Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory
📋 Description
Summary
AgentRuntime promises scoped file access under a configured sandbox basePath, but its path containment checks use raw string prefix tests. A sandbox base such as /tmp/network-ai-sandbox also matches a sibling path such as /tmp/network-ai-sandbox_evil/secret.txt.
An agent/user that can call AgentRuntime.readFile() or AgentRuntime.listDir() can read or list files outside the intended sandbox when the target path is in a sibling directory sharing the base path prefix. This breaks the documented sandbox boundary. Confirmed in Network-AI 5.12.1. Severity: Medium, CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.
Details
The vulnerable containment check is in lib/agent-runtime.ts:
resolvePath(filePath: string): string | null {
const normalized = normalize(filePath);
const absolute = isAbsolute(normalized)
? normalized
: join(this.config.basePath, normalized);
const resolved = resolve(absolute);
// Traversal check
if (!resolved.startsWith(this.config.basePath)) return null;
return resolved;
}
startsWith() is not path-boundary-aware. If this.config.basePath is /tmp/network-ai-sandbox, then /tmp/network-ai-sandbox_evil/secret.txt also starts with /tmp/network-ai-sandbox despite being outside the sandbox.
The same pattern appears in SandboxPolicy.isPathAllowed() for allowed and blocked paths. FileAccessor.read(), FileAccessor.write(), and FileAccessor.list() rely on these checks before I/O, and AgentRuntime.readFile() exposes this behavior. Reads auto-approve by default when autoApproveReads is enabled.
Affected source evidence:
lib/agent-runtime.ts:393-423—isPathAllowed()/resolvePath()use stringstartsWith()containment.lib/agent-runtime.ts:669-691— file read sink relies on those checks.lib/agent-runtime.ts:933-958—AgentRuntime.readFile()exposes file reads.
PoC
Run from the repository root after installing dependencies:
node -r ts-node/register/transpile-only - <<'TS'
const { mkdtempSync, mkdirSync, writeFileSync, rmSync } = require('fs');
const { tmpdir } = require('os');
const { join } = require('path');
const { AgentRuntime } = require('./lib/agent-runtime');
(async () => {
const parent = mkdtempSync(join(tmpdir(), 'network-ai-poc-'));
const base = join(parent, 'sandbox');
const sibling = join(parent, 'sandbox_evil');
mkdirSync(base);
mkdirSync(sibling);
writeFileSync(join(sibling, 'secret.txt'), 'SECRET_OUTSIDE_SANDBOX', 'utf8');
const runtime = new AgentRuntime({
policy: { basePath: base, allowedPaths: ['.'], allowedCommands: [] },
});
const absoluteRead = await runtime.readFile(join(sibling, 'secret.txt'), 'poc-agent');
const relativeRead = await runtime.readFile('../sandbox_evil/secret.txt', 'poc-agent');
console.log(JSON.stringify({
base,
outside: join(sibling, 'secret.txt'),
absoluteRead: { success: absoluteRead.success, content: absoluteRead.content },
relativeRead: { success: relativeRead.success, content: relativeRead.content },
}, null, 2));
rmSync(parent, { recursive: true, force: true });
})();
TS
Observed result: both reads succeed and return SECRET_OUTSIDE_SANDBOX, even though the file is outside basePath.
Impact
An agent/user with access to AgentRuntime file operations can bypass the intended sandbox root and read or list files outside the sandbox when those files are located in sibling paths sharing the sandbox base path prefix. This is a sandbox boundary bypass and path traversal vulnerability. Default confirmed impact is read/list disclosure. If an embedding application uses FileAccessor.write() directly or auto-approves runtime writes, the same root cause may allow writes outside the intended sandbox to prefix-collision sibling paths. No RCE chain was confirmed.
Resolution (maintainer)
Fixed in v5.12.2 (commit a59c13a). Install: npm install [email protected] — published to npm with provenance.
SandboxPolicy.resolvePath() and isPathAllowed() now use separator-anchored prefix checks (resolved === base || resolved.startsWith(base + path.sep)) for both the allow-list and block-list. A sibling directory that merely shares a name prefix (e.g. /srv/app-evil vs base /srv/app) is no longer treated as in-scope.
All 3,269 tests pass against the patched build. Thanks to @sondt99 for the responsible disclosure.
🎯 Affected products1
- npm/network-ai:<= 5.12.1