Skip to content

Harden skill loader with canonical path validation #307

@bug-ops

Description

@bug-ops

Context

Security audit (2026-02-15) identified TOCTOU race in zeph-skills/src/loader.rs:142-206. Skill files are read without verifying canonical paths, allowing potential symlink-based path traversal.

Severity

Low — requires local filesystem access; skills directory is agent-controlled.

Proposed fix

pub fn load_skill_meta(path: &Path) -> Result<SkillMeta, SkillError> {
    let canonical = path.canonicalize()
        .map_err(|e| SkillError::Other(format!("invalid path: {e}")))?;
    if !canonical.starts_with(expected_skills_dir) {
        return Err(SkillError::Invalid("path traversal attempt".into()));
    }
    let content = std::fs::read_to_string(&canonical)?;
    // ...
}

Acceptance criteria

  • Skill loader canonicalizes paths before reading
  • Path traversal via symlinks is rejected
  • Unit test covers symlink rejection

Metadata

Metadata

Assignees

No one assigned

    Labels

    M14M14: Security HardeningsecuritySecurity hardeningskillsSKILL.md system

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions