bazelbuild · Ashutosh0x · May 26, 2026
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/AbstractSandboxSpawnRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/AbstractSandboxSpawnRunner.java
@@ -55,6 +55,7 @@
 import com.google.devtools.build.lib.util.io.FileOutErr;
 import com.google.devtools.build.lib.vfs.FileSystem;
 import com.google.devtools.build.lib.vfs.Path;
+import com.google.devtools.build.lib.vfs.PathFragment;
 import java.io.IOException;
 import java.io.InputStream;
 import java.time.Duration;
@@ -363,6 +364,10 @@ protected ImmutableSet<Path> getWritableDirs(Path sandboxExecRoot, Map<String, S
 
     String testTmpdir = env.get("TEST_TMPDIR");
     if (testTmpdir != null) {
+      // Validate that TEST_TMPDIR does not contain path traversal sequences.
+      // Unlike TMPDIR (sanitized by PosixLocalEnvProvider, see #3296),
+      // TEST_TMPDIR is passed through unvalidated from the action environment.
+      validateTestTmpdir(testTmpdir, sandboxExecRoot);
       addWritablePath(
           sandboxExecRoot,
           writablePaths,
@@ -434,6 +439,24 @@ private static void addWritablePath(
     }
   }
 
+  /**
+   * Validates that TEST_TMPDIR does not contain path traversal sequences.
+   *
+   * <p>Absolute TEST_TMPDIR values are legitimate (set via --test_tmpdir).
+   * The concern is '../' traversal in relative paths escaping sandboxExecRoot.
+   */
+  private static void validateTestTmpdir(String testTmpdir, Path sandboxExecRoot)
+      throws IOException {
+    PathFragment fragment = PathFragment.create(testTmpdir);
+    if (fragment.containsUplevelReferences()) {
+      throw new IOException(
+          String.format(
+              "TEST_TMPDIR must not contain '..' path traversal (it could escape the sandbox),"
+                  + " got: \"%s\" (sandboxExecRoot: %s)",
+              testTmpdir, sandboxExecRoot.getPathString()));
+    }
+  }
+
   protected ImmutableSet<Path> getInaccessiblePaths() {
     return inaccessiblePaths;
   }