Harden skill loader with canonical path validation #307
Description
Context
Security audit (2026-02-15) identified TOCTOU race in zeph-skills/src/loader.rs:142-206. Skill files are read without verifying canonical paths, allowing potential symlink-based path traversal.
Severity
Low — requires local filesystem access; skills directory is agent-controlled.
Proposed fix
pub fn load_skill_meta(path: &Path) -> Result<SkillMeta, SkillError> {
let canonical = path.canonicalize()
.map_err(|e| SkillError::Other(format!("invalid path: {e}")))?;
if !canonical.starts_with(expected_skills_dir) {
return Err(SkillError::Invalid("path traversal attempt".into()));
}
let content = std::fs::read_to_string(&canonical)?;
// ...
}Acceptance criteria
- Skill loader canonicalizes paths before reading
- Path traversal via symlinks is rejected
- Unit test covers symlink rejection