fix(sandbox): deny host-path Playwright protocol params (#109)#113
Open
kimjune01 wants to merge 2 commits into
Open
fix(sandbox): deny host-path Playwright protocol params (#109)#113kimjune01 wants to merge 2 commits into
kimjune01 wants to merge 2 commits into
Conversation
Add HostBridge-level deny-list for protocol messages that carry host
filesystem paths (screenshot path, pdf path, storageState path, add{Script,Style}Tag path,
setInputFilePaths localPaths, saveAs path, fulfill path, tracingStart tracesDir,
tracingStop path, tracingStopChunk filePath, harOpen file). These are
blocked before reaching the host-side Playwright dispatcher, with a
policy error returned to the sandbox.
Bug reported in SawyerHood#109. Found by Codex (GPT-5.5) via /bug-hunt.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…stBridge integration tests Verified against playwright-core 1.58.2 protocol/validator.js. Of the 12 (method, param) pairs in the initial deny-list, only 3 are actually reachable via the wire (the rest are client-side path params already blocked by the QuickJS platform's fs/path throws): - setInputFiles localPaths / localDirectory (server-side read) - saveAs path (server-side write) - harOpen file (server-side read) Add HostBridge integration tests that prove the policy intercepts these messages before they reach the Playwright dispatcher. Without the policy the same messages reach the dispatcher and come back as TargetClosedError (see PR description for failing-before output). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #109.
Deny three Playwright wire-level params at
HostBridge.receiveFromSandbox— the only host-fs holes that aren't already blocked by the QuickJS client platform'sfs/paththrows or bydenyLaunch: true. Verified against playwright-core 1.58.2.setInputFileslocalPaths,localDirectorysaveAspathharOpenfileThe screenshot/pdf/storageState/addScriptTag/addStyleTag/fulfill/tracing scenarios in #109 are already non-exploitable — those path params don't exist in the wire schema; the client writes/reads via its platform fs adapter, which throws in QuickJS. This PR blocks the remaining path: a script that reaches the underlying connection (e.g.
page._connection) and crafts the raw message itself.Attestation
Identical test file on both commits; only
host-bridge.tsdiffers.c58b79a(attest/before-fix)6c004d3(this PR)Full suite on the fix commit (after
pnpm bundle:sandbox-client): 15/15 files, 98/98 tests pass — including the live-browser integration tests, confirming legitimate Playwright flows are unaffected.Before-fail output (the proof — message reaches the dispatcher):
Notes
daemon/dist/*bundles not regenerated; left for release tooling.ChannelOwner._channelis a separate, larger attack-surface question and out of scope here.Found by Codex (GPT-5.5) via
/bug-hunt.