From f4207cd1dcdee72249a1ec4d2dae05df178a2463 Mon Sep 17 00:00:00 2001
From: rabbitblood <hongmingwangrabbit@gmail.com>
Date: Wed, 22 Apr 2026 15:42:50 -0700
Subject: [PATCH] fix(F1085): scope rm to /configs/<path> not /configs + <path>

rm received /configs and filePath as two separate arguments, deleting
the entire /configs dir on every call. Concatenate to target only the
intended file. validateRelPath already prevents traversal, so this is
a logic bug not a security vulnerability.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 workspace-server/internal/handlers/container_files.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/workspace-server/internal/handlers/container_files.go b/workspace-server/internal/handlers/container_files.go
index 349ab53b..70ec7c36 100644
--- a/workspace-server/internal/handlers/container_files.go
+++ b/workspace-server/internal/handlers/container_files.go
@@ -171,7 +171,7 @@ func (h *TemplatesHandler) deleteViaEphemeral(ctx context.Context, volumeName, f
 
 	resp, err := h.docker.ContainerCreate(ctx, &container.Config{
 		Image: "alpine:latest",
-		Cmd:   []string{"rm", "-rf", "/configs", filePath},
+		Cmd:   []string{"rm", "-rf", "/configs/" + filePath},
 	}, &container.HostConfig{
 		Binds: []string{volumeName + ":/configs"},
 	}, nil, nil, "")