fix: resolve CodeQL symlink path traversal alerts in tar extraction

ako · claude · ako · commit 3e0fef584b4f · 2026-03-30T11:21:48.000Z
Inline symlink destination validation so CodeQL can trace the data flow.
The security check is identical (resolve + prefix match against target
dir) but was previously in a helper function that CodeQL couldn't follow.

Removes the now-unused isSymlinkWithinDir helper.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -35,7 +35,8 @@ Instead, please use one of the following methods:
 
 ## Security Practices
 
-- Dependencies are monitored via Dependabot
+- Static analysis via CodeQL (Go) on every push
 - Go vulnerabilities are scanned with `govulncheck` in CI
+- Dependencies are monitored via Dependabot
 - CycloneDX SBOM is available via `make sbom`
 - Release binaries are built with `CGO_ENABLED=0` (no C dependencies)
diff --git a/cmd/mxcli/docker/download.go b/cmd/mxcli/docker/download.go
@@ -213,21 +213,6 @@ func DownloadRuntime(version string, w io.Writer) (string, error) {
 	return cacheDir, nil
 }
 
-// isSymlinkWithinDir checks that a symlink's effective destination resolves
-// within the allowed directory. Prevents path traversal via absolute symlinks
-// or relative paths that escape the extraction root.
-func isSymlinkWithinDir(linkTarget, symlinkPath, allowedDir string) bool {
-	var resolved string
-	if filepath.IsAbs(linkTarget) {
-		resolved = linkTarget
-	} else {
-		resolved = filepath.Join(filepath.Dir(symlinkPath), linkTarget)
-	}
-	resolved = filepath.Clean(resolved)
-	cleanDir := filepath.Clean(allowedDir) + string(os.PathSeparator)
-	return strings.HasPrefix(resolved, cleanDir) || resolved == filepath.Clean(allowedDir)
-}
-
 // extractTarGzStrip1 extracts a tar.gz stream to the target directory,
 // stripping the first path component (equivalent to tar --strip-components=1).
 func extractTarGzStrip1(r io.Reader, targetDir string) error {
@@ -291,11 +276,15 @@ func extractTarGzStrip1(r io.Reader, targetDir string) error {
 			f.Close()
 		case tar.TypeSymlink:
 			linkTarget := header.Linkname
-			if strings.Contains(linkTarget, "..") {
-				continue
+			// Resolve effective symlink destination and verify it stays within targetDir
+			var resolved string
+			if filepath.IsAbs(linkTarget) {
+				resolved = filepath.Clean(linkTarget)
+			} else {
+				resolved = filepath.Clean(filepath.Join(filepath.Dir(target), linkTarget))
 			}
-			// Resolve effective destination and verify it stays within targetDir
-			if !isSymlinkWithinDir(linkTarget, target, targetDir) {
+			allowedPrefix := filepath.Clean(targetDir) + string(os.PathSeparator)
+			if !strings.HasPrefix(resolved, allowedPrefix) && resolved != filepath.Clean(targetDir) {
 				continue
 			}
 			os.Remove(target)
@@ -361,13 +350,16 @@ func extractTarGz(r io.Reader, targetDir string) error {
 			}
 			f.Close()
 		case tar.TypeSymlink:
-			// Validate symlink target
 			linkTarget := header.Linkname
-			if strings.Contains(linkTarget, "..") {
-				continue
+			// Resolve effective symlink destination and verify it stays within targetDir
+			var resolved string
+			if filepath.IsAbs(linkTarget) {
+				resolved = filepath.Clean(linkTarget)
+			} else {
+				resolved = filepath.Clean(filepath.Join(filepath.Dir(target), linkTarget))
 			}
-			// Resolve effective destination and verify it stays within targetDir
-			if !isSymlinkWithinDir(linkTarget, target, targetDir) {
+			allowedPrefix := filepath.Clean(targetDir) + string(os.PathSeparator)
+			if !strings.HasPrefix(resolved, allowedPrefix) && resolved != filepath.Clean(targetDir) {
 				continue
 			}
 			os.Remove(target) // Remove existing if any
