fix: validate TEST_TMPDIR path traversal in getWritableDirs #29646

Closed
Ashutosh0x wants to merge 1 commit into bazelbuild:master from Ashutosh0x:fix/validate-test-tmpdir-v2
Conversation

@Ashutosh0x
Contributor

Fixes #29457

Summary

AbstractSandboxSpawnRunner.getWritableDirs() reads TEST_TMPDIR from the action environment and passes it directly to addWritablePath() without validation. A malicious rule can set TEST_TMPDIR to a relative path containing ../ traversal sequences, causing the resolved path to escape the sandbox exec root.

Root Cause

Same class of issue as #3296 (TMPDIR sanitization). The fix was partial -- TMPDIR was sanitized but TEST_TMPDIR was missed.

| Variable | Sanitized? | Risk |
| --- | --- | --- |
| TMPDIR | Yes | None (fixed in #3296) |
| TEST_TMPDIR | No | Traversal sequences can escape sandbox |

Fix

Added validateTestTmpdir() using PathFragment.containsUplevelReferences() to reject ../ traversal before addWritablePath(). Absolute paths are allowed (legitimate via --test_tmpdir).

Related

@github-actions github-actions Bot added team-Local-Exec Issues and PRs for the Execution (Local) team awaiting-review PR is awaiting review from an assigned reviewer labels May 26, 2026
@Ashutosh0x Ashutosh0x closed this May 26, 2026
@Ashutosh0x Ashutosh0x reopened this May 26, 2026
@github-actions github-actions Bot added awaiting-review PR is awaiting review from an assigned reviewer and removed awaiting-review PR is awaiting review from an assigned reviewer labels May 26, 2026
Add validateTestTmpdir() using PathFragment.containsUplevelReferences()
to reject '../' traversal in TEST_TMPDIR before addWritablePath().
Absolute paths are allowed (legitimate via --test_tmpdir).

Fixes bazelbuild#29457
@Ashutosh0x Ashutosh0x force-pushed the fix/validate-test-tmpdir-v2 branch from 6bf8e04 to 7beb07b Compare May 26, 2026 08:25
@Ashutosh0x
Contributor Author

CI failures are from passport-control-check-docs (Mintlify docs checker) failing, which cascades to all other jobs. This is unrelated to the Java code change -- appears to be a Mintlify infrastructure issue affecting builds since ~build #33388. Will retrigger once the service recovers.

For reference, the identical fix pattern in PR #29631 (modifying SandboxStash.java) passes all 37/37 checks.

@Ashutosh0x Ashutosh0x closed this May 26, 2026
@github-actions github-actions Bot removed the awaiting-review PR is awaiting review from an assigned reviewer label May 26, 2026
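
The check described in the PR summary, as an added stand-alone example (not code from this PR or from Bazel): it rejects any `..` segment in `TEST_TMPDIR`, lets absolute paths through, and goes one step beyond the PR by asserting that a relative value still resolves under the exec root. It uses `java.nio.file` in place of Bazel's `PathFragment`; the class name, method names, exec root and sample values are hypothetical, and POSIX-style paths are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

/** Added illustration, not Bazel code. Uses java.nio.file instead of PathFragment. */
public class TestTmpdirCheck {

  /** True if any segment is exactly "..". A name such as "..cache" is not a traversal. */
  static boolean hasUplevelSegment(String value) {
    for (String segment : value.split("/")) {
      if (segment.equals("..")) {
        return true;
      }
    }
    return false;
  }

  /** Validates TEST_TMPDIR and returns the directory that would be made writable. */
  static Path resolveWritableDir(Path execRoot, String testTmpdir) {
    if (testTmpdir.isEmpty() || hasUplevelSegment(testTmpdir)) {
      throw new IllegalArgumentException("invalid TEST_TMPDIR: " + testTmpdir);
    }
    Path candidate = Paths.get(testTmpdir);
    if (candidate.isAbsolute()) {
      return candidate.normalize(); // absolute values are allowed, as the PR states
    }
    Path resolved = execRoot.resolve(candidate).normalize();
    // Explicit invariant: a relative value must land under the exec root.
    if (!resolved.startsWith(execRoot)) {
      throw new IllegalArgumentException("TEST_TMPDIR escapes exec root: " + testTmpdir);
    }
    return resolved;
  }

  public static void main(String[] args) {
    Path execRoot = Paths.get("/sandbox/execroot/ws"); // constructed sample path
    // Constructed sample values, not taken from the PR.
    List<String> samples =
        List.of("_tmp/test1", "..cache/tmp", "/var/tmp/bazel", "_tmp/../../../etc", "../outside");
    for (String v : samples) {
      try {
        System.out.println(v + " -> " + resolveWritableDir(execRoot, v));
      } catch (IllegalArgumentException e) {
        System.out.println(v + " -> rejected (" + e.getMessage() + ")");
      }
    }
  }
}
```

Both checks are lexical: they do not follow symlinks, so they say nothing about where a directory that already exists on disk actually points.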
Development

Successfully merging this pull request may close these issues.

linux-sandbox: TEST_TMPDIR from action env is used as -w bind mount without validation; TMPDIR is sanitized, TEST_TMPDIR is not
