🛡️ Sentinel: [CRITICAL] Fix unsafe path handling (#417)

acebytes · google-labs-jules[bot] · web-flow · commit 6f62c0ebb74b · 2026-06-20T20:59:04.000-07:00
Fixed insecure path handling in `StatusSocket.swift` where POSIX file APIs (`open()`) were called with raw path variables, leading to unsafe filesystem representations. Replaced raw POSIX calls with safe C-string pointer wrappers (`URL(fileURLWithPath:).withUnsafeFileSystemRepresentation`) to securely bridge file paths.

Co-authored-by: google-labs-jules[bot] &lt;161369871+google-labs-jules[bot]@users.noreply.github.com&gt;
Co-authored-by: acebytes &lt;2820910+acebytes@users.noreply.github.com&gt;
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -138,3 +138,8 @@ grep -nE "O_NOFOLLOW|O_CLOEXEC|fchmod|withUnsafeFileSystemRepresentation" <candi
 **Vulnerability:** Insecure file creation due to missing O_NOFOLLOW flag.
 **Learning:** Using `open()` with `O_CREAT` but without `O_NOFOLLOW` and `O_EXCL` allows an attacker to conduct a TOCTOU symlink attack to truncate or overwrite unintended target files.
 **Prevention:** Always combine `O_CREAT` with `O_NOFOLLOW` when creating files, and prefer explicit octal permissions like `0o600` over bitmasks.
+
+## 2024-06-20 - Unsafe Path Bridging in StatusSocket
+**Vulnerability:** Calling `open(2)` with raw Swift `String` paths in `StatusSocket.swift` creates an unsafe filesystem representation.
+**Learning:** Passing Swift `String` paths implicitly to C functions can result in memory issues or incorrect path resolution if the string is not null-terminated or is moved in memory.
+**Prevention:** Always use `URL(fileURLWithPath:).withUnsafeFileSystemRepresentation` to obtain the correct C-string pointer when bridging file paths to POSIX APIs.
diff --git a/Sources/Cacheout/Headless/StatusSocket.swift b/Sources/Cacheout/Headless/StatusSocket.swift
@@ -111,7 +111,10 @@ public final class StatusSocket: @unchecked Sendable {
         try FileManager.default.createDirectory(atPath: dir, withIntermediateDirectories: true, attributes: [
             .posixPermissions: 0o700
         ])
-        let dirFd = open(dir, O_RDONLY | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC)
+        let dirFd = URL(fileURLWithPath: dir).withUnsafeFileSystemRepresentation { pathPtr -> Int32 in
+            guard let pathPtr = pathPtr else { return -1 }
+            return open(pathPtr, O_RDONLY | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC)
+        }
         guard dirFd >= 0 else {
             throw StatusSocketError.directoryHardeningFailed(errno)
         }
@@ -497,7 +500,10 @@ public final class StatusSocket: @unchecked Sendable {
         // component is rejected up front and we hold a stable fd for the rest
         // of the checks — no path resolution happens between type/size check
         // and read, closing the lstat → open TOCTOU window.
-        let fileFd = open(expandedPath, O_RDONLY | O_NOFOLLOW | O_CLOEXEC)
+        let fileFd = URL(fileURLWithPath: expandedPath).withUnsafeFileSystemRepresentation { pathPtr -> Int32 in
+            guard let pathPtr = pathPtr else { return -1 }
+            return open(pathPtr, O_RDONLY | O_NOFOLLOW | O_CLOEXEC)
+        }
         guard fileFd >= 0 else {
             let err = errno
             let reason = err == ELOOP ? "Refusing to follow symlink: \(expandedPath)"
