Summary
A vulnerability was identified where .rooignore protections could be bypassed using symlinks. This allowed an attacker with write access to the workspace to trick the extension into reading files that were intended to be excluded. As a result, sensitive files such as .env or configuration files could be exposed.
Impact
An attacker able to modify files within the workspace could gain unauthorized access to sensitive information by bypassing .rooignore rules. This could include secrets, configuration details, or other excluded project data.
Remediation
We now validate .rooignore rules both before and after following symlinks: the path as requested is checked against the rules, and the fully resolved target is checked again, so a symlink cannot be used to reach an excluded file. This prevents this type of bypass.