Skip to content

fix: prevent path traversal via symlinks and cross-drive paths #8316

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mluckydream wants to merge 2 commits into
base: dev
Choose a base branch
from
Open

fix: prevent path traversal via symlinks and cross-drive paths #8316

mluckydream wants to merge 2 commits into from

Conversation

@mluckydream
Copy link

@mluckydream mluckydream commented Jan 14, 2026

Fixes #8313

Summary

Enhanced Filesystem.contains() to prevent directory escape attacks via symlinks and cross-drive paths on Windows.

Changes

  • src/util/filesystem.ts: Enhanced contains() function
    • Use realpathSync() to resolve symlinks to canonical paths
    • Add Windows cross-drive validation (check drive letters match)
    • Fallback to lexical check if path doesn't exist
  • src/file/index.ts: Removed resolved TODO comments (4 lines)

Security Improvements

Prevents symlink escape attacks
Prevents Windows cross-drive path bypass
Maintains backward compatibility

Testing

Tested on macOS (darwin-arm64):

  • Created symlink pointing outside project directory
  • Verified contains() correctly rejects escaped paths
  • Verified normal paths still work correctly

Test scenario

# Create test symlink
ln -s /etc/passwd ./packages/opencode/test-symlink

# Verify it's rejected by containsPath()
# Expected: Access denied error

@github-actions
Copy link
Contributor

github-actions bot commented Jan 14, 2026

The following comment was made by an LLM, it may be inaccurate:

Based on my search, I found several related PRs that address similar security concerns with symlinks and filesystem containment checks. However, none of these are duplicates of PR #8316. Here are the related PRs:

Previously merged/closed security improvements:

  1. PR fix: prevent symlink escape in Filesystem.contains #6403 - "fix: prevent symlink escape in Filesystem.contains"

    • Earlier attempt to address symlink escape vulnerabilities in the same Filesystem.contains() function

  2. PR fix: Harden filesystem contains checks #7449 - "fix: Harden filesystem contains checks"

    • Another hardening effort for filesystem containment validation

  3. PR fix: address external_directory gaps and improve symlink checks #7515 - "fix: address external_directory gaps and improve symlink checks"

    • Broader symlink check improvements alongside external_directory fixes

These PRs appear to be earlier iterations or related security work on the same vulnerability area, but PR #8316 represents a more comprehensive fix addressing both symlinks AND Windows cross-drive path traversal attacks.

No open duplicate PRs found - PR #8316 is the current attempt to address issue #8313 with enhanced protections.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Path traversal vulnerability via symlinks and cross-drive paths

1 participant

@mluckydream