fix(server): add size limit to directory injection in SandboxWorkspaceManager (#917)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: FelixTJDietrich

server/application-server/src/main/java/de/tum/in/www1/hephaestus/agent/sandbox/SandboxProperties.java

@@ -41,6 +41,8 @@
  * @param llmProxyPort port on which the LLM proxy listens (inside the app-server container)
  * @param appServerContainerId Docker container ID of the app-server (null=auto-detect from
  *     HOSTNAME)
+ * @param maxDirectoryBytes maximum total bytes for directory injection via tar (default 1 GB)
+ * @param maxDirectoryEntries maximum entry count for directory injection (default 500,000)
  * @param defaultResourceLimits default resource constraints for containers
  */
 @Validated
@@ -56,6 +58,8 @@ public record SandboxProperties(
     @Nullable String containerRuntime,
     @DefaultValue("8080") @Min(1) int llmProxyPort,
     @Nullable String appServerContainerId,
+    @DefaultValue("1073741824") @Min(1) long maxDirectoryBytes, // 1 GB
+    @DefaultValue("500000") @Min(1) int maxDirectoryEntries,
     @Valid DefaultResourceLimits defaultResourceLimits
 ) {
     public SandboxProperties {

server/application-server/src/main/java/de/tum/in/www1/hephaestus/agent/sandbox/docker/DockerSandboxConfiguration.java

@@ -96,8 +96,14 @@ public SandboxNetworkManager sandboxNetworkManager(DockerClientOperations ops, S
     }
 
     @Bean
-    public SandboxWorkspaceManager sandboxWorkspaceManager(DockerClientOperations ops) {
-        return new SandboxWorkspaceManager(ops);
+    public SandboxWorkspaceManager sandboxWorkspaceManager(DockerClientOperations ops, SandboxProperties properties) {
+        return new SandboxWorkspaceManager(
+            ops,
+            SandboxWorkspaceManager.MAX_OUTPUT_BYTES,
+            SandboxWorkspaceManager.MAX_SINGLE_FILE_BYTES,
+            properties.maxDirectoryBytes(),
+            properties.maxDirectoryEntries()
+        );
     }
 
     /**

server/application-server/src/main/java/de/tum/in/www1/hephaestus/agent/sandbox/docker/SandboxWorkspaceManager.java

@@ -1,14 +1,18 @@
 package de.tum.in.www1.hephaestus.agent.sandbox.docker;
 
 import de.tum.in.www1.hephaestus.agent.sandbox.spi.SandboxException;
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.OutputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.stream.Stream;
 import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
 import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
 import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
@@ -34,19 +38,38 @@ public class SandboxWorkspaceManager {
     /** Maximum total size of injected input files (50 MB). */
     static final long MAX_INPUT_BYTES = 50L * 1024 * 1024;
 
+    /** Maximum total size of a directory injected via tar (1 GB). */
+    static final long MAX_DIRECTORY_BYTES = 1024L * 1024 * 1024;
+
+    /** Maximum number of entries (files + directories) in a directory injection. */
+    static final int MAX_DIRECTORY_ENTRIES = 500_000;
+
+    /** Maximum directory tree depth for walk operations. */
+    static final int MAX_WALK_DEPTH = 50;
+
     private final DockerFileOperations fileOps;
     private final long maxOutputBytes;
     private final long maxSingleFileBytes;
+    private final long maxDirectoryBytes;
+    private final int maxDirectoryEntries;
 
     public SandboxWorkspaceManager(DockerFileOperations fileOps) {
-        this(fileOps, MAX_OUTPUT_BYTES, MAX_SINGLE_FILE_BYTES);
+        this(fileOps, MAX_OUTPUT_BYTES, MAX_SINGLE_FILE_BYTES, MAX_DIRECTORY_BYTES, MAX_DIRECTORY_ENTRIES);
     }
 
-    /** Package-private constructor for testing with smaller limits. */
-    SandboxWorkspaceManager(DockerFileOperations fileOps, long maxOutputBytes, long maxSingleFileBytes) {
+    /** Package-private constructor for testing with custom limits. */
+    SandboxWorkspaceManager(
+        DockerFileOperations fileOps,
+        long maxOutputBytes,
+        long maxSingleFileBytes,
+        long maxDirectoryBytes,
+        int maxDirectoryEntries
+    ) {
         this.fileOps = fileOps;
         this.maxOutputBytes = maxOutputBytes;
         this.maxSingleFileBytes = maxSingleFileBytes;
+        this.maxDirectoryBytes = maxDirectoryBytes;
+        this.maxDirectoryEntries = maxDirectoryEntries;
     }
 
     /**
@@ -93,29 +116,78 @@ public void injectDirectories(String containerId, Map<String, String> directoryM
     }
 
     /**
-     * Walk a host directory, create a tar archive, and copy it into the container.
-     * The tar entries are prefixed with the final path component so that extracting at
-     * the parent of containerPath produces the correct layout.
+     * Walk a host directory, create a tar archive on a temp file, and stream it into the container.
+     *
+     * <p>Uses a temporary file instead of {@link ByteArrayOutputStream} to avoid loading the entire
+     * archive into JVM heap. Memory usage is O(buffer_size) regardless of directory size, since each
+     * file is streamed through a fixed buffer. The docker-java transport streams the tar lazily via
+     * chunked transfer encoding — no additional buffering occurs downstream.
+     *
+     * <p>The tar entries are prefixed with the final path component so that extracting at the parent
+     * of containerPath produces the correct layout.
      */
     private void injectDirectoryViaTar(String containerId, String hostPath, String containerPath) {
         Path hostDir = Path.of(hostPath);
-        // Container path parent is where we extract; the tar has the dir name as prefix
         Path containerParent = Path.of(containerPath).getParent();
         String dirName = Path.of(containerPath).getFileName().toString();
         if (containerParent == null) {
             containerParent = Path.of("/");
         }
 
+        Path tempTar = null;
+        try {
+            tempTar = Files.createTempFile("hephaestus-inject-", ".tar");
+
+            // Phase 1: Walk directory and write tar to temp file.
+            // Memory: O(COPY_BUFFER_SIZE) — each file is streamed, never loaded whole.
+            writeTarToFile(tempTar, hostDir, dirName, hostPath);
+
+            // Phase 2: Stream tar from disk to Docker daemon.
+            // docker-java wraps this in InputStreamEntity (chunked transfer) — no heap copy.
+            try (InputStream tarStream = new BufferedInputStream(Files.newInputStream(tempTar))) {
+                fileOps.copyArchiveToContainer(containerId, containerParent.toString(), tarStream);
+            }
+        } catch (IOException e) {
+            throw new SandboxException("Failed to inject directory " + hostPath + " into container " + containerId, e);
+        } finally {
+            if (tempTar != null) {
+                try {
+                    Files.deleteIfExists(tempTar);
+                } catch (IOException e) {
+                    log.warn("Failed to delete temp tar file {}: {}", tempTar, e.getMessage());
+                }
+            }
+        }
+    }
+
+    /** Buffer size for streaming file contents into the tar archive (64 KB). */
+    private static final int COPY_BUFFER_SIZE = 64 * 1024;
+
+    /**
+     * Write a tar archive of the given directory to a file on disk. Files are streamed through a
+     * fixed-size buffer rather than loaded entirely into memory.
+     */
+    private void writeTarToFile(Path tarFile, Path hostDir, String dirName, String hostPath) throws IOException {
+        long[] totalBytes = { 0 };
+        int[] entryCount = { 0 };
+
         try (
-            ByteArrayOutputStream baos = new ByteArrayOutputStream();
-            TarArchiveOutputStream tar = new TarArchiveOutputStream(baos)
+            OutputStream fileOut = new BufferedOutputStream(Files.newOutputStream(tarFile), COPY_BUFFER_SIZE);
+            TarArchiveOutputStream tar = new TarArchiveOutputStream(fileOut);
+            Stream<Path> paths = Files.walk(hostDir, MAX_WALK_DEPTH)
         ) {
             tar.setLongFileMode(TarArchiveOutputStream.LONGFILE_POSIX);
             tar.setBigNumberMode(TarArchiveOutputStream.BIGNUMBER_POSIX);
 
-            // Walk the directory tree and add each file/directory
-            Files.walk(hostDir).forEach(path -> {
+            paths.forEach(path -> {
                 try {
+                    entryCount[0]++;
+                    if (entryCount[0] > maxDirectoryEntries) {
+                        throw new SandboxException(
+                            "Directory injection exceeds entry count limit (" + maxDirectoryEntries + "): " + hostPath
+                        );
+                    }
+
                     String relativePath = hostDir.relativize(path).toString();
                     String entryName = relativePath.isEmpty() ? dirName : dirName + "/" + relativePath;
 
@@ -125,27 +197,33 @@ private void injectDirectoryViaTar(String containerId, String hostPath, String c
                         tar.putArchiveEntry(dirEntry);
                         tar.closeArchiveEntry();
                     } else if (Files.isRegularFile(path)) {
-                        byte[] content = Files.readAllBytes(path);
+                        long fileSize = Files.size(path);
+                        totalBytes[0] += fileSize;
+                        if (totalBytes[0] > maxDirectoryBytes) {
+                            throw new SandboxException(
+                                "Directory injection exceeds size limit (" + maxDirectoryBytes + " bytes): " + hostPath
+                            );
+                        }
+
                         TarArchiveEntry fileEntry = new TarArchiveEntry(entryName);
-                        fileEntry.setSize(content.length);
+                        fileEntry.setSize(fileSize);
                         fileEntry.setModTime(Files.getLastModifiedTime(path).toMillis());
                         tar.putArchiveEntry(fileEntry);
-                        tar.write(content);
+
+                        // Stream file through fixed buffer — not Files.readAllBytes()
+                        try (InputStream fileIn = Files.newInputStream(path)) {
+                            fileIn.transferTo(tar);
+                        }
                         tar.closeArchiveEntry();
                     }
-                    // Skip symlinks for security (already validated above)
+                    // Symlinks are silently skipped: Files.walk() does not follow them by default,
+                    // and Files.isRegularFile/isDirectory return false for unresolved symlinks.
                 } catch (IOException e) {
                     throw new SandboxException("Failed to add file to tar: " + path, e);
                 }
             });
 
             tar.finish();
-
-            try (InputStream tarStream = new ByteArrayInputStream(baos.toByteArray())) {
-                fileOps.copyArchiveToContainer(containerId, containerParent.toString(), tarStream);
-            }
-        } catch (IOException e) {
-            throw new SandboxException("Failed to inject directory " + hostPath + " into container " + containerId, e);
         }
     }
 

server/application-server/src/main/resources/application.yml

@@ -424,6 +424,8 @@ hephaestus:
         # OCI runtime: null=runc (default), "runsc"=gVisor (recommended for production)
         container-runtime: ${SANDBOX_CONTAINER_RUNTIME:}
         llm-proxy-port: ${SANDBOX_LLM_PROXY_PORT:8080}
+        max-directory-bytes: ${SANDBOX_MAX_DIRECTORY_BYTES:1073741824}  # 1 GB
+        max-directory-entries: ${SANDBOX_MAX_DIRECTORY_ENTRIES:500000}
         default-resource-limits:
             memory-bytes: ${SANDBOX_MEMORY_BYTES:4294967296}  # 4 GB (includes tmpfs)
             cpus: ${SANDBOX_CPUS:2.0}

server/application-server/src/test/java/de/tum/in/www1/hephaestus/agent/sandbox/docker/ContainerSecurityPolicyTest.java

@@ -34,6 +34,8 @@ void setUp() {
             null,
             8080,
             null,
+            209_715_200L,
+            500_000,
             null
         );
         securityPolicy = new ContainerSecurityPolicy(properties, null);
@@ -205,6 +207,8 @@ void shouldUseGlobalRuntime() {
                 "runsc",
                 8080,
                 null,
+                209_715_200L,
+                500_000,
                 null
             );
             ContainerSecurityPolicy policyWithRuntime = new ContainerSecurityPolicy(propsWithRuntime, null);
@@ -265,6 +269,8 @@ void shouldIncludeSeccompWhenProvided() {
                     null,
                     8080,
                     null,
+                    209_715_200L,
+                    500_000,
                     null
                 ),
                 "{\"defaultAction\":\"SCMP_ACT_ERRNO\"}"
@@ -497,6 +503,8 @@ void shouldPreventRuntimeDowngrade() {
                 "runsc",
                 8080,
                 null,
+                209_715_200L,
+                500_000,
                 null
             );
             ContainerSecurityPolicy policyWithRuntime = new ContainerSecurityPolicy(propsWithRuntime, null);

server/application-server/src/test/java/de/tum/in/www1/hephaestus/agent/sandbox/docker/DockerHealthIndicatorTest.java

@@ -34,6 +34,8 @@ void setUp() {
             null,
             8080,
             null,
+            209_715_200L,
+            500_000,
             null
         );
         indicator = new DockerHealthIndicator(containerManager, properties);

server/application-server/src/test/java/de/tum/in/www1/hephaestus/agent/sandbox/docker/DockerSandboxAdapterTest.java

@@ -91,6 +91,8 @@ void setUp() {
             null,
             8080,
             null,
+            209_715_200L,
+            500_000,
             null
         );
         meterRegistry = new SimpleMeterRegistry();

server/application-server/src/test/java/de/tum/in/www1/hephaestus/agent/sandbox/docker/DockerSandboxLiveTest.java

@@ -69,6 +69,8 @@ void setUp() {
             null,
             8080,
             null,
+            209_715_200L,
+            500_000,
             null
         );
 

server/application-server/src/test/java/de/tum/in/www1/hephaestus/agent/sandbox/docker/SandboxContainerManagerTest.java

@@ -47,6 +47,8 @@ void setUp() {
             null,
             8080,
             null,
+            209_715_200L,
+            500_000,
             null
         );
         executor = Executors.newSingleThreadExecutor();

server/application-server/src/test/java/de/tum/in/www1/hephaestus/agent/sandbox/docker/SandboxNetworkManagerTest.java

@@ -42,6 +42,8 @@ void setUp() {
             null,
             8080,
             "app-server-id",
+            209_715_200L,
+            500_000,
             null
         );
         manager = new SandboxNetworkManager(networkOps, properties);
@@ -102,6 +104,8 @@ void shouldFallBackToHostname() {
                 null,
                 8080,
                 null,
+                209_715_200L,
+                500_000,
                 null
             );
             SandboxNetworkManager mgr = new SandboxNetworkManager(networkOps, propsNoId, () -> "hostname-container-id");
@@ -128,6 +132,8 @@ void shouldReturnNullWhenNoContainerId() {
                 null,
                 8080,
                 null,
+                209_715_200L,
+                500_000,
                 null
             );
             SandboxNetworkManager mgr = new SandboxNetworkManager(networkOps, propsNoId, () -> null);
@@ -151,6 +157,8 @@ void shouldReturnNullWhenHostnameBlank() {
                 null,
                 8080,
                 null,
+                209_715_200L,
+                500_000,
                 null
             );
             SandboxNetworkManager mgr = new SandboxNetworkManager(networkOps, propsNoId, () -> "  ");
@@ -175,6 +183,8 @@ void shouldCacheContainerId() {
                 null,
                 8080,
                 null,
+                209_715_200L,
+                500_000,
                 null
             );
             SandboxNetworkManager mgr = new SandboxNetworkManager(networkOps, propsNoId, () -> {
@@ -217,6 +227,8 @@ void shouldNoOpWhenNoContainerId() {
                 null,
                 8080,
                 null,
+                209_715_200L,
+                500_000,
                 null
             );
             SandboxNetworkManager mgr = new SandboxNetworkManager(networkOps, propsNoId, () -> null);