github/deer-flow
1
0
Fork 0
mirror of https://github.com/bytedance/deer-flow.git synced 2026-04-25 11:18:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
deer-flow/backend/packages/harness/deerflow/sandbox
History
SHIYAO ZHANG cdb2a3a017
fix(sandbox): anchor relative paths to thread workspace in local mode (#1522) 
* fix(task_tool): fallback to configurable thread_id when context is missing

task_tool only read thread_id from runtime.context, but when invoked
via LangGraph Server, thread_id lives in config.configurable instead.
Add the same fallback that ThreadDataMiddleware uses (PR #1237).

Fixes subagent execution failure: 'Thread ID is required in runtime
context or config.configurable'

* remove debug logging from task_tool

* fix(sandbox): anchor relative paths to thread workspace in local mode

In local sandbox mode, bash commands using relative paths were resolved
against the langgraph server process cwd (backend/) instead of the
per-thread workspace directory. This allowed relative-path writes to
escape the thread isolation boundary.

Root cause: validate_local_bash_command_paths and
replace_virtual_paths_in_command only process absolute paths (scanning
for '/' prefix). Relative paths pass through untouched and inherit the
process cwd at subprocess.run time.

Fix: after virtual path translation, prepend `cd {workspace} &&` to
anchor the shell's cwd to the thread-isolated workspace directory before
execution. shlex.quote() ensures paths with spaces or special characters
are handled safely.

This mirrors the approach used by OpenHands (fixed cwd at execution
layer) and is the correct fix for local mode where each subprocess.run
is an independent process with no persistent shell session.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(sandbox): extract _apply_cwd_prefix and add unit tests

Extract the workspace cd-prefix logic from bash_tool into a dedicated
_apply_cwd_prefix() helper so it can be unit-tested in isolation.
Add four tests covering: normal prefix, no thread_data, missing
workspace_path, and paths with spaces (shlex.quote).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* revert: remove unrelated configurable thread_id fallback from sandbox/tools.py

This change belongs in a separate PR.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* style: remove trailing whitespace in test_sandbox_tools_security

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Willem Jiang <willem.jiang@gmail.com>
2026-03-29 23:21:06 +08:00
..
local
fix: add Windows shell fallback for local sandbox (#1505)
2026-03-29 21:31:29 +08:00
__init__.py
refactor: split backend into harness (deerflow.*) and app (app.*) (#1131)
2026-03-14 22:55:52 +08:00
exceptions.py
refactor: split backend into harness (deerflow.*) and app (app.*) (#1131)
2026-03-14 22:55:52 +08:00
middleware.py
fix: add null checks for runtime.context and tighten langgraph constraint (#1326)
2026-03-25 21:01:10 +08:00
sandbox_provider.py
refactor: split backend into harness (deerflow.*) and app (app.*) (#1131)
2026-03-14 22:55:52 +08:00
sandbox.py
refactor: split backend into harness (deerflow.*) and app (app.*) (#1131)
2026-03-14 22:55:52 +08:00
security.py
[Security] Address critical host-shell escape in LocalSandboxProvider (#1547)
2026-03-29 21:03:58 +08:00
tools.py
fix(sandbox): anchor relative paths to thread workspace in local mode (#1522)
2026-03-29 23:21:06 +08:00