From fc0cfd1e2ff3283d00d9a6da51bce29139cdc627 Mon Sep 17 00:00:00 2001 From: vominh1919 Date: Thu, 23 Apr 2026 17:19:36 +0700 Subject: [PATCH] fix(agent): scope subdirectory hint discovery to workspace directory SubdirectoryHintTracker._is_valid_subdir() did not check whether the candidate directory is inside the configured working_dir. This allowed tool calls that touch files in unrelated directories to inject AGENTS.md, CLAUDE.md, or .cursorrules content from completely different projects into the agent context, causing instruction contamination. Add a workspace boundary check using Path.relative_to() so only directories inside working_dir are scanned for hint files. Fixes #14471 --- agent/subdirectory_hints.py | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/agent/subdirectory_hints.py b/agent/subdirectory_hints.py index dcc514b9014..00403b1774a 100644 --- a/agent/subdirectory_hints.py +++ b/agent/subdirectory_hints.py @@ -158,7 +158,12 @@ class SubdirectoryHintTracker: self._add_path_candidate(token, candidates) def _is_valid_subdir(self, path: Path) -> bool: - """Check if path is a valid directory to scan for hints.""" + """Check if path is a valid directory to scan for hints. + + Only allows directories inside the configured working_dir to prevent + unrelated instruction files from being injected into the agent context + (e.g., an AGENTS.md from a completely different project). + """ try: if not path.is_dir(): return False @@ -166,6 +171,15 @@ class SubdirectoryHintTracker: return False if path in self._loaded_dirs: return False + # Scope to workspace — only scan directories inside working_dir + try: + path.relative_to(self.working_dir) + except ValueError: + logger.debug( + "Skipping subdirectory hint for %s: outside working_dir %s", + path, self.working_dir, + ) + return False return True def _load_hints_for_directory(self, directory: Path) -> Optional[str]:
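Review bot: The workspace boundary check added to `_is_valid_subdir` is purely lexical, because `Path.relative_to()` compares path components without resolving `..` segments or following symlinks. A candidate written as `<working_dir>/../other_project`, or a symlinked directory inside the workspace that points elsewhere, would pass the check and its AGENTS.md, CLAUDE.md or .cursorrules content could still reach the agent context. Whether `path` and `self.working_dir` are already resolved is not visible here, since candidates are built in `_add_path_candidate` outside this hunk; the reverse mismatch (resolved candidate, unresolved `working_dir`) would wrongly reject legitimate subdirectories. If they are not normalised upstream, compare resolved forms with `path.resolve().relative_to(self.working_dir.resolve())` and widen the handler to `except (ValueError, OSError):`, since resolving can fail on unreadable or looping paths. A test with a `..` candidate and a symlink leaving the workspace would pin the intended behaviour.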