Skip to content

fix(security): prevent path traversal via symlinks #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Ashwinhegde19 merged 2 commits into from
Jan 15, 2026
Merged

fix(security): prevent path traversal via symlinks #1

Ashwinhegde19 merged 2 commits into from
Jan 15, 2026

Conversation

@google-labs-jules
Copy link

@google-labs-jules google-labs-jules bot commented Jan 15, 2026

Summary

This PR fixes a critical security vulnerability that allowed directory traversal via symbolic links. The File.read and File.list tools previously relied on lexical path validation (path.relative), which could be bypassed by creating a symlink inside the project pointing to an external file or directory.

What was broken

  • File.read allowed reading files outside the project if accessed via a symlink.
  • File.list allowed listing directories outside the project if accessed via a symlink.
  • Instance.containsPath (lexical check) returned true for these symlinks because it did not resolve them.

Fix approach

  • In packages/opencode/src/file/index.ts:
    • Update File.read to resolve the path using fs.promises.realpath after confirming existence but before reading content.
    • Update File.list to resolve the path using fs.promises.realpath before listing content.
    • Verify that the resolved real path is contained within the project directory using Instance.containsPath.

Verification

  • Added a new test case packages/opencode/test/security/symlink.test.ts that:
    1. Creates a secret file outside the project.
    2. Creates a symlink to it inside the project.
    3. Attempts to read the symlink using File.read.
    4. Asserts that the operation fails with "Access denied".
  • Ran the test and confirmed it passes (access is denied).
  • Verified that valid operations still work.

Checklist

  • Fix implemented in File.read and File.list
  • Regression test added
  • Verified fix with test

PR created automatically by Jules for task 9454945919874623948 started by @Ashwinhegde19

@google-labs-jules
fix(security): prevent path traversal via symlinks in File.read and F…
d312b4b 
…ile.list

Resolves a critical vulnerability where symlinks could be used to access files outside the project directory.
Implemented `fs.promises.realpath` validation to ensure the actual target path is within the allowed scope.
Added regression test in `packages/opencode/test/security/symlink.test.ts`.
@google-labs-jules
Copy link
Author

google-labs-jules bot commented Jan 15, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@github-actions
Copy link

github-actions bot commented Jan 15, 2026

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

  1. Open an issue describing the bug/feature (if one doesn't exist)
  2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

@google-labs-jules
fix(security): prevent path traversal via symlinks in File.read and F…
0f1ca0a 
…ile.list

Resolves a critical vulnerability where symlinks could be used to access files outside the project directory.
Implemented `fs.promises.realpath` validation to ensure the actual target path is within the allowed scope.
Added regression test in `packages/opencode/test/security/symlink.test.ts`.

Fixes anomalyco#101
@Ashwinhegde19 Ashwinhegde19 marked this pull request as ready for review January 15, 2026 19:56
@Ashwinhegde19 Ashwinhegde19 merged commit 1a3d48d into dev Jan 15, 2026
1 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

needs:issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Ashwinhegde19