Skip to content

fix(fs): refuse credential writes through symlinks#36360

Open
1837620622 wants to merge 1 commit into
anomalyco:devfrom
1837620622:fix/refuse-symlink-credential-writes
Open

fix(fs): refuse credential writes through symlinks#36360
1837620622 wants to merge 1 commit into
anomalyco:devfrom
1837620622:fix/refuse-symlink-credential-writes

Conversation

@1837620622

@1837620622 1837620622 commented Jul 11, 2026

Copy link
Copy Markdown

Issue for this PR

Closes #36367

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Credential/state writers (FSUtil.writeJson, Filesystem.write) followed existing symlinks, so a replaced auth.json (or similar) could redirect writes outside the intended store.

Refuse writes through an existing symlink; leave the link target untouched. Regression test for Filesystem.write.

How did you verify your code works?

  • Added filesystem.test.ts case: write through symlink is rejected and target content unchanged
  • Auth/MCP paths use FSUtil.writeJson which now has the same guard

Screenshots / recordings

N/A — non-UI

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

auth.json and other JSON state writers use Filesystem.write /
FSUtil.writeJson, which followed existing symlinks via writeFile.
A planted symlink under the data directory could redirect secrets
to an attacker-controlled path.

Minimal fix:
- lstat before write; throw if the path is a symlink
- same guard in core FSUtil.writeJson (Auth/McpAuth paths)
- regression test for Filesystem.write
@github-actions

Copy link
Copy Markdown
Contributor

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

  1. Open an issue describing the bug/feature (if one doesn't exist)
  2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

@github-actions github-actions Bot added the needs:compliance This means the issue will auto-close after 2 hours. label Jul 11, 2026
@github-actions

Copy link
Copy Markdown
Contributor

The following comment was made by an LLM, it may be inaccurate:

Based on my search, I found one potentially related PR but it's not a duplicate:

PR #28532: fix(filesystem): resolve symlink/junction targets to directory type in readDirectoryEntries

  • Related to symlink handling in the filesystem module, but addresses reading directory entries, not preventing writes through symlinks

The other results either matched the current PR (#36360) itself or were unrelated to the symlink write security issue.

No duplicate PRs found

@1837620622

Copy link
Copy Markdown
Author

Ready for review — minimal security hardening for credential JSON writers (auth/MCP). Happy to iterate. — @1837620622

@github-actions github-actions Bot removed needs:issue needs:compliance This means the issue will auto-close after 2 hours. labels Jul 11, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Thanks for updating your PR! It now meets our contributing guidelines. 👍

@1837620622

Copy link
Copy Markdown
Author

Review ping 🙏

Refuse credential/state writes through symlinks (lstat before write). Covers Filesystem.write + FSUtil.writeJson. Test included; checks green.

@1837620622

CreatorGhost added a commit to CreatorGhost/TheCode that referenced this pull request Jul 11, 2026
Addresses CodeRabbit TOCTOU finding on the anomalyco#36360 port: the leaf symlink
check now happens at open time via O_NOFOLLOW (lstat retained as the
Windows fallback). Symlinked parent directories remain allowed by design
for dotfile-manager setups.
CreatorGhost added a commit to CreatorGhost/TheCode that referenced this pull request Jul 11, 2026
* fix(fs): refuse credential writes through symlinks

Ported from upstream anomalyco#36360.

* fix(fs): bind symlink refusal to O_NOFOLLOW descriptor writes

Addresses CodeRabbit TOCTOU finding on the anomalyco#36360 port: the leaf symlink
check now happens at open time via O_NOFOLLOW (lstat retained as the
Windows fallback). Symlinked parent directories remain allowed by design
for dotfile-manager setups.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(security): credential writers follow existing symlinks for auth.json / JSON stores

1 participant