fix: prevent symlink escape in Filesystem.contains

Open jayhemnani9910 opened this issue 3 weeks ago • 0 comments

The Filesystem.contains() function previously performed only lexical path checking, which could be bypassed using symlinks inside the project directory. An attacker could create a symlink pointing to sensitive files outside the project (e.g., ~/.ssh/id_rsa), and the file tools would allow reading them.

This fix:

  • Uses realpathSync to resolve symlinks before checking containment
  • Falls back to lexical check if realpath fails (e.g., file doesn't exist)
  • Adds explicit handling for Windows cross-drive paths (D:\ vs C:)
  • Removes the TODO comments that documented this issue

jayhemnani9910 · Dec 29 '25 22:12
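To make the bypass and the fix concrete, here is an added example in TypeScript; it is not opencode's `Filesystem.contains` implementation and the function names `containsLexical`, `containsResolved`, `resolveBestEffort` and `demo` are my own. It puts the purely lexical check next to a `realpathSync`-based one and runs both against a constructed project directory containing a symlink to a file outside it (standing in for `~/.ssh/id_rsa`). It assumes a POSIX filesystem where an unprivileged user can create symlinks in a temp directory. One deliberate difference from the PR description: when the target does not exist yet, the example resolves the nearest existing ancestor instead of falling straight back to the lexical check, so a not-yet-written file under a symlinked directory is still judged by where the directory really leads.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Lexical containment: decides purely from the path strings.
// This is the kind of check a symlink inside `root` defeats.
function containsLexical(root: string, target: string): boolean {
  const rel = path.relative(path.resolve(root), path.resolve(target));
  if (rel === "") return true;            // target is the root itself
  if (path.isAbsolute(rel)) return false; // Windows cross-drive (D:\ vs C:\)
  return rel !== ".." && !rel.startsWith(".." + path.sep);
}

// Resolve symlinks with realpathSync. If the path does not exist yet,
// resolve its nearest existing ancestor and re-attach the remaining
// components, so a symlinked parent directory still counts.
// (Stricter than a plain lexical fallback; hypothetical helper, not opencode's.)
function resolveBestEffort(p: string): string {
  const abs = path.resolve(p);
  try {
    return fs.realpathSync(abs);
  } catch {
    const parent = path.dirname(abs);
    if (parent === abs) return abs; // reached the filesystem root
    return path.join(resolveBestEffort(parent), path.basename(abs));
  }
}

// Symlink-aware containment: compare the real locations, not the spellings.
function containsResolved(root: string, target: string): boolean {
  return containsLexical(resolveBestEffort(root), resolveBestEffort(target));
}

// Constructed scenario (not from the PR): a project dir holding a symlink
// that escapes to a "secret" file outside it, plus a symlinked directory.
function demo(): {
  lexical: boolean;
  resolved: boolean;
  missingInside: boolean;
  missingViaLinkDir: boolean;
} {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "contains-demo-"));
  const project = path.join(base, "project");
  const outside = path.join(base, "outside");
  const secret = path.join(outside, "id_rsa"); // stands in for ~/.ssh/id_rsa
  fs.mkdirSync(project);
  fs.mkdirSync(outside);
  fs.writeFileSync(secret, "PRIVATE KEY (constructed sample)\n");

  const link = path.join(project, "notes.txt");
  fs.symlinkSync(secret, link);                     // file symlink escaping the project
  const linkDir = path.join(project, "vendor");
  fs.symlinkSync(outside, linkDir);                 // directory symlink escaping the project

  const lexical = containsLexical(project, link);   // true: the string looks inside
  const resolved = containsResolved(project, link); // false: it really points outside
  // A file that does not exist yet, directly under the project: allowed.
  const missingInside = containsResolved(project, path.join(project, "new.txt"));
  // A file that does not exist yet, under the symlinked directory: rejected.
  const missingViaLinkDir = containsResolved(project, path.join(linkDir, "new.txt"));

  fs.rmSync(base, { recursive: true, force: true });
  return { lexical, resolved, missingInside, missingViaLinkDir };
}
```

Note that the lexical check keeps its own role inside the resolved one: `realpathSync` removes the symlink indirection and normalizes `..` segments, but the final decision is still "is the resolved target's relative path free of a leading `..`", with `path.isAbsolute(rel)` catching the Windows case where `path.relative` cannot express a cross-drive relation.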