fix

Author: seratch

src/agents/sandbox/entries/artifacts.py

@@ -365,6 +365,7 @@ def _open_local_dir_file_for_copy(
     ) -> int:
         if not _OPEN_SUPPORTS_DIR_FD or not _HAS_O_DIRECTORY:
             return self._open_local_dir_file_for_copy_fallback(
+                base_dir=base_dir,
                 src_root=src_root,
                 rel_child=rel_child,
             )
@@ -539,7 +540,9 @@ def _local_dir_open_error(
             )
         return LocalDirReadError(src=src_root, cause=error)
 
-    def _open_local_dir_file_for_copy_fallback(self, *, src_root: Path, rel_child: Path) -> int:
+    def _open_local_dir_file_for_copy_fallback(
+        self, *, base_dir: Path, src_root: Path, rel_child: Path
+    ) -> int:
         src = src_root / rel_child
         try:
             src_stat = src.lstat()
@@ -564,20 +567,32 @@ def _open_local_dir_file_for_copy_fallback(self, *, src_root: Path, rel_child: P
         file_flags = os.O_RDONLY | getattr(os, "O_BINARY", 0) | getattr(os, "O_NOFOLLOW", 0)
         try:
             leaf_fd = os.open(src, file_flags)
-            leaf_stat = os.fstat(leaf_fd)
-            if not stat.S_ISREG(leaf_stat.st_mode) or not os.path.samestat(src_stat, leaf_stat):
+            try:
+                self._resolve_local_dir_src_root(base_dir)
+                leaf_stat = os.fstat(leaf_fd)
+                if not stat.S_ISREG(leaf_stat.st_mode) or not os.path.samestat(src_stat, leaf_stat):
+                    raise LocalDirReadError(
+                        src=src_root,
+                        context={
+                            "reason": "path_changed_during_copy",
+                            "child": rel_child.as_posix(),
+                        },
+                    )
+                return leaf_fd
+            except Exception:
                 os.close(leaf_fd)
-                raise LocalDirReadError(
-                    src=src_root,
-                    context={"reason": "path_changed_during_copy", "child": rel_child.as_posix()},
-                )
-            return leaf_fd
+                raise
         except FileNotFoundError:
+            self._resolve_local_dir_src_root(base_dir)
             raise LocalDirReadError(
                 src=src_root,
                 context={"reason": "path_changed_during_copy", "child": rel_child.as_posix()},
             ) from None
         except OSError as e:
+            try:
+                self._resolve_local_dir_src_root(base_dir)
+            except LocalDirReadError as root_error:
+                raise root_error from e
             if e.errno == errno.ELOOP:
                 raise LocalDirReadError(
                     src=src_root,

src/agents/sandbox/sandboxes/docker.py

@@ -298,7 +298,7 @@ async def _copy_workspace_tree_pruned(
                 await self._exec_checked(
                     "mkdir",
                     "-p",
-                    str(dst_child),
+                    sandbox_path_str(dst_child),
                     error_cls=WorkspaceArchiveReadError,
                     error_path=src_child,
                 )
@@ -314,8 +314,8 @@ async def _copy_workspace_tree_pruned(
                 "cp",
                 "-R",
                 "--",
-                str(src_child),
-                str(dst_child),
+                sandbox_path_str(src_child),
+                sandbox_path_str(dst_child),
                 error_cls=WorkspaceArchiveReadError,
                 error_path=src_child,
             )
@@ -337,7 +337,7 @@ async def _stage_workspace_copy(
         await self._exec_checked(
             "mkdir",
             "-p",
-            str(staging_parent),
+            sandbox_path_str(staging_parent),
             error_cls=WorkspaceArchiveReadError,
             error_path=root,
         )
@@ -347,15 +347,15 @@ async def _stage_workspace_copy(
             await self._exec_checked(
                 "mkdir",
                 "-p",
-                str(staging_workspace),
+                sandbox_path_str(staging_workspace),
                 error_cls=WorkspaceArchiveReadError,
                 error_path=root,
             )
         elif skip_rel_paths:
             await self._exec_checked(
                 "mkdir",
                 "-p",
-                str(staging_workspace),
+                sandbox_path_str(staging_workspace),
                 error_cls=WorkspaceArchiveReadError,
                 error_path=root,
             )
@@ -371,7 +371,7 @@ async def _stage_workspace_copy(
                 "-R",
                 "--",
                 root.as_posix(),
-                str(staging_workspace),
+                sandbox_path_str(staging_workspace),
                 error_cls=WorkspaceArchiveReadError,
                 error_path=root,
             )

tests/extensions/test_sandbox_vercel.py

@@ -239,7 +239,10 @@ async def run_command(
                     if not path.startswith(cwd.rstrip("/") + "/"):
                         continue
                     rel_path = path[len(cwd.rstrip("/")) + 1 :]
-                    if rel_path in exclusions:
+                    if any(
+                        rel_path == exclusion or rel_path.startswith(f"{exclusion}/")
+                        for exclusion in exclusions
+                    ):
                         continue
                     info = tarfile.TarInfo(name=rel_path if include_root else path)
                     info.size = len(content)
@@ -340,7 +343,7 @@ async def teardown_for_snapshot(
                 mount._events.append(("unmount", path.as_posix()))
                 sandbox = cast(Any, session)._sandbox
                 if sandbox is not None:
-                    sandbox.files.pop(f"{path}/mounted.txt", None)
+                    sandbox.files.pop(f"{path.as_posix()}/mounted.txt", None)
 
             async def restore_after_snapshot(
                 self,
@@ -352,7 +355,7 @@ async def restore_after_snapshot(
                 mount._events.append(("mount", path.as_posix()))
                 sandbox = cast(Any, session)._sandbox
                 if sandbox is not None:
-                    sandbox.files[f"{path}/mounted.txt"] = b"mounted-content"
+                    sandbox.files[f"{path.as_posix()}/mounted.txt"] = b"mounted-content"
 
         return _Adapter(self)
 

tests/sandbox/test_entries.py

@@ -293,7 +293,51 @@ def swap_root_then_open(
         dir_fd: int | None = None,
     ) -> int:
         nonlocal swapped
-        if (path == "src" or Path(path) == src_root) and not swapped:
+        if (path == "src" or Path(path) in {src_root, src_root / "safe.txt"}) and not swapped:
+            src_root.rename(tmp_path / "src-original")
+            (tmp_path / "src").symlink_to(secret_dir, target_is_directory=True)
+            swapped = True
+        if dir_fd is None:
+            return original_open(path, flags, mode)
+        return original_open(path, flags, mode, dir_fd=dir_fd)
+
+    monkeypatch.setattr("agents.sandbox.entries.artifacts.os.open", swap_root_then_open)
+
+    with pytest.raises(LocalDirReadError) as excinfo:
+        await local_dir.apply(session, Path("/workspace/copied"), tmp_path)
+
+    assert excinfo.value.context["reason"] == "symlink_not_supported"
+    assert excinfo.value.context["child"] == "src"
+    assert session.writes == {}
+
+
+@pytest.mark.asyncio
+async def test_local_dir_apply_fallback_rejects_source_root_swapped_to_symlink_after_validation(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    src_root = tmp_path / "src"
+    src_root.mkdir()
+    (src_root / "safe.txt").write_text("safe", encoding="utf-8")
+    secret_dir = tmp_path / "secret-dir"
+    secret_dir.mkdir()
+    session = _RecordingSession()
+    local_dir = LocalDir(src=Path("src"))
+    original_open = os.open
+    swapped = False
+
+    monkeypatch.setattr("agents.sandbox.entries.artifacts._OPEN_SUPPORTS_DIR_FD", False)
+    monkeypatch.setattr("agents.sandbox.entries.artifacts._HAS_O_DIRECTORY", False)
+
+    def swap_root_then_open(
+        path: str | Path,
+        flags: int,
+        mode: int = 0o777,
+        *,
+        dir_fd: int | None = None,
+    ) -> int:
+        nonlocal swapped
+        if Path(path) == src_root / "safe.txt" and not swapped:
             src_root.rename(tmp_path / "src-original")
             (tmp_path / "src").symlink_to(secret_dir, target_is_directory=True)
             swapped = True