🤖 fix: block tilde paths from escaping workspace restrictions #1939
Merged
ethanndickson merged 1 commit into main from Jan 30, 2026
Tilde-prefixed paths (e.g., ~/cmux/file.ts) could bypass workspace
directory restrictions because validatePathInCwd() checked the path
before tilde expansion. Node's path.isAbsolute('~/...') returns false,
so these paths were incorrectly treated as relative and resolved within
cwd, passing validation. The actual file operation then expanded the
tilde, accessing files outside the workspace.
Fix: expand tildes in validatePathInCwd() before path resolution so
validation sees the actual destination path.
Adds tests for tilde path rejection.
Summary
Fixes a security bug where tilde-prefixed paths (e.g., ~/cmux/file.ts) could bypass workspace directory restrictions, allowing agents to read/write files anywhere on the filesystem.
Background
validatePathInCwd() checked paths before tilde expansion. Since Node's path.isAbsolute('~/...') returns false, tilde paths were treated as relative and incorrectly passed validation. The actual file operation then expanded the tilde, accessing files outside the workspace.
Example attack: A workspace at ~/.mux/src/coder/worktree-xyz could read ~/cmux/src/secret.ts by using the tilde path, which would:
~/.mux/src/coder/worktree-xyz/~/cmux/src/secret.ts - garbage but under cwd)
/Users/ethan/cmux/src/secret.ts after tilde expansion
Implementation
Expand tildes in validatePathInCwd() before path resolution so validation sees the actual destination path.
Risks
Low - this is a strictly tighter security check. The only potential breakage would be if any legitimate use case relied on tilde paths to access files outside the workspace, which would be a bug anyway.
Generated with mux • Model: anthropic:claude-opus-4-5 • Thinking: high • Cost: $1.48
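The validate-then-expand ordering described in this PR, reduced to a stand-alone Node sketch. This is an added example, not the project's code: expandTilde, isInside, checkBeforeExpansion and checkAfterExpansion are hypothetical names, path.posix is used so the results are the same on any OS, and the home directory is passed in as a parameter. The first two paths in the loop come from the PR description apart from src/index.ts; src/index.ts and the a.ts path are constructed.

```javascript
// Added example: hypothetical helper names, lexical checks only (no symlink resolution).
const path = require("node:path").posix; // posix flavour: same results on any OS

// Expand a leading "~" or "~/" to `home`; other forms (e.g. "~user") are left alone.
function expandTilde(p, home) {
  if (p === "~") return home;
  if (p.startsWith("~/")) return path.join(home, p.slice(2));
  return p;
}

// True when `target` is `cwd` itself or lies beneath it.
function isInside(cwd, target) {
  const rel = path.relative(cwd, target);
  return rel !== ".." && !rel.startsWith("../");
}

// "Before" ordering: validate the raw string, expand the tilde only at access time.
function checkBeforeExpansion(cwd, requested, home) {
  const validated = path.resolve(cwd, requested); // "~/x" is not absolute, so it lands under cwd
  const accessed = path.resolve(cwd, expandTilde(requested, home));
  return { allowed: isInside(cwd, validated), validated, accessed };
}

// "After" ordering: expand first, so the path that is validated is the path that is accessed.
function checkAfterExpansion(cwd, requested, home) {
  const accessed = path.resolve(cwd, expandTilde(requested, home));
  return { allowed: isInside(cwd, accessed), validated: accessed, accessed };
}

// Home and workspace paths as given in the PR description; request list partly constructed.
const DEMO_HOME = "/Users/ethan";
const DEMO_CWD = "/Users/ethan/.mux/src/coder/worktree-xyz";
for (const req of ["src/index.ts", "~/cmux/src/secret.ts", "~/.mux/src/coder/worktree-xyz/a.ts"]) {
  console.log(req, checkBeforeExpansion(DEMO_CWD, req, DEMO_HOME), checkAfterExpansion(DEMO_CWD, req, DEMO_HOME));
}
```

A tilde path that expands to a location inside the workspace is still accepted by the expand-first ordering, so the tighter check rejects only requests whose real destination is outside cwd.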