[Phase 1.1.1] Fix path traversal vulnerability in resolve() #14

@richard-devbot

Phase

Phase 1 — Critical Security | Track 1.1 — Input Boundary Enforcement | Priority: P0 CRITICAL

Summary

The resolve() function in operator_use/utils/helper.py allows absolute paths to bypass workspace boundaries, enabling the LLM to read/write any file on the system.

Vulnerability Details

File: operator_use/utils/helper.py:14-22
CWE: CWE-22 — Path Traversal

Current code:
```python
from pathlib import Path


def resolve(base, path):
    path = Path(path)
    if path.is_absolute():
        return path.resolve()  # No boundary check!
    # (rest of the function is not shown in this issue)
```

Attack vector: LLM can call read_file(path="/etc/passwd") or write_file(path="/root/.ssh/authorized_keys", content="...") and it works.

Affected tools: read_file, write_file, edit_file, list_dir, patch_file

Fix

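```python
from pathlib import Path


def resolve(base: str | Path, path: str | Path) -> Path:
    base = Path(base).resolve()
    # An absolute `path` replaces `base` in the join; resolve() then follows
    # symlinks and collapses ../ before the boundary check.
    resolved = (base / Path(path)).resolve()
    # Compare path components, not string prefixes: a startswith() test
    # would accept /workspace-other when base is /workspace.
    if not resolved.is_relative_to(base):
        raise PermissionError(
            f"Path traversal blocked: {path!r} resolves outside workspace {base}"
        )
    return resolved
```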

Acceptance Criteria

  • resolve() raises PermissionError for paths outside workspace
  • Absolute paths are blocked or resolved relative to workspace
  • ../ traversal is blocked
  • Symlinks pointing outside workspace are blocked
  • All filesystem tools use the hardened resolve()
  • Security tests in tests/security/test_path_traversal.py
  • Tests cover: absolute paths, ../ sequences, symlinks, unicode, null bytes
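
The following is an added example, not code from this repository: it runs the path classes listed above against two containment checks, a string-prefix comparison and a path-component comparison, in a temporary workspace. The names `allowed`, `prefix_check`, `component_check`, `run_cases` and the `ws` / `ws-evil` directories are assumptions made for the illustration, as is rejecting null bytes before resolution.

```python
import os
import tempfile
from pathlib import Path


def prefix_check(base: Path, resolved: Path) -> bool:
    # String comparison: ".../ws-evil" also starts with ".../ws".
    return str(resolved).startswith(str(base))


def component_check(base: Path, resolved: Path) -> bool:
    # Whole path components (Path.is_relative_to, Python 3.9+).
    return resolved.is_relative_to(base)


def allowed(base, path, inside) -> bool:
    """Hypothetical stand-in for resolve(); True if `path` stays in `base`."""
    if "\x00" in str(path):  # assumption: reject null bytes up front
        return False
    base = Path(base).resolve()
    resolved = (base / Path(path)).resolve()  # follows symlinks, collapses ../
    return inside(base, resolved)


# Constructed inputs (unicode case omitted) plus a sibling-directory case.
CASES = {
    "inside": "notes.txt",
    "dotdot": "../../outside.txt",
    "absolute": "/etc/passwd",
    "sibling": "../ws-evil/secret.txt",
    "symlink": "link/secret.txt",
    "null_byte": "notes\x00.txt",
}


def run_cases() -> dict:
    """Return {case: (allowed by prefix_check, allowed by component_check)}."""
    with tempfile.TemporaryDirectory() as tmp:
        ws, sibling = Path(tmp, "ws"), Path(tmp, "ws-evil")
        ws.mkdir()
        sibling.mkdir()
        os.symlink(sibling, ws / "link")  # symlink leaving the workspace
        return {name: (allowed(ws, p, prefix_check),
                       allowed(ws, p, component_check))
                for name, p in CASES.items()}


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:10} prefix={verdict[0]} component={verdict[1]}")
```

The `sibling` and `symlink` cases pass the prefix check only because the outside directory's name begins with the workspace's name; the component check rejects both.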

Blocked By

#7 (security test scaffold), #12 (guardrails module)
