fix(security): prevent shell command injection in sandbox file ops (#313)#321

Merged: ArthurCRodrigues merged 6 commits into main from fix-security on May 16, 2026

Conversation

@ArthurCRodrigues

Member

Context

Issue #313 identified shell command injection risks in sandbox file operations where user-controlled filenames/paths were interpolated into shell commands.

Solution

  • hardened sandbox_manager/sandbox_container.py path handling:
    • added relative path normalization/validation for submission files
    • added /tmp path normalization/validation for injected assets
    • shell-escaped file paths used in prepare_workdir, inject_assets, and extract_file via shlex.quote
    • switched directory/permission commands to list-form exec calls where applicable
  • added/updated regression tests:
    • tests/unit/test_extract_file.py
    • tests/unit/test_asset_injection.py
    • tests/unit/test_sandbox_manager.py
  • updated docs to reflect the hardened shell-escaped base64 write flow:
    • docs/features/setup_config_feature.md
    • docs/pipeline/04-pre-flight.md
    • docs/architecture/sandbox_manager.md

Further clarifications

  • This keeps existing behavior (nested paths, asset injection, artifact extraction) while blocking command injection through crafted filenames/paths.
  • run_commands remains unchanged in this patch because the scope of issue #313 ([Security] Shell Command Injection via Unvalidated Filenames) was specifically filename/path injection in write/extract flows.

Related issues

Closes #313

Checklist

  • I linked the related issue(s) and explained the motivation.
  • I kept this PR focused and scoped to a single concern.
  • I added or updated tests for changed behavior (or explained why not needed).
  • I ran the relevant tests locally.
  • I updated documentation when needed (README/docs/API examples).
  • This PR introduces API contract changes (request/response/endpoint/DTO).
  • If API changed, I documented compatibility or migration notes.
  • This PR includes breaking changes.
  • If breaking, I clearly described impact and migration steps.
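An added, illustrative re-implementation of the two measures the PR description above lists (rejecting unsafe relative paths, then shell-escaping the destination of a base64 write). It is not the autograder project's code; the function names, the `/workspace` directory and the `printf | base64 -d` pipeline are assumptions.

```python
import base64
import posixpath
import shlex

# Illustrative code written for this page, not the project's sandbox_container.py.
# The helper names and the /workspace path below are assumptions.


def normalize_relative_path(filename: str) -> str:
    """Return a normalized relative path, or raise on anything that could leave the workdir."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    if posixpath.isabs(filename):
        raise ValueError(f"absolute path not allowed: {filename!r}")
    norm = posixpath.normpath(filename)
    if norm in (".", "..") or norm.startswith("../"):
        raise ValueError(f"path escapes working directory: {filename!r}")
    return norm


def build_write_command(workdir: str, filename: str, content: bytes) -> str:
    """Build the /bin/sh -c string that writes content to workdir/filename.

    The payload travels as base64 (no shell metacharacters), and every path
    is wrapped in shlex.quote, so a filename like 'a; rm -rf /.py' stays one
    quoted argument instead of turning into a second command.
    """
    dest = posixpath.join(workdir, normalize_relative_path(filename))
    parent = posixpath.dirname(dest)
    b64 = base64.b64encode(content).decode("ascii")
    return (
        f"mkdir -p {shlex.quote(parent)} && "
        f"printf %s {shlex.quote(b64)} | base64 -d > {shlex.quote(dest)}"
    )


def unsafe_write_command(workdir: str, filename: str, content: bytes) -> str:
    """The bug class from issue #313: the filename is interpolated raw into the shell string."""
    b64 = base64.b64encode(content).decode("ascii")
    return f"echo {b64} | base64 -d > {workdir}/{filename}"


def last_shell_word(cmd: str) -> str:
    """Tokenize the command the way a POSIX shell would; the final word is the redirect target."""
    return shlex.split(cmd)[-1]
```

Comparing `last_shell_word` on the two builders shows the difference directly: the hardened command's last word is the whole intended destination, while the unsafe one ends in `/.py` because `; rm -rf` was split off as separate shell words.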

Copilot AI left a comment

Contributor

Pull request overview

Hardens sandbox file operations against shell command injection by validating/normalizing paths and shell-escaping paths used in /bin/sh -c flows, with accompanying unit test and documentation updates.

Changes:

  • Added path normalization/validation helpers for submission file paths and /tmp asset targets, and applied shlex.quote() to paths used in shell redirection.
  • Switched some container operations (mkdir, chmod) to list-form exec_run calls to avoid shell parsing where possible.
  • Updated unit tests and documentation to reflect the hardened injection/extraction behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Summary per file:

  • sandbox_manager/sandbox_container.py: adds path validation/normalization and shell escaping for prepare_workdir, inject_assets, and extract_file.
  • tests/unit/test_extract_file.py: adds regression tests for rejecting non-absolute paths and ensuring shell-escaped extraction commands.
  • tests/unit/test_asset_injection.py: updates assertions to match list-form exec_run and the new shell-escaped Base64 write flow.
  • tests/unit/test_sandbox_manager.py: minor test comment cleanup and whitespace change.
  • docs/pipeline/04-pre-flight.md: updates pre-flight docs to describe the shell-escaped Base64 asset injection flow.
  • docs/features/setup_config_feature.md: updates setup-config docs to describe the shell-escaped Base64 injection method.
  • docs/architecture/sandbox_manager.md: updates architecture docs to describe the shell-escaped Base64 injection approach.

Comment on lines 85 to 87
for submission_file in submission_files.values():
file_path = submission_file.filename
file_path = self._normalize_relative_path(submission_file.filename)
file_content = submission_file.content
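Review bot: the replacement on this line makes `_normalize_relative_path` the only guard between a submission filename and the later shell write, so it should raise on `..` components, absolute paths and empty names rather than silently rewriting them; otherwise a crafted name is merely relocated inside the workdir instead of rejected. The file summary lists only comment and whitespace changes in tests/unit/test_sandbox_manager.py, so a test that asserts the raising behaviour for these inputs would close that gap.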
autograder-webtech and others added 2 commits May 16, 2026 13:10
Reduce required complexity across all issue templates and keep only essential fields for faster triage and issue authoring.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@ArthurCRodrigues ArthurCRodrigues left a comment

Member Author

ok

@ArthurCRodrigues ArthurCRodrigues merged commit 7a13093 into main May 16, 2026
3 checks passed
@ArthurCRodrigues ArthurCRodrigues deleted the fix-security branch May 16, 2026 16:14