Harden sandbox deny path handling for non-existent files #80
+314
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, non-existent paths in the deny list were skipped since bwrap cannot ro-bind a file that doesn't exist. This change adds defense-in-depth by mounting /dev/null at the first non-existent path component, which prevents creation of the denied path. - Add findFirstNonExistentComponent helper to locate mount point - Mount /dev/null at first missing component to block path creation - Add tests for non-existent deny path protection Bump version to 0.0.24 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
Detect symlinks in protected paths and mount /dev/null over them to prevent attackers from deleting the symlink and creating a real directory with malicious content. If any component of a protected path is a symlink within an allowed write path, mount /dev/null there to block deletion. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
- Add enableWeakerNestedSandbox: true for non-existent deny path tests - Update assertions to check for empty content instead of non-existence (bwrap creates empty mount point files when setting up /dev/null binds)
ollie-anthropic
approved these changes
Jan 7, 2026
Collaborator
ollie-anthropic
left a comment
ollie-anthropic
left a comment
There was a problem hiding this comment.
nice thank you!
This was referenced Jan 9, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adds defense-in-depth for sandbox deny path handling. Previously, non-existent paths in the deny list were skipped since bwrap cannot ro-bind a file that doesn't exist. This change mounts
/dev/nullat the first non-existent path component, preventing the path from being created.Changes
findFirstNonExistentComponenthelper to find the appropriate mount point/dev/nullread-only at the first missing component to block path creationTest plan
🤖 Generated with Claude Code