AllowedPathResolver

llm_coding_tools_core::path

Struct AllowedPathResolver 

Source 
pub struct AllowedPathResolver { /* private fields */ }
Expand description

Path resolver that restricts access to allowed directories.

Paths are resolved relative to configured base directories. Prevents path traversal attacks by validating resolved paths stay within allowed boundaries.

§Security

This resolver protects against path traversal by:

  1. Canonicalizing the resolved path to eliminate .. and symlinks
  2. Verifying the result starts with an allowed base directory

§Bash Tool Bypasses Path Restrictions

When the bash/shell tool is enabled, this resolver’s protections are effectively advisory. The bash tool permits arbitrary shell commands, meaning an LLM can directly read, write, or delete any file the process has OS-level permissions for (e.g., cat /etc/passwd, rm -rf /, curl ... | sh).

This resolver only restricts the structured file operations (read, write, edit, glob, grep). If your threat model requires actual filesystem sandboxing, you must either:

  • Disable the bash tool entirely, or
  • Run the process in an OS-level sandbox (containers, seccomp, landlock, etc.)

Implementations§

Source§

impl AllowedPathResolver

Source

pub fn new( allowed_paths: impl IntoIterator<Item = impl AsRef<Path>>, ) -> ToolResult<Self>

Creates a new resolver with the given allowed directories.

Each directory is canonicalized during construction to ensure consistent path comparison. Returns an error if any directory doesn’t exist or can’t be canonicalized.

Source

pub fn from_canonical( allowed_paths: impl IntoIterator<Item = impl AsRef<Path>>, ) -> Self

Creates a resolver from already-canonicalized paths.

Use this when paths are known to be valid and canonicalized, skipping the filesystem check.

§Safety

Caller must ensure paths are actually canonical. Using non-canonical paths may allow path traversal attacks.

Source

pub fn allowed_paths(&self) -> &[PathBuf]

Returns the allowed base directories.

Trait Implementations§

Source§

impl Clone for AllowedPathResolver

Source§

fn clone(&self) -> AllowedPathResolver

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for AllowedPathResolver

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl PathResolver for AllowedPathResolver

Source§

fn resolve(&self, path: &str) -> ToolResult<PathBuf>

Resolves and validates a path string. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> DynClone for T
where T: Clone,

Source§

fn __clone_box(&self, _: Private) -> *mut ()

Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Pointable for T

Source§

const ALIGN: usize

The alignment of pointer.
Source§

type Init = T

The type for initializers.
Source§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
Source§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
Source§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
Source§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more