From bc2e474079a38f0f68039a8767cff088682fd6c0 Mon Sep 17 00:00:00 2001 From: "zhangxiaoyu.york" Date: Tue, 31 Mar 2026 23:27:39 +0800 Subject: [PATCH] Fix ExecTool to block root directory paths when restrict_to_workspace is enabled --- nanobot/agent/tools/shell.py | 4 +++- tests/tools/test_tool_validation.py | 8 ++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/nanobot/agent/tools/shell.py b/nanobot/agent/tools/shell.py index ed552b33e..b051edffc 100644 --- a/nanobot/agent/tools/shell.py +++ b/nanobot/agent/tools/shell.py @@ -186,7 +186,9 @@ class ExecTool(Tool): @staticmethod def _extract_absolute_paths(command: str) -> list[str]: - win_paths = re.findall(r"[A-Za-z]:\\[^\s\"'|><;]+", command) # Windows: C:\... + # Windows: match drive-root paths like `C:\` as well as `C:\path\to\file` + # NOTE: `*` is required so `C:\` (nothing after the slash) is still extracted. + win_paths = re.findall(r"[A-Za-z]:\\[^\s\"'|><;]*", command) posix_paths = re.findall(r"(?:^|[\s|>'\"])(/[^\s\"'>;|<]+)", command) # POSIX: /absolute only home_paths = re.findall(r"(?:^|[\s|>'\"])(~[^\s\"'>;|<]*)", command) # POSIX/Windows home shortcut: ~ return win_paths + posix_paths + home_paths diff --git a/tests/tools/test_tool_validation.py b/tests/tools/test_tool_validation.py index a95418fe5..af4675310 100644 --- a/tests/tools/test_tool_validation.py +++ b/tests/tools/test_tool_validation.py @@ -95,6 +95,14 @@ def test_exec_extract_absolute_paths_keeps_full_windows_path() -> None: assert paths == [r"C:\user\workspace\txt"] +def test_exec_extract_absolute_paths_captures_windows_drive_root_path() -> None: + """Windows drive root paths like `E:\\` must be extracted for workspace guarding.""" + # Note: raw strings cannot end with a single backslash. + cmd = "dir E:\\" + paths = ExecTool._extract_absolute_paths(cmd) + assert paths == ["E:\\"] + + def test_exec_extract_absolute_paths_ignores_relative_posix_segments() -> None: cmd = ".venv/bin/python script.py" paths = ExecTool._extract_absolute_paths(cmd)