Skip to content

Comments

fix(opencode): prevent cross-drive path bypass in Filesystem.contains on Windows#14581

Open
Nicoo01x wants to merge 1 commit intoanomalyco:devfrom
Nicoo01x:fix/windows-cross-drive-path-bypass
Open

fix(opencode): prevent cross-drive path bypass in Filesystem.contains on Windows#14581
Nicoo01x wants to merge 1 commit intoanomalyco:devfrom
Nicoo01x:fix/windows-cross-drive-path-bypass

Conversation

@Nicoo01x
Copy link

@Nicoo01x Nicoo01x commented Feb 21, 2026

Issue for this PR

Closes #14579

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Filesystem.contains() uses path.relative(parent, child).startsWith("..") to check if a child path is inside a parent directory. On Windows, when the paths are on different drive letters, path.relative() returns the absolute child path instead of a ..-prefixed relative path:

path.relative("D:\project", "C:\evil\file.txt")
// Returns: "C:\evil\file.txt"  (no ".." prefix!)

This means contains() incorrectly returns true, allowing File.read() and File.list() to access files on any drive.

The fix adds a drive letter comparison before the path.relative() call. This is simpler than realpathSync-based approaches (like #8316) because it doesn't depend on the target file existing and has no fallback path that reintroduces the bug.

How did you verify your code works?

  1. Wrote a reproduction script confirming Filesystem.contains("D:\project", "C:\evil\file.txt") returns true (bug) on Windows
  2. After the fix, same call returns false
  3. Ran existing test suite: bun test test/file/path-traversal.test.ts — 19/19 pass
  4. Ran bun test test/util/filesystem.test.ts — 38/38 pass
  5. Added 4 new Windows-specific tests covering: cross-drive block, same-drive allow, case-insensitive drive letters, forward slash variant

Screenshots / recordings

N/A — not a UI change.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

… on Windows

On Windows, path.relative() across different drive letters returns the
absolute child path instead of a ".." prefixed relative path, causing
Filesystem.contains() to incorrectly report that a path on a different
drive is inside the project directory.

Add a drive letter comparison guard before the path.relative() check.
Remove resolved TODO comments from file/index.ts.
Add Windows-specific tests for cross-drive, same-drive, and
case-insensitive drive letter scenarios.

Closes anomalyco#14579
@github-actions github-actions bot added the needs:compliance This means the issue will auto-close after 2 hours. label Feb 21, 2026
@github-actions
Copy link
Contributor

The following comment was made by an LLM, it may be inaccurate:

Based on the search results, I found the following potentially related PRs (excluding the current PR #14581):

Potential Duplicates/Related PRs:

  1. fix: prevent path traversal via symlinks and cross-drive paths #8316 - "fix: prevent path traversal via symlinks and cross-drive paths"

    • This PR appears to address the same cross-drive path issue and may have already implemented a fix for this vulnerability.
  2. fix: prevent symlink escape in Filesystem.contains #6403 - "fix: prevent symlink escape in Filesystem.contains"

    • Related security fix for the same Filesystem.contains() method, though focused on symlink escapes.
  3. fix(win32): path handling #11897 - "fix(win32): path handling"

    • General Windows path handling fixes that may be relevant to this issue.

Recommendation: Check PR #8316 first, as it explicitly mentions preventing both symlinks AND cross-drive paths - this may be a prior fix that's being re-addressed, or it may have been incomplete/reverted.

@github-actions github-actions bot removed the needs:compliance This means the issue will auto-close after 2 hours. label Feb 21, 2026
@github-actions
Copy link
Contributor

Thanks for updating your PR! It now meets our contributing guidelines. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix: Filesystem.contains cross-drive path bypass on Windows

1 participant