base path restriction for FileEditor

openhands-tools/openhands/tools/file_editor/definition.py

@@ -184,6 +184,8 @@ def _has_meaningful_diff(self) -> bool:
 
 3. REPLACEMENT: The `new_str` parameter should contain the edited lines that replace the `old_str`. Both strings must be different.
 
+4. BASE PATH RESTRICTION: All file operations are restricted to a base directory for security. Attempts to access files outside this directory will be rejected.
+
 Remember: when making multiple file edits in a row to the same file, you should prefer to send all edits in a single message with multiple calls to this tool, rather than multiple messages with a single call each.
 """  # noqa: E501
 
@@ -195,19 +197,26 @@ class FileEditorTool(ToolDefinition[FileEditorAction, FileEditorObservation]):
     def create(
         cls,
         conv_state: "ConversationState",
+        base_path: str | None = None,
     ) -> Sequence["FileEditorTool"]:
         """Initialize FileEditorTool with a FileEditorExecutor.
 
         Args:
             conv_state: Conversation state to get working directory from.
                          If provided, workspace_root will be taken from
                          conv_state.workspace
+            base_path:  Optional base directory that restricts all file operations.
+                         When set, all file paths must be within this directory.
+                         If None, defaults to workspace.working_dir for security.
         """
         # Import here to avoid circular imports
         from openhands.tools.file_editor.impl import FileEditorExecutor
 
         # Initialize the executor
-        executor = FileEditorExecutor(workspace_root=conv_state.workspace.working_dir)
+        executor = FileEditorExecutor(
+            workspace_root=conv_state.workspace.working_dir,
+            base_path=base_path or conv_state.workspace.working_dir,
+        )
 
         # Build the tool description with conditional image viewing support
         # Split TOOL_DESCRIPTION to insert image viewing line after the second bullet

openhands-tools/openhands/tools/file_editor/editor.py

@@ -60,10 +60,12 @@ class FileEditor:
     _max_file_size: int
     _encoding_manager: EncodingManager
     _cwd: str
+    _base_path: Path | None
 
     def __init__(
         self,
         workspace_root: str | None = None,
+        base_path: str | None = None,
         max_file_size_mb: int | None = None,
     ):
         """Initialize the editor.
@@ -74,6 +76,9 @@ def __init__(
             workspace_root: Root directory that serves as the current working
                 directory for relative path suggestions. Must be an absolute path.
                 If None, no path suggestions will be provided for relative paths.
+            base_path: Base directory that restricts all file operations. When set,
+                all file paths must be within this directory. Must be an absolute path.
+                If None, no path restrictions are enforced.
         """
         self._history_manager = FileHistoryManager(max_history_per_file=10)
         self._max_file_size = (
@@ -83,6 +88,17 @@ def __init__(
         # Initialize encoding manager
         self._encoding_manager = EncodingManager()
 
+        # Set base_path for security enforcement
+        if base_path is not None:
+            base_path_obj = Path(base_path)
+            # Ensure base_path is an absolute path
+            if not base_path_obj.is_absolute():
+                base_path_obj = base_path_obj.resolve()
+            self._base_path = base_path_obj
+            logger.info(f"FileEditor base path restriction enabled: {self._base_path}")
+        else:
+            self._base_path = None
+
         # Set cwd (current working directory) if workspace_root is provided
         if workspace_root is not None:
             workspace_path = Path(workspace_root)
@@ -551,7 +567,8 @@ def validate_path(self, command: CommandLiteral, path: Path) -> None:
 
         Validates:
         1. Path is absolute
-        2. Path and command are compatible
+        2. Path is within base_path (if set)
+        3. Path and command are compatible
         """
         # Check if its an absolute path
         if not path.is_absolute():
@@ -571,6 +588,22 @@ def validate_path(self, command: CommandLiteral, path: Path) -> None:
                 suggestion_message,
             )
 
+        # Check if path is within base_path (if set)
+        if self._base_path is not None:
+            # Resolve the path to handle symlinks and relative components
+            resolved_path = path.resolve(strict=False)
+
+            # Check if resolved path is within base_path
+            try:
+                resolved_path.relative_to(self._base_path)
+            except ValueError:
+                raise EditorToolParameterInvalidError(
+                    "path",
+                    str(path),
+                    f"Path is outside the allowed base path. All file operations must "
+                    f"be within: {self._base_path}",
+                )
+
         # Check if path and command are compatible
         if command == "create" and path.exists():
             raise EditorToolParameterInvalidError(

openhands-tools/openhands/tools/file_editor/impl.py

@@ -25,9 +25,12 @@ class FileEditorExecutor(ToolExecutor):
     def __init__(
         self,
         workspace_root: str | None = None,
+        base_path: str | None = None,
         allowed_edits_files: list[str] | None = None,
     ):
-        self.editor: FileEditor = FileEditor(workspace_root=workspace_root)
+        self.editor: FileEditor = FileEditor(
+            workspace_root=workspace_root, base_path=base_path
+        )
         self.allowed_edits_files: set[Path] | None = (
             {Path(f).resolve() for f in allowed_edits_files}
             if allowed_edits_files