fix(security): path traversal, shlex parsing, dead code cleanup

- Validate context_id against traversal (workspace.py)
- Use is_relative_to instead of startswith (subagents.py)
- Use shlex.split for interpreter/sources checks (permissions.py, executor.py)
- Remove duplicate _MAX_SUB_AGENT_ITERATIONS (subagents.py)
- Remove dead _BARE_DECISION_RE (reasoning.py)

Author: Ladas

a2a/sandbox_agent/src/sandbox_agent/executor.py

@@ -237,7 +237,10 @@ def _check_sources(self, operation: str) -> str | None:
         """
         import re
 
-        parts = operation.split()
+        try:
+            parts = shlex.split(operation)
+        except ValueError:
+            parts = operation.split()
         if not parts:
             return None
 

a2a/sandbox_agent/src/sandbox_agent/permissions.py

@@ -23,6 +23,7 @@
 import enum
 import fnmatch
 import re
+import shlex
 from typing import Any
 
 # ---------------------------------------------------------------------------
@@ -280,7 +281,10 @@ def check_interpreter_bypass(cls, operation: str) -> list[str]:
         if not operation:
             return []
 
-        parts = operation.split()
+        try:
+            parts = shlex.split(operation)
+        except ValueError:
+            parts = operation.split()
         if not parts:
             return []
 

a2a/sandbox_agent/src/sandbox_agent/reasoning.py

@@ -1813,6 +1813,3 @@ def _parse_decision(content: str | list) -> str:
             return decision
 
     return "continue"
-
-
-_BARE_DECISION_RE = re.compile(r"^(continue|retry|replan|done|hitl)\s*$", re.IGNORECASE)

a2a/sandbox_agent/src/sandbox_agent/subagents.py

@@ -40,9 +40,6 @@
 _DELEGATION_MODES = os.environ.get("DELEGATION_MODES", "in-process,shared-pvc,isolated,sidecar").split(",")
 _DEFAULT_MODE = os.environ.get("DEFAULT_DELEGATION_MODE", "in-process")
 
-# Maximum iterations for in-process sub-agents to prevent runaway loops.
-_MAX_SUB_AGENT_ITERATIONS = 15
-
 
 # ---------------------------------------------------------------------------
 # In-process sub-agent: explore (C20, mode 1)
@@ -109,7 +106,7 @@ async def read_file(path: str) -> str:
             File contents (truncated to 20000 chars).
         """
         resolved = (ws_root / path).resolve()
-        if not str(resolved).startswith(str(ws_root)):
+        if not resolved.is_relative_to(ws_root):
             return "Error: path resolves outside the workspace."
         if not resolved.is_file():
             return f"Error: file not found at '{path}'."

a2a/sandbox_agent/src/sandbox_agent/workspace.py

@@ -44,8 +44,15 @@ def __init__(
     # Public API
     # ------------------------------------------------------------------
 
+    @staticmethod
+    def _validate_context_id(context_id: str) -> None:
+        """Reject context IDs that could escape the workspace root."""
+        if not context_id or "/" in context_id or ".." in context_id or "\x00" in context_id:
+            raise ValueError(f"Invalid context_id: {context_id!r}")
+
     def get_workspace_path(self, context_id: str) -> str:
         """Return the workspace path for *context_id* without creating it."""
+        self._validate_context_id(context_id)
         return os.path.join(self.workspace_root, context_id)
 
     def ensure_workspace(self, context_id: str) -> str:
@@ -60,10 +67,9 @@ def ensure_workspace(self, context_id: str) -> str:
         Raises
         ------
         ValueError
-            If *context_id* is empty.
+            If *context_id* is empty or contains path-traversal characters.
         """
-        if not context_id:
-            raise ValueError("context_id must not be empty")
+        self._validate_context_id(context_id)
 
         workspace_path = self.get_workspace_path(context_id)
         context_file = Path(workspace_path) / ".context.json"