Molecule AI Core-DevOps
5c741b3270
The pre-existing resolveInsideRoot (org_helpers.go) used only filepath.Abs, which does NOT resolve symlinks on Unix. A symlink planted inside the workspace that points outside (e.g. workspaces/dev/leaked → /etc) passed the lexical prefix check because /tmp/.../workspaces/dev/leaked lexically starts with /tmp/.../. Add filepath.EvalSymlinks after the lexical check: 1. Lexical check catches obvious .. escapes. 2. EvalSymlinks resolves symlinks; fails on broken symlinks. 3. Re-check the resolved path against absRoot — catches planted outbound symlinks (CWE-59). Broken symlinks are rejected because EvalSymlinks returns an error, which propagates as "symlink resolve failed". This matches the regression test added in this PR. Without this fix, TestResolveInsideRoot_RejectsSymlinkTraversal (the CWE-59 regression test added alongside) FAILS on any Unix system where /tmp is a real directory (symlink test returns nil instead of error), causing CI/Platform (Go) to fail and blocking the continue-on-error unmask needed for Phase 4. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| cmd | ||
| internal | ||
| migrations | ||
| pkg/provisionhook | ||
| .air.toml | ||
| .ci-force | ||
| .gitignore | ||
| .golangci.yaml | ||
| Dockerfile | ||
| Dockerfile.dev | ||
| Dockerfile.tenant | ||
| entrypoint-tenant.sh | ||
| go.mod | ||
| go.sum | ||