Description
Credential and state writers (FSUtil.writeJson, Filesystem.write used for auth/MCP/plugin stores) open the target path with normal write APIs. If auth.json (or similar) is replaced by a symlink, writes follow the link and can overwrite an attacker-chosen file (or plant secrets outside the intended store).
Expected
Refuse to write through an existing symlink for credential/state JSON writers; leave the link target untouched.
Actual
writeFile / writeFileString follow symlinks and write the target.
Description
Credential and state writers (
FSUtil.writeJson,Filesystem.writeused for auth/MCP/plugin stores) open the target path with normal write APIs. Ifauth.json(or similar) is replaced by a symlink, writes follow the link and can overwrite an attacker-chosen file (or plant secrets outside the intended store).Expected
Refuse to write through an existing symlink for credential/state JSON writers; leave the link target untouched.
Actual
writeFile/writeFileStringfollow symlinks and write the target.