Description
Phase
Phase 1 — Critical Security | Track 1.1 — Input Boundary Enforcement | Priority: P0 CRITICAL
Summary
The resolve() function in operator_use/utils/helper.py returns absolute paths without checking them against the workspace root, so any tool that calls it lets the LLM read or write any file the process has permission to access.
Vulnerability Details
File: operator_use/utils/helper.py:14-22
CWE: CWE-22 — Path Traversal
Current code:
```python
from pathlib import Path


def resolve(base, path):
    path = Path(path)
    if path.is_absolute():
        return path.resolve()  # No boundary check: base is ignored entirely
    # (the relative-path branch of the original function is not shown here)
```
Attack vector: the LLM calls read_file(path="/etc/passwd") or write_file(path="/root/.ssh/authorized_keys", content="...") and both succeed, because the absolute path is returned as-is.
Affected tools: read_file, write_file, edit_file, list_dir, patch_file
Fix
```python
from pathlib import Path


def resolve(base: str | Path, path: str | Path) -> Path:
    base = Path(base).resolve()
    # Path.__truediv__ discards base when path is absolute, so absolute
    # paths are not rewritten; they simply fail the containment check below.
    # .resolve() follows symlinks and collapses "..", so both are checked too.
    resolved = (base / Path(path)).resolve()
    # Compare path components, not string prefixes: a str.startswith() check
    # would accept "/ws2/x" as being inside "/ws".
    try:
        resolved.relative_to(base)
    except ValueError:
        raise PermissionError(
            f"Path traversal blocked: {path!r} resolves outside workspace {base}"
        ) from None
    return resolved
```
Acceptance Criteria
- resolve() raises PermissionError for paths outside the workspace
- Absolute paths are blocked or resolved relative to the workspace
- ../ traversal is blocked
- Symlinks pointing outside the workspace are blocked
- All filesystem tools use the hardened resolve()
- Security tests in tests/security/test_path_traversal.py
- Tests cover: absolute paths, ../ sequences, symlinks, unicode, null bytes
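The following is an added example, not code from the operator_use repository: a hardened resolve() in the shape proposed above together with a self-contained check of the acceptance criteria (absolute paths, ../ sequences, a symlink escaping the workspace, a sibling directory whose name shares the workspace name as a prefix, a null byte, and a unicode look-alike separator). It builds a throwaway workspace under a temporary directory and uses a POSIX symlink, so it assumes a POSIX host; the helper names blocked() and run_checks() are this example's own.

```python
"""Added example (not project code): hardened resolve() plus acceptance checks."""
import os
import tempfile
from pathlib import Path


def resolve(base, path):
    """Resolve `path` against `base`; refuse anything that escapes the workspace.

    Absolute paths are kept absolute by Path's `/` operator, so they are not
    rewritten into the workspace; they fail the containment check instead.
    """
    if "\x00" in str(path):
        # os.lstat() raises ValueError on embedded NULs; reject them up front
        raise PermissionError(f"Path traversal blocked: {path!r} contains a null byte")
    base = Path(base).resolve()
    resolved = (base / Path(path)).resolve()  # follows symlinks, collapses ".."
    try:
        resolved.relative_to(base)  # component-wise containment, not a string prefix
    except ValueError:
        raise PermissionError(
            f"Path traversal blocked: {path!r} resolves outside workspace {base}"
        ) from None
    return resolved


def blocked(base, path):
    """True if resolve() rejects `path` for workspace `base`."""
    try:
        resolve(base, path)
    except PermissionError:
        return True
    return False


def run_checks():
    """Exercise each acceptance criterion in a constructed workspace."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        ws = root / "workspace"
        (ws / "src").mkdir(parents=True)
        (ws / "src" / "main.py").write_text("print('hi')\n")
        (root / "outside.txt").write_text("secret\n")          # target of escapes
        (root / "workspace2").mkdir()                          # prefix-collision sibling
        os.symlink(root / "outside.txt", ws / "escape")        # symlink leaving the workspace

        return {
            "relative_ok": resolve(ws, "src/main.py") == ws / "src" / "main.py",
            "absolute_blocked": blocked(ws, "/etc/passwd"),
            "dotdot_blocked": blocked(ws, "../outside.txt"),
            "symlink_blocked": blocked(ws, "escape"),
            # str.startswith() would have accepted this one
            "prefix_sibling_blocked": blocked(ws, root / "workspace2" / "x"),
            "null_byte_blocked": blocked(ws, "src/main.py\x00.txt"),
            # U+2215 is not a path separator, so this is a plain filename inside ws
            "unicode_lookalike_stays_inside": resolve(ws, "..\u2215etc") == ws / "..\u2215etc",
        }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The prefix-collision case is the one the str.startswith() version of the fix misses: "/tmp/x/workspace2/x" starts with "/tmp/x/workspace", yet it is outside the workspace. Path.relative_to() compares components, so the sibling is rejected while legitimate children still pass.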
References
- OWASP Path Traversal
- CWE-22
- Design Doc:
docs/plans/2026-03-29-security-ai-guardrails-performance-design.md