[Security] Address critical host-shell escape in LocalSandboxProvider (#1547)

* fix(security): disable host bash by default in local sandbox

* fix(security): address review feedback for local bash hardening

* fix(ci): sort live test imports for lint

* style: apply backend formatter

---------

Co-authored-by: Willem Jiang <willem.jiang@gmail.com>

backend/packages/harness/deerflow/sandbox/security.py

@@ -0,0 +1,45 @@
+"""Security helpers for sandbox capability gating."""
+
+from deerflow.config import get_app_config
+
+_LOCAL_SANDBOX_PROVIDER_MARKERS = (
+    "deerflow.sandbox.local:LocalSandboxProvider",
+    "deerflow.sandbox.local.local_sandbox_provider:LocalSandboxProvider",
+)
+
+LOCAL_HOST_BASH_DISABLED_MESSAGE = (
+    "Host bash execution is disabled for LocalSandboxProvider because it is not a secure "
+    "sandbox boundary. Switch to AioSandboxProvider for isolated bash access, or set "
+    "sandbox.allow_host_bash: true only in a fully trusted local environment."
+)
+
+LOCAL_BASH_SUBAGENT_DISABLED_MESSAGE = (
+    "Bash subagent is disabled for LocalSandboxProvider because host bash execution is not "
+    "a secure sandbox boundary. Switch to AioSandboxProvider for isolated bash access, or "
+    "set sandbox.allow_host_bash: true only in a fully trusted local environment."
+)
+
+
+def uses_local_sandbox_provider(config=None) -> bool:
+    """Return True when the active sandbox provider is the host-local provider."""
+    if config is None:
+        config = get_app_config()
+
+    sandbox_cfg = getattr(config, "sandbox", None)
+    sandbox_use = getattr(sandbox_cfg, "use", "")
+    if sandbox_use in _LOCAL_SANDBOX_PROVIDER_MARKERS:
+        return True
+    return sandbox_use.endswith(":LocalSandboxProvider") and "deerflow.sandbox.local" in sandbox_use
+
+
+def is_host_bash_allowed(config=None) -> bool:
+    """Return whether host bash execution is explicitly allowed."""
+    if config is None:
+        config = get_app_config()
+
+    sandbox_cfg = getattr(config, "sandbox", None)
+    if sandbox_cfg is None:
+        return True
+    if not uses_local_sandbox_provider(config):
+        return True
+    return bool(getattr(sandbox_cfg, "allow_host_bash", False))

backend/packages/harness/deerflow/sandbox/tools.py

@@ -14,6 +14,7 @@ from deerflow.sandbox.exceptions import (
 )
 from deerflow.sandbox.sandbox import Sandbox
 from deerflow.sandbox.sandbox_provider import get_sandbox_provider
+from deerflow.sandbox.security import LOCAL_HOST_BASH_DISABLED_MESSAGE, is_host_bash_allowed
 
 _ABSOLUTE_PATH_PATTERN = re.compile(r"(?<![:\w])/(?:[^\s\"'`;&|<>()]+)")
 _LOCAL_BASH_SYSTEM_PATH_PREFIXES = (
@@ -499,6 +500,10 @@ def _resolve_and_validate_user_data_path(path: str, thread_data: ThreadDataState
 def validate_local_bash_command_paths(command: str, thread_data: ThreadDataState | None) -> None:
     """Validate absolute paths in local-sandbox bash commands.
 
+    This validation is only a best-effort guard for the explicit
+    ``sandbox.allow_host_bash: true`` opt-in. It is not a secure sandbox
+    boundary and must not be treated as isolation from the host filesystem.
+
     In local mode, commands must use virtual paths under /mnt/user-data for
     user data access. Skills paths under /mnt/skills and ACP workspace paths
     under /mnt/acp-workspace are allowed (path-traversal checks only; write
@@ -750,13 +755,16 @@ def bash_tool(runtime: ToolRuntime[ContextT, ThreadState], description: str, com
     """
     try:
         sandbox = ensure_sandbox_initialized(runtime)
-        ensure_thread_directories_exist(runtime)
-        thread_data = get_thread_data(runtime)
         if is_local_sandbox(runtime):
+            if not is_host_bash_allowed():
+                return f"Error: {LOCAL_HOST_BASH_DISABLED_MESSAGE}"
+            ensure_thread_directories_exist(runtime)
+            thread_data = get_thread_data(runtime)
             validate_local_bash_command_paths(command, thread_data)
             command = replace_virtual_paths_in_command(command, thread_data)
             output = sandbox.execute_command(command)
             return mask_local_paths_in_output(output, thread_data)
+        ensure_thread_directories_exist(runtime)
         return sandbox.execute_command(command)
     except SandboxError as e:
         return f"Error: {e}"