Skip to content

Use absolute path for permission management for fs_read #2926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Use absolute path for permission management for fs_read #2926

wants to merge 1 commit into from
+121 −4

Conversation

erbenmo
Copy link
Contributor

@erbenmo erbenmo commented Sep 18, 2025

Problem: users are getting prompted to approve fs_read even though they are reading files under CWD (through relative path). and CWD is already added into allowed path.

The root cause is a latent software bug: If an allowed path is in aboslute format, and user is reading the same file in relative format, the file path would not actually match.

To fix the issue, I am now converting the relative path of the accessed file to absolute path, and only use absolute path for permission management.

I considered an alternative approach which is to add './' to allowed path. This would match all files in CWD through relative path. But The problem with that approach is it would also match file acces like './../../../super-secret' etc which is outside CWD.

Another way this latent bug could manifest is if user add an absolute path to deny list, it doesn't actually stop the CLI to access that file through relative path... That issue is also fixed now by converting the accessed file to absolute path.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Tested the change:

🛠️  Using tool: fs_read (trusted)
 ⋮ 
 ● Reading file: ./crates/chat-cli/src/util/directories.rs, from line 519 to 540
 ✓ Successfully read 939 bytes from ./crates/chat-cli/src/util/directories.rs

 ⋮ 
 ● Completed in 0.1s

@erbenmo
Use absolute path for permission management for fs_read
fd8441c 
Problem: users are getting prompted to approve fs_read even though
they are reading files under CWD (through relative path). and CWD
is already added into allowed path.

The root cause is a latent software bug: If an allowed path is in
aboslute format, and user is reading the same file in relative format,
the file path would not actually match.

To fix the issue, I am now converting the relative path of the accessed
file to absolute path, and only use absolute path for permission
management.

I considered an alternative approach which is to add './' to allowed
path. This would match all files in CWD through relative path.
But The problem with that approach is it would also match file acces
like './../../../super-secret' etc which is outside CWD.

Another way this latent bug could manifest is if user add an absolute
path to deny list, it doesn't actually stop the CLI to access that file
through relative path... That issue is also fixed now by converting the
accessed file to absolute path.
@erbenmo
Copy link
Contributor Author

erbenmo commented Sep 18, 2025

I noticed an earlier PR is trying to address the same issue. That PR is a more comprehensive fix than this one. #2820. I think we should just take that one instead.

@erbenmo
Copy link
Contributor Author

erbenmo commented Sep 18, 2025
edited
Loading

Or we can merge my PR first to fix the CWD issue and I can work with the author of #2820 to get his/her more comprehensive change added. That PR is more comprehensive because:

  • it also handle the relative glob pattern
  • it also apply the fix to fs_write

@kkashilk kkashilk mentioned this pull request Sep 18, 2025
Merged
mr-lee
mr-lee reviewed Sep 19, 2025
View reviewed changes
crates/chat-cli/src/cli/chat/tools/fs_read.rs
let original_cwd = std::env::current_dir().unwrap();
std::env::set_current_dir(temp_path).unwrap();

// all of these files are under CWD through relative path. reading them should be allowed by default
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you want to test the ~ just in case?

Copy link
Contributor Author

@erbenmo erbenmo Sep 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mr-lee I noticed that #2820 is a better fix and the fix for this issue has now been merged into #2933 (which fixed a bug in #2820 found by kkashilk@) . So I am going to discard this one. Sorry about the confusion.

@erbenmo erbenmo closed this Sep 19, 2025
@erbenmo
Copy link
Contributor Author

erbenmo commented Sep 19, 2025

discarding this PR in favor of #2933

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mr-lee mr-lee mr-lee approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@erbenmo @mr-lee