Security: Add TOCTOU symlink checks in repair method

[Pedrovaleriolopez]

Context

Follow-up from PR #56 (Story 6.19 - Post-install validator security hardening).

Issue

The repair() method in src/installer/post-install-validator.js currently checks isPathContained but misses TOCTOU (Time-of-check to time-of-use) symlink checks on the target path.

Required Fix

Before performing fs.copy in the repair method:

1. Iterate path components of targetPath (or walk from this.aiosCoreTarget to path.dirname(targetPath))
2. lstat each component to reject any symbolic links
3. Resolve fs.realpathSync(targetPath) and fs.realpathSync(this.aiosCoreTarget)
4. Ensure the resolved target path remains contained within the resolved aiosCoreTarget
5. If any symlink or realpath containment failure is detected, push a skipped/failed result and continue

Risk Assessment

• Severity: Low (edge case race condition)
• Attack vector: Requires local filesystem access during repair window
• Mitigation: Core validation path already has symlink protection

References

• PR Add security hardening for post-install validator with Ed25519 manifest signature verification #56 CodeRabbit review comment
• CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Labels

security, enhancement, good-first-issue

[oalanicolas]

✅ Fixed in commit 5b1a47c

Changes:

• Added TOCTOU symlink detection in repair() method
• Walks each path component before copy operation
• Final realpath verification as defense-in-depth
• Tests passing (39/39)

[github-actions]

🎉 This issue has been resolved in version 4.0.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀