
Audit file open, stream, and directory creation policy for bounds, sharing, and permissions #4078

Description

@Widthdom

Summary

Dogfood review found a broad set of file open/stream/directory creation sites. This complements destructive filesystem work in #4076: the focus here is non-destructive I/O policy, including sharing modes, size bounds, permissions, atomic write setup, log/audit files, lock files, and raw byte loading.

Evidence

Known dogfood findings from the previous pass:

dotnet ./src/CodeIndex/bin/Debug/net8.0/cdidx.dll search File.Open --path src/ --exclude-tests --exact-substring --count-by file --limit 120

dotnet ./src/CodeIndex/bin/Debug/net8.0/cdidx.dll search FileStream --path src/ --exclude-tests --exact-substring --count-by file --limit 120

dotnet ./src/CodeIndex/bin/Debug/net8.0/cdidx.dll search Directory.CreateDirectory --path src/ --exclude-tests --exact-substring --count-by file --limit 120

Findings:

  • File.Open: 18 hits across 11 production files.
    • Top areas include ExportImportCommandRunner, ProgramRunner, MetricsSink, AuditLogSink, BoundedLineReader, DataDirectorySecurity, GlobalToolLog, ReportCommandRunner, SearchAuditRecipes, FileIndexer, and LspServer.
  • FileStream: 23 hits across 20 production files.
    • Top areas include raw byte loading, SuggestionStore, BoundedFile, AtomicFileWriter, BoundedHttpContentReader, security/log/lock helpers, plugin pattern config, checksum, path aliases, and MCP index lock.
  • Directory.CreateDirectory: 15 hits across 11 production files.
    • Top areas include export/import, data-directory security, program runner, global log, hooks, full scan, lock creation, reporting, case-sensitivity probe, and MCP index lock.

Audit goals

  • Verify file opens use deliberate FileMode, FileAccess, FileShare, and async options.
  • Verify large or user-influenced reads use bounded readers or explicit byte/line caps.
  • Verify directories that hold DBs, logs, hooks, locks, temp files, or reports get correct permissions and ownership checks.
  • Verify lock/log/audit files handle stale files, concurrent writers, and permission failures consistently.
  • Verify atomic-write setup is aligned with the replace/delete policy in #4076 (Audit destructive filesystem operations and atomic replace/delete policy).
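As an added illustration of the first three goals (deliberate open options, bounded reads, private directories) in .NET 8, not code from the cdidx project: the BoundedFileIo class and its method names are hypothetical, and the byte cap is supplied by the caller.

```csharp
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical helper written for this issue; not part of the cdidx code base.
public static class BoundedFileIo
{
    // Reads at most maxBytes from a file a user or workspace may control; every open parameter is explicit.
    public static async Task<byte[]> ReadAllBoundedAsync(string path, int maxBytes, CancellationToken ct)
    {
        var options = new FileStreamOptions
        {
            Mode = FileMode.Open,                     // a read path must never create or truncate
            Access = FileAccess.Read,
            Share = FileShare.Read,                   // readers may coexist; writers are refused on Windows
            Options = FileOptions.Asynchronous | FileOptions.SequentialScan,
        };
        await using var fs = new FileStream(path, options);
        // Length is a hint only: FileShare is advisory on Unix, so the file can still grow
        // after this check. The read loop below enforces the cap regardless.
        if (fs.Length > maxBytes)
            throw new InvalidDataException($"{path} is {fs.Length} bytes; cap is {maxBytes}.");
        var buffer = new byte[maxBytes + 1];          // one extra byte detects overrun
        int total = 0;
        while (total < buffer.Length)
        {
            int n = await fs.ReadAsync(buffer.AsMemory(total, buffer.Length - total), ct);
            if (n == 0) break;
            total += n;
        }
        if (total > maxBytes)
            throw new InvalidDataException($"{path} exceeded the {maxBytes}-byte cap while being read.");
        return buffer.AsSpan(0, total).ToArray();
    }

    // Creates a directory for DBs, logs or locks with owner-only permissions on Unix and
    // re-checks the mode, because CreateDirectory leaves an existing directory's mode alone.
    public static DirectoryInfo EnsurePrivateDirectory(string path)
    {
        if (OperatingSystem.IsWindows())
            return Directory.CreateDirectory(path);   // NTFS ACLs inherit from the parent; audit those separately
        const UnixFileMode ownerOnly = UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.UserExecute;
        var dir = Directory.CreateDirectory(path, ownerOnly);
        if ((File.GetUnixFileMode(path) & ~ownerOnly) != 0)
            throw new UnauthorizedAccessException($"{path} is group- or world-accessible; refusing to use it.");
        return dir;
    }
}
```

The post-create mode check is a sanity check rather than a race-free guarantee, so callers that need stronger assurance should also verify ownership before trusting the directory.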

Acceptance criteria

  • Classify file open/stream/create sites by domain: DB/data dir, logs/audit, import/export/report, locks, raw bytes, plugin/hook config, MCP/LSP, metrics.
  • Add or confirm size bounds and sharing policy for user/workspace-controlled files.
  • Add tests for any changed permissions, sharing, or bounded-read behavior.
  • Keep destructive delete/move/replace behavior tracked in #4076 (Audit destructive filesystem operations and atomic replace/delete policy).
