fix(security): reject writes through symlinked parent dirs in sandbox

ToolExecutor::validate_path correctly canonicalized requests when the
target file already existed, but the non-existent-path branch only ran
normalize_relative on the requested path components and then joined
them onto the canonicalized sandbox without resolving symlinks. An
agent able to create a file inside the sandbox could plant a symlink
to anywhere on disk and then write through it:

  run_command  ln -s /etc evil
  write_file   { path: "evil/passwd", content: ... }

The leaf "evil/passwd" did not exist, so canonicalization was skipped
and tokio::fs::write followed the symlink, writing arbitrary content
outside the sandbox.

The fix walks up the candidate path to the deepest existing ancestor,
canonicalizes that ancestor (which resolves any symlink in the chain),
and rejects the request if the resolved ancestor falls outside the
sandbox. The leaf path is still returned as-is so write_file's
create_dir_all behaviour is preserved.

A regression test plants a symlink and attempts the write — it now
fails with a sandbox-escape error.

Author: kevinnft

src-tauri/src/tools/executor.rs

@@ -127,7 +127,31 @@ impl ToolExecutor {
             })?
             .to_path_buf();
         let normalized_rel = Self::normalize_relative(&rel_from_sandbox)?;
-        Ok(sandbox_canonical.join(normalized_rel))
+        let candidate = sandbox_canonical.join(&normalized_rel);
+
+        // Resolve the deepest existing ancestor through symlinks. This prevents an
+        // attacker from creating a symlink inside the sandbox (e.g. evil -> /etc) and
+        // then writing to evil/newfile, where the leaf does not exist but the parent
+        // is a symlink that escapes the sandbox.
+        let mut ancestor = candidate.as_path();
+        loop {
+            if ancestor.exists() {
+                let canonical_ancestor = ancestor.canonicalize().map_err(AppError::from)?;
+                if !canonical_ancestor.starts_with(&sandbox_canonical) {
+                    return Err(AppError::Validation(format!(
+                        "Path '{}' is outside project sandbox",
+                        requested
+                    )));
+                }
+                break;
+            }
+            match ancestor.parent() {
+                Some(parent) => ancestor = parent,
+                None => break,
+            }
+        }
+
+        Ok(candidate)
     }
 
     fn is_sensitive_file(&self, path: &Path) -> bool {
@@ -435,6 +459,47 @@ mod tests {
         cleanup("path_traversal_abs");
     }
 
+    #[tokio::test]
+    #[cfg(unix)]
+    async fn test_symlink_parent_escape_rejected() {
+        // Regression: an attacker creates a symlink inside the sandbox pointing to a
+        // privileged directory (e.g. evil -> /tmp), then attempts to write a NEW file
+        // through that symlink. The leaf does not exist, so the original validate_path
+        // skipped canonicalization and tokio::fs::write happily followed the symlink,
+        // letting the agent write outside the sandbox.
+        let sandbox_path = with_sandbox("symlink_parent_escape");
+        let outside = PathBuf::from("/tmp").join("enowx-test-symlink-target");
+        tokio::fs::create_dir_all(&outside)
+            .await
+            .expect("create outside dir");
+
+        std::os::unix::fs::symlink(&outside, sandbox_path.join("evil"))
+            .expect("create symlink");
+
+        let executor = ToolExecutor::new(sandbox_path);
+
+        let call = ToolCall {
+            tool: ToolName::WriteFile,
+            input: serde_json::json!({
+                "path": "evil/pwned.txt",
+                "content": "should not land outside sandbox",
+            }),
+        };
+        let result = executor.execute(call).await;
+        assert!(
+            result.is_error,
+            "write through symlinked parent must be rejected, got: {}",
+            result.output
+        );
+        assert!(
+            !outside.join("pwned.txt").exists(),
+            "file must not have been written outside sandbox"
+        );
+
+        let _ = tokio::fs::remove_dir_all(&outside).await;
+        cleanup("symlink_parent_escape");
+    }
+
     #[tokio::test]
     async fn test_is_outside_sandbox() {
         let sandbox_path = with_sandbox("outside_sandbox");