
fix(security): allow symlink creation, check path escape only during …#381

Merged
max-lvs merged 1 commit into linuxdeepin:release/eagle from LiHua000:release/eagle
Apr 11, 2026

@LiHua000
Contributor

…file writes

  • Remove strict validation during symlink creation to allow legitimate symlinks to system paths
  • Keep path validation during file writes using canonicalFilePath() to resolve symbolic links
  • Remove symlinkTargetIsWithinTarget function to simplify security check logic
  • Fix over-blocking issue while preventing Zip Slip attacks

Before fix: lib.so -> /usr/lib/xxx was incorrectly rejected
After fix: Symlink creation succeeds, writing to system files via symlinks is blocked

Bug:https://pms.uniontech.com/bug-view-356233.html
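
The policy described in the PR description above, as an added example that is not code from this PR or from the project: symlink entries are created without validating their target, and a file entry is written only if its destination, with symlinks resolved, stays inside the extraction root. `std::filesystem` stands in for the `canonicalFilePath()` call the description names; `Entry`, `inside` and `extract` are hypothetical names, and refusing a write through a dangling link is a choice made in this example.

```cpp
// Added example: std::filesystem stands in for canonicalFilePath(); Entry/inside/extract are hypothetical.
#include <filesystem>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>
namespace fs = std::filesystem;
struct Entry { std::string name; bool isLink; std::string payload; };  // payload: link target or file data

// True when p stays under root (already canonical) once on-disk symlinks are resolved.
bool inside(const fs::path& root, const fs::path& p) {
    std::error_code ec;
    // A link as last component must resolve fully: a dangling one fails canonical() and is refused.
    const bool link = fs::is_symlink(fs::symlink_status(p, ec));
    const fs::path c = link ? fs::canonical(p, ec) : fs::weakly_canonical(p, ec);
    if (ec) return false;
    const fs::path rel = c.lexically_relative(root);
    return !rel.empty() && rel.begin()->native() != "..";
}

// Extracts entries under target and returns the names of the entries it refused.
std::vector<std::string> extract(const fs::path& target, const std::vector<Entry>& entries) {
    std::vector<std::string> refused;
    std::error_code ec;
    fs::create_directories(target, ec);
    const fs::path root = fs::canonical(target, ec);
    for (const Entry& e : entries) {
        const fs::path dest = root / e.name;
        if (ec) {
            refused.push_back(e.name);                    // no usable extraction root
        } else if (e.isLink && inside(root, dest.parent_path())) {
            std::error_code linkEc;                       // target is deliberately not validated
            fs::create_symlink(e.payload, dest, linkEc);
        } else if (!e.isLink && inside(root, dest)) {
            std::ofstream(dest, std::ios::binary) << e.payload;
        } else {
            refused.push_back(e.name);                    // link location or write escapes the root
        }
    }
    return refused;
}

int main() {
    const fs::path out = fs::temp_directory_path() / "symlink_write_demo";
    fs::remove_all(out);
    // Constructed sample archive: a link to a system path, then a file entry reusing the link's name.
    const std::vector<Entry> archive = {{"lib.so", true, "/usr/lib/xxx"}, {"lib.so", false, "payload"},
                                        {"../evil.txt", false, "payload"}, {"readme.txt", false, "hello"}};
    for (const std::string& name : extract(out, archive)) std::cout << "refused: " << name << "\n";
}
```
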


@sourcery-ai sourcery-ai bot left a comment

Sorry @LiHua000, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: LiHua000, max-lvs

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@LiHua000
Contributor Author

/merge

@max-lvs max-lvs merged commit ec33867 into linuxdeepin:release/eagle Apr 11, 2026
16 checks passed