling - the thrown error on line 277 is immediately caught and replaced

The current implementation throws an error when !st.isDirectory() but that error is immediately caught by the catch block and replaced with guarded.error. Consider simplifying:

Suggested change

	try {
	const st = fs.statSync(target.hostPath);
	if (!st.isDirectory()) {
	throw new Error(
	`Sandbox boundary checks failed; cannot ${options.action}: ${target.containerPath}`,
	);
	}
	} catch {
	throw guarded.error instanceof Error
	? guarded.error
	: new Error(
	`Sandbox boundary checks failed; cannot ${options.action}: ${target.containerPath}`,
	);
	}
	let isDirectory = false;
	try {
	const st = fs.statSync(target.hostPath);
	isDirectory = st.isDirectory();
	} catch {
	// statSync failed, treat as not a directory
	}
	if (!isDirectory) {
	throw guarded.error instanceof Error
	? guarded.error
	: new Error(
	`Sandbox boundary checks failed; cannot ${options.action}: ${target.containerPath}`,
	);
	}

This makes the intent clearer: check if the path is an existing directory, and if not, throw the original boundary check error.

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/agents/sandbox/fs-bridge.ts
Line: 274-287

Comment:
confusing error handling - the thrown error on line 277 is immediately caught and replaced

The current implementation throws an error when `!st.isDirectory()` but that error is immediately caught by the catch block and replaced with `guarded.error`. Consider simplifying:

```suggestion
          let isDirectory = false;
          try {
            const st = fs.statSync(target.hostPath);
            isDirectory = st.isDirectory();
          } catch {
            // statSync failed, treat as not a directory
          }
          if (!isDirectory) {
            throw guarded.error instanceof Error
              ? guarded.error
              : new Error(
                  `Sandbox boundary checks failed; cannot ${options.action}: ${target.containerPath}`,
                );
          }
```

This makes the intent clearer: check if the path is an existing directory, and if not, throw the original boundary check error.

How can I resolve this? If you propose a fix, please make it concise.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#	Severity	Title
1	🔵 Low	Sandbox boundary validation bypass via directory stat() fallback in assertPathSafety

---

1. 🔵 Sandbox boundary validation bypass via directory stat() fallback in assertPathSafety

Property	Value
Severity	Low
CWE	CWE-862
Location	src/agents/sandbox/fs-bridge.ts:268-281

Description

SandboxFsBridgeImpl.assertPathSafety uses openBoundaryFile(...) as a boundary/alias guard before executing filesystem-affecting commands inside the sandbox container.

A new fallback treats certain openBoundaryFile failures as non-fatal when allowedType === "directory" by checking only fs.statSync(hostPath).isDirectory().

Problem:

• The fallback triggers for any openBoundaryFile failure whose reason !== "path" (i.e., it includes "validation" failures, not just IO failures).
• "validation" failures can represent security-relevant boundary rejections (e.g., path not within the mount root, or alias/symlink canonicalization escaping the boundary).
• fs.statSync() does not enforce the boundary root constraint and follows symlinks.

As a result, an attacker can potentially bypass boundary validation for directory operations (currently mkdirp) whenever hostPath happens to be an existing directory, even if openBoundaryFile rejected it.

Vulnerable code (introduced in this diff):

if (!guarded.ok) {
  if (guarded.reason !== "path") {
    const canFallbackToDirectoryStat =
      options.allowedType === "directory" && this.pathIsExistingDirectory(target.hostPath);
    if (!canFallbackToDirectoryStat) {
      throw guarded.error instanceof Error
        ? guarded.error
        : new Error(
            `Sandbox boundary checks failed; cannot ${options.action}: ${target.containerPath}`,
          );
    }
  }
}

Security impact:

• inputs: filePath provided to mkdirp()
• guard bypass: openBoundaryFile failure with reason: "validation" becomes non-fatal if statSync() says directory
• sink: runCommand('... mkdir -p -- "$1"') executes after the weakened check

This broad fallback should be limited to the specific platform-IO case it was meant to address; otherwise it undermines boundary enforcement for directories.

Recommendation

Limit the fallback to the intended IO-only directory-open incompatibility case, and (optionally) to mkdirp explicitly.

Suggested change:

if (!guarded.ok) {
  if (guarded.reason === "io" && options.action === "create directories" && options.allowedType === "directory") {
    if (!this.pathIsExistingDirectory(target.hostPath)) {
      throw guarded.error instanceof Error ? guarded.error : new Error(...);
    }
  } else if (guarded.reason !== "path") {
    throw guarded.error instanceof Error ? guarded.error : new Error(...);
  }
}

This preserves support for platforms that cannot openSync() directories while ensuring that boundary validation failures are never bypassed.

---

Analyzed PR: #31547 at commit 061121f

_{Last updated on: 2026-03-02T17:10:30Z}

[steipete]

Landed via temp rebase onto main.

• Gate: pnpm test src/agents/sandbox/fs-bridge.test.ts (full gate blocked by pre-existing main failure in extensions/zalouser/src/monitor.ts:141)
• Land commit: 061121f
• Merge commit: 44270c5

Thanks @stakeswky!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 061121f2b1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restrict mkdirp fallback to I/O-only boundary failures

The new fallback now runs for every non-path failure, but openBoundaryFile also reports symlink/hardlink boundary violations as reason: "validation"; with options.allowedType === "directory", pathIsExistingDirectory uses statSync (follows symlinks) and can turn those validation failures into success. This means mkdirp can bypass host-side alias boundary rejection and proceed to Docker execution for paths that were explicitly rejected by boundary validation, which weakens the sandbox safety model for pre-existing directory aliases. The fallback should be limited to the platform I/O case (reason === "io") that this fix is targeting.

Useful? React with 👍 / 👎.