Skip to content

Fix artifact citation path sandbox bypass#4

Draft
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/critical-bug-investigation-86ae
Draft

Fix artifact citation path sandbox bypass#4
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/critical-bug-investigation-86ae

Conversation

@cursor

@cursor cursor Bot commented Jun 7, 2026

Copy link
Copy Markdown

Bug and impact

Artifact citations were accepted from model-provided artifact JSON and passed to open_path without a workspace containment check. A malicious or prompt-injected artifact could cite an absolute path or .. traversal, and a user clicking the citation would open files outside the Persistent Sage workspace. Project tools were also exposed whenever artifacts were enabled, bypassing the explicit workspace-tools opt-in for workspace writes.

Root cause

open_path allowed absolute paths and raw workspace joins, artifact validation did not inspect citation paths, and chat tool registration used artifacts_enabled to provide project tools/workspace roots.

Fix

  • Validate artifact citation paths as workspace-relative only.
  • Resolve open_path through the same workspace path jail used by agent tools, including symlink containment checks.
  • Gate project tools and workspace-root tool execution on the explicit workspace tools setting.
  • Added Rust regression tests for citation rejection, workspace-prefixed paths, symlink escape rejection, and workspace-root gating.

Validation

  • cargo +stable test (37 Rust tests passed)
  • npm run build
Open in Web View Automation 

Co-authored-by: g00sifer Development Lab <g00siferdev-py@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant