-
Notifications
You must be signed in to change notification settings - Fork 54
Expand file tree
/
Copy pathcommit.txt
More file actions
19 lines (16 loc) · 1.11 KB
/
commit.txt
File metadata and controls
19 lines (16 loc) · 1.11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
fix: harden path sandboxing with symlink protection, safe defaults, and sensitive file guards
- Add `Filesystem.containsReal()` with `realpathSync` to prevent symlink escape attacks
(same class of bug as Codex GHSA-w5fx-fh39-j5rw and Claude Code CVE-2025-54794)
- Add `isAbsolute(rel)` check to `Filesystem.contains()` for Windows cross-drive bypass
- Update `Instance.containsPath()` to use symlink-aware `containsReal()`
- Add safe permission defaults: deny `rm -rf`, `git push --force`, `git reset --hard`,
`DROP DATABASE`, `TRUNCATE` out of the box
- Add `Protected.isSensitiveWrite()` to detect writes to `.git/`, `.ssh/`, `.aws/`,
`.env*`, credential files even inside the project boundary
- Add `assertSensitiveWrite()` guard to write, edit, and apply_patch tools
- Remove resolved TODO comments from `file/index.ts`
- Update SECURITY.md, permissions docs, and security FAQ with practical guidance
- Add 94 tests including 62 e2e tests covering symlink attacks, path traversal,
sensitive file detection, and combined attack scenarios
Closes #202
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>