Skip to content

fix: constrain custom workspace paths#9136

Closed
LIghtJUNction wants to merge 1 commit into
masterfrom
codex/fix-custom-workspace-vulnerability-in-astrbot
Closed

fix: constrain custom workspace paths#9136
LIghtJUNction wants to merge 1 commit into
masterfrom
codex/fix-custom-workspace-vulnerability-in-astrbot

Conversation

@LIghtJUNction

@LIghtJUNction LIghtJUNction commented Jul 4, 2026

Copy link
Copy Markdown
Member

Motivation

  • Close a security gap where ChatUI custom workspace paths could be absolute and point outside AstrBot's workspaces, allowing chat-scoped users to expand non-admin file-tool allowlists.
  • Ensure both relative and absolute custom workspace values are constrained to subdirectories of the configured AstrBot workspaces root.

Description

  • Change workspace_path_to_root() in astrbot/core/workspace.py to always resolve the candidate path (absolute or relative) and then require the resolved path to be a subdirectory of the AstrBot workspaces root.
  • Update the validation error message to reflect that any path (absolute or relative) must stay within a workspaces subdirectory.
  • Adjust tests/unit/test_chatui_project_service.py to accept absolute paths that are workspace subdirectories and to reject absolute paths that resolve outside the workspaces root.

Testing

  • Ran formatting with uv run --no-sync ruff format . which completed successfully.
  • Ran linting with uv run --no-sync ruff check . which completed successfully.
  • Attempted to run unit tests with uv run --no-sync pytest tests/unit/test_chatui_project_service.py but test execution was blocked by a missing test dependency (pytest_asyncio) and an external PyPI fetch/connectivity failure, so full pytest validation could not be completed.

Codex Task

Summary by Sourcery

Constrain custom ChatUI workspaces so that both relative and absolute paths must resolve within the AstrBot workspaces root.

Bug Fixes:

  • Prevent custom workspace configurations from using absolute paths that resolve outside the AstrBot workspaces root, closing a security gap around file-tool allowlists.

Enhancements:

  • Unify workspace path resolution logic so all custom paths are resolved and validated against the AstrBot workspaces root.
  • Clarify workspace validation error messaging to reflect the constraint on all custom paths, not just relative ones.

Tests:

  • Update ChatUI project service tests to cover acceptance of absolute workspace subdirectories and rejection of absolute paths outside the workspaces root.

Copilot AI review requested due to automatic review settings July 4, 2026 09:03
@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Jul 4, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@dosubot dosubot Bot added area:core The bug / feature is about astrbot's core, backend feature:chatui The bug / feature is about astrbot's chatui, webchat labels Jul 4, 2026

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!


Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request restricts custom workspace paths to stay within a subdirectory of the AstrBot workspaces root, rejecting absolute paths that point outside of it. The tests have been updated to reflect this security constraint. The reviewer suggests simplifying the path resolution logic in workspace_path_to_root by leveraging pathlib.Path's behavior where the / operator automatically ignores the left-hand side if the right-hand side is absolute, which removes the need for the ternary operator.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread astrbot/core/workspace.py
Comment on lines +108 to +112
resolved = (
candidate.resolve(strict=False)
if candidate.is_absolute()
else (workspaces_root / candidate).resolve(strict=False)
)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The ternary operator checking candidate.is_absolute() is redundant. In Python's pathlib, the / operator automatically ignores the left-hand side (workspaces_root) if the right-hand side (candidate) is an absolute path. Simplifying this to a single expression makes the code cleaner and more idiomatic.

    resolved = (workspaces_root / candidate).resolve(strict=False)

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 4, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
astrbot-docs fef3fb4 Commit Preview URL

Branch Preview URL
Jul 04 2026, 09:09 AM

@Soulter

Soulter commented Jul 4, 2026

Copy link
Copy Markdown
Member

this is by design. Users can select custom paths in chatui project to attach project sessions workspace.

@LIghtJUNction LIghtJUNction deleted the codex/fix-custom-workspace-vulnerability-in-astrbot branch July 4, 2026 11:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

aardvark area:core The bug / feature is about astrbot's core, backend codex feature:chatui The bug / feature is about astrbot's chatui, webchat size:S This PR changes 10-29 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants