.rooignore Ineffective for Directory Context, Exposing Sensitive Data

[alexauvray]

App Version

3.16.6

API Provider

OpenRouter

Model Used

Claude 3.7 Sonnet

🔁 Steps to Reproduce

Description:
When a directory is provided as context, .rooignore is bypassed, and sensitive files (e.g., .env) listed in .rooignore are still processed, leading to unintended exposure of sensitive data in responses. This undermines the purpose of .rooignore and forces manual exclusion of sensitive files, creating a security risk and workflow inefficiency.

Example:
.rooignore contents:

.env
.env.dev
.env.dist
.env.production
node_modules/
.git
dist/

When providing the directory as context, the response included sensitive .env data and concluded with:

Problem:
The .rooignore file is rendered ineffective when a directory is used as context, negating its role in protecting sensitive files. Manually curating context to exclude ignored files defeats the purpose of .rooignore and increases the risk of errors.

Expected Behavior:
Files and directories specified in .rooignore should be automatically excluded from processing when a directory is provided as context, ensuring sensitive data is not exposed.

Steps to Reproduce:

1. Create a .rooignore file listing .env and other sensitive files/directories.
2. Include a directory containing .env in the context.
3. Observe that sensitive .env data is included in the response despite being listed in .rooignore.

Impact:

• Security: Exposure of sensitive data (e.g., API keys, credentials).
• Usability: Manual exclusion of files undermines .rooignore functionality, increasing complexity.

Suggested Fix:

• Enforce .rooignore rules during directory context processing to exclude listed files/directories.
• Add validation or warnings if ignored files are detected in the context.

[dosubot]

Hello @alexauvray! I'm here to help you with any bugs, questions, or contributions you might have. While you wait for a human maintainer, feel free to share more about your issue, and I'll do my best to assist you!

The issue you're experiencing with .rooignore not effectively excluding files when a directory is provided as context in Roo Code version 3.16.6 is acknowledged in the documentation. The .rooignore file is intended to automatically exclude specified files and directories from processing, but it seems there might be a limitation or bug affecting this functionality in your case ^[1][2].

The expected behavior is that files listed in .rooignore should be hidden or marked with a lock symbol when showRooIgnoredFiles is enabled, and attempts to read these files should result in an error message indicating access denial due to .rooignore rules ^[1]. However, if this is not happening, it suggests a potential issue with the current implementation.

Unfortunately, I couldn't find specific troubleshooting steps or known bugs related to this issue in the documentation ^[2]. It might be beneficial to check for any open issues or updates in the repository that address this problem. Additionally, considering the impact on security and usability, it would be advisable to manually exclude sensitive files from context until a fix is implemented.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[mrubens]

I agree, we should change how this works when adding manually adding directories to the context. I think it makes sense to allow explicit adding of .rooignored files to the context, but not when adding directories.

[xyOz-dev]

#4075

[daniel-lxs]

Hey @alexauvray,

Please let us know if this is fixed for you since we merged a PR for this recently: #4075