
Path traversal vulnerability via symlinks and cross-drive paths

Open mluckydream opened this issue 17 hours ago • 1 comment

Description

Problem

The Filesystem.contains() function uses lexical path checking only, which allows:

  • Symlink escape attacks
  • Cross-drive path bypass on Windows

See TODO comments in src/file/index.ts:280-281 and 340-341

Solution

Use realpathSync() to resolve symlinks and validate drive letters on Windows.

Plugins

No response

OpenCode version

No response

Steps to reproduce

No response

Screenshot and/or share link

No response

Operating System

No response

Terminal

No response

mluckydream, Jan 14 '26 00:01
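As an added illustration of the two bypasses the issue describes (not opencode's code and not a reconstruction of its `Filesystem.contains()`), a hypothetical lexical-only check is placed beside a hardened version that resolves symlinks with `realpathSync()` and compares roots so a Windows drive letter cannot differ; the sandbox, symlink and file names are constructed for the demo.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

type P = typeof path.win32; // a platform path module: path, path.posix or path.win32

// Lexical-only check of the kind the issue describes (hypothetical, not the project's code):
// it only rejects a relative path that climbs with "..", so it never looks at symlink targets
// and, on Windows, never notices that the two paths live on different drives.
export function containsLexical(parent: string, child: string, p: P = path): boolean {
  const rel = p.relative(p.resolve(parent), p.resolve(child));
  return !rel.startsWith("..");
}

// Hardened containment test on already-resolved paths: both must share a root (the drive
// letter on Windows, compared case-insensitively) and the relative path must neither be
// absolute nor climb out with "..".
export function sameRootAndInside(parent: string, child: string, p: P = path): boolean {
  const a = p.resolve(parent);
  const b = p.resolve(child);
  if (p.parse(a).root.toLowerCase() !== p.parse(b).root.toLowerCase()) return false;
  const rel = p.relative(a, b);
  return rel === "" || (rel !== ".." && !rel.startsWith(".." + p.sep) && !p.isAbsolute(rel));
}

// Full check: follow symlinks with realpathSync() first, so a link inside the sandbox that
// points outside is judged by where it really leads (both paths must exist).
export function containsReal(parent: string, child: string): boolean {
  return sameRootAndInside(fs.realpathSync(parent), fs.realpathSync(child), path);
}

// Constructed scenario: sandbox/escape is a symlink to a sibling directory "outside";
// we then ask both checks whether sandbox/escape/secret.txt is inside the sandbox.
export function symlinkDemo(): { lexical: boolean; real: boolean } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "contains-demo-"));
  const sandbox = path.join(base, "sandbox");
  const outside = path.join(base, "outside");
  fs.mkdirSync(sandbox);
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(outside, "secret.txt"), "constructed sample data\n");
  fs.symlinkSync(outside, path.join(sandbox, "escape"), "dir");
  const target = path.join(sandbox, "escape", "secret.txt");
  try {
    return { lexical: containsLexical(sandbox, target), real: containsReal(sandbox, target) };
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}
```

The Windows cross-drive case can be exercised on any OS by passing `path.win32`: `containsLexical("C:\\proj", "D:\\loot", path.win32)` accepts the path because `relative()` returns the absolute `D:\\loot` rather than a `..` prefix, while `sameRootAndInside()` rejects it on the root comparison.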