
fix: prevent path traversal via symlinks and cross-drive paths

Open mluckydream opened this issue 2 days ago • 1 comment

Fixes #8313

Summary

Enhanced Filesystem.contains() to prevent directory escape attacks via symlinks and cross-drive paths on Windows.

Changes

  • src/util/filesystem.ts: Enhanced contains() function
    • Use realpathSync() to resolve symlinks to canonical paths
    • Add Windows cross-drive validation (check drive letters match)
    • Fallback to lexical check if path doesn't exist
  • src/file/index.ts: Removed resolved TODO comments (4 lines)

Security Improvements

  • Prevents symlink escape attacks
  • Prevents Windows cross-drive path bypass
  • Maintains backward compatibility

Testing

Tested on macOS (darwin-arm64):

  • Created symlink pointing outside project directory
  • Verified contains() correctly rejects escaped paths
  • Verified normal paths still work correctly

Test scenario

# Create test symlink
ln -s /etc/passwd ./packages/opencode/test-symlink

# Verify it's rejected by containsPath()
# Expected: Access denied error


mluckydream · Jan 14 '26 01:01
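The hardened contains() described in the PR, as an added TypeScript example that is not the opencode project's own code: realpathSync() resolves symlinks to canonical paths, a drive-letter comparison rejects cross-drive paths on Windows, and a path that does not exist yet falls back to a lexical check. It goes one step beyond the PR text by still resolving the nearest existing ancestor of a missing path, so a symlinked parent directory cannot carry a not-yet-created file outside the root. The demo() fixture (a temp directory with a real file and a symlink pointing one level up) is constructed for this example.

```typescript
import fs from "node:fs"
import os from "node:os"
import path from "node:path"
// Resolve symlinks to a canonical path. A path that does not exist yet keeps
// its lexical form, but its nearest existing ancestor is still resolved
// (an addition over the PR text) so a symlinked parent cannot escape the root.
function canonical(p: string): string {
  const abs = path.resolve(p)
  try {
    return fs.realpathSync(abs)
  } catch {
    const parent = path.dirname(abs)
    if (parent === abs) return abs // filesystem root: nothing left to resolve
    return path.join(canonical(parent), path.basename(abs))
  }
}
// Drive letter of a Windows absolute path ("C:\..." -> "C"), "" on other OSes.
function driveOf(p: string): string {
  const m = /^([a-zA-Z]):[\\/]/.exec(p)
  return m ? m[1].toUpperCase() : ""
}
// True when target is root itself or lies beneath it after resolution.
export function contains(root: string, target: string): boolean {
  const r = canonical(root)
  const t = canonical(target)
  // Paths on different drives can never share a root: reject them up front.
  if (process.platform === "win32" && driveOf(r) !== driveOf(t)) return false
  const rel = path.relative(r, t)
  if (rel === "") return true
  return !path.isAbsolute(rel) && rel !== ".." && !rel.startsWith(".." + path.sep)
}
// Constructed fixture: a project dir with a real source file and a symlink
// named "escape" that points at the directory above the project.
export function demo(): Record<string, boolean> {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "contains-"))
  fs.mkdirSync(path.join(root, "src"))
  fs.writeFileSync(path.join(root, "src", "ok.ts"), "// sample")
  fs.symlinkSync(path.dirname(root), path.join(root, "escape"))
  const out = {
    normalFile: contains(root, path.join(root, "src", "ok.ts")),
    notYetCreated: contains(root, path.join(root, "src", "new.ts")),
    symlinkOut: contains(root, path.join(root, "escape")),
    underSymlink: contains(root, path.join(root, "escape", "other.txt")),
    dotDot: contains(root, path.join(root, "..", "other.txt")),
  }
  fs.rmSync(root, { recursive: true, force: true })
  return out
}
```

Run demo() on a POSIX host to see the symlink cases rejected; the drive-letter branch only takes effect on Windows.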