fix: restrict execute_code filenames to work_dir #3063

Open
wolfkill wants to merge 3 commits into eosphoros-ai:main from wolfkill:fix/code-exec-workdir-boundary

@wolfkill

Contributor

Summary

  • Constrain execute_code filenames to resolved paths inside work_dir before writing or executing generated code.
  • Reject absolute filenames and relative paths that escape work_dir.
  • Add regression coverage for path traversal, absolute paths, and safe nested relative filenames.

Root Cause

CodeAction can pass a model-generated # filename: header into execute_code. The previous implementation joined work_dir and filename directly, so a normalized path like ../outside.py could point outside the intended workspace before file creation.

Validation

  • RED test before fix: PYTHONPATH=packages/dbgpt-core/src .venv/bin/python -m pytest packages/dbgpt-core/src/dbgpt/util/tests/test_code_utils.py -q failed with DID NOT RAISE ValueError.
  • PYTHONPATH=packages/dbgpt-core/src .venv/bin/python -m pytest packages/dbgpt-core/src/dbgpt/util/tests/test_code_utils.py -q -> 3 passed.
  • PYTHONPATH=packages/dbgpt-core/src .venv/bin/python -m pytest packages/dbgpt-core/src/dbgpt/util/tests -q -> 168 passed.
  • .venv/bin/ruff check packages/dbgpt-core/src/dbgpt/util/code_utils.py packages/dbgpt-core/src/dbgpt/util/tests/test_code_utils.py -> passed.
  • .venv/bin/ruff format --check packages/dbgpt-core/src/dbgpt/util/code_utils.py packages/dbgpt-core/src/dbgpt/util/tests/test_code_utils.py -> passed.
  • git diff --check -> passed.
  • Manual smoke test confirmed ../outside.py is blocked and no outside file is created.

Fixes #3025.
Fixes #3048.

github-actions bot added the "fix" (Bug fixes) label on May 18, 2026

Copilot AI left a comment

Contributor

Pull request overview

This PR hardens dbgpt.util.code_utils.execute_code against path traversal by ensuring any model-provided # filename: is constrained to a resolved path within work_dir, preventing arbitrary file writes/execution outside the intended workspace.

Changes:

  • Added _resolve_work_dir_filepath() to validate filenames are relative and remain inside work_dir after resolution (including symlink traversal).
  • Updated execute_code() to use the validated resolved filepath instead of os.path.join(work_dir, filename).
  • Added regression tests covering .. traversal, absolute paths, safe nested relative paths, and symlink escapes.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| packages/dbgpt-core/src/dbgpt/util/code_utils.py | Enforces resolved filename paths remain within work_dir before writing/executing. |
| packages/dbgpt-core/src/dbgpt/util/tests/test_code_utils.py | Adds regression tests for traversal/absolute/symlink escape and a safe nested-path case. |
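
The containment check discussed in this review, as an added example that is not the PR's code or DB-GPT's implementation: it sets the join-only pattern named in the root cause beside a resolve-then-compare check. The helper names `naive_join`, `resolve_inside` and `check_samples`, and the sample filenames, are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_join(work_dir: str, filename: str) -> str:
    """The join-only pattern from the root cause: nothing checks the result."""
    return os.path.normpath(os.path.join(work_dir, filename))


def resolve_inside(work_dir: str, filename: str) -> Path:
    """Hypothetical helper: return the resolved path or raise ValueError."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or malformed filename")
    if os.path.isabs(filename):
        raise ValueError(f"absolute filename rejected: {filename!r}")
    root = Path(work_dir).resolve()
    # resolve() collapses ".." and follows symlinks that already exist,
    # so the comparison below is made on the real on-disk location.
    candidate = (root / filename).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        raise ValueError(f"filename escapes work_dir: {filename!r}")
    return candidate


def check_samples() -> dict:
    """Run constructed filenames through both functions in a temp workspace."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        work = Path(base, "work")
        outside = Path(base, "outside")
        work.mkdir()
        outside.mkdir()
        try:  # a directory symlink inside work_dir that points outside it
            (work / "link").symlink_to(outside, target_is_directory=True)
        except OSError:  # symlinks unavailable on this platform
            pass
        names = ["pkg/tmp_code.py", "../outside.py", "/tmp/abs.py", "link/out.py"]
        for name in names:
            try:
                resolve_inside(str(work), name)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
        # The join-only version silently leaves the workspace for "../".
        results["naive"] = naive_join(str(work), "../outside.py")
        results["naive_escapes"] = not results["naive"].startswith(str(work) + os.sep)
    return results
```

Callers should write to and execute the returned resolved path rather than re-joining the original filename, since the check only covers the path it returned.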

@chenliang15405

Collaborator

Thanks for the security fix! The path traversal protection is well-implemented with proper test coverage.

A couple of notes:

  • Consider documenting the symlink behavior for environments where symlinks are supported
  • This is technically a breaking change for code relying on the previous behavior - worth noting in the changelog

Overall LGTM 👍

@wolfkill

Contributor Author

> Thanks for the security fix! The path traversal protection is well-implemented with proper test coverage.
>
> A couple of notes:
>
>   • Consider documenting the symlink behavior for environments where symlinks are supported
>   • This is technically a breaking change for code relying on the previous behavior - worth noting in the changelog
>
> Overall LGTM 👍

Updated this PR to address the two follow-up notes.

Changes:

  • Documented that execute_code resolves filenames against work_dir and rejects path traversal, absolute paths, and symlink escapes that point outside work_dir.
  • Added a changelog note calling out the compatibility impact for callers that previously relied on files outside the configured working directory.

Local verification:

  • PYTHONPATH=packages/dbgpt-core/src .venv/bin/python -m pytest packages/dbgpt-core/src/dbgpt/util/tests/test_code_utils.py -q
  • .venv/bin/python -m ruff check packages/dbgpt-core/src/dbgpt/util/code_utils.py packages/dbgpt-core/src/dbgpt/util/tests/test_code_utils.py
  • .venv/bin/python -m ruff format --check packages/dbgpt-core/src/dbgpt/util/code_utils.py packages/dbgpt-core/src/dbgpt/util/tests/test_code_utils.py
  • .venv/bin/python -m compileall -q packages/dbgpt-core/src/dbgpt/util/code_utils.py packages/dbgpt-core/src/dbgpt/util/tests/test_code_utils.py
  • git diff --check

All local checks passed.

One note on the current GitHub build failure: the failing make fmt-check is reporting formatting changes needed in packages/dbgpt-core/src/dbgpt/agent/util/react_parser.py and packages/dbgpt-core/src/dbgpt/agent/util/tests/test_react_parser.py, which are not touched by this PR. The changed files in this PR pass local formatting checks.

3 participants