fix(security): resolve open code-scanning alerts (archive extraction, command injection, untrusted checkout, integer bounds)#3718
Merged
Conversation
added 3 commits
June 9, 2026 07:49
fix(codegraph): resolve symlinks when extracting third-party bundle The lexical tar/zip-slip guard missed the symlink-redirect escape: an in-bounds symlink extracted as a parent component lets a later entry be written through it to land outside the cache dir. Resolve the real parent with EvalSymlinks before validating, and judge a symlink target from its resolved location. Closes the go/unsafe-unzip-symlink + go/zipslip alerts. @
ci(e2e-bot): gate untrusted PR-head run behind an environment Running PR-head code with the provider secret was guarded only by the author_association check. Add an `e2e-bot` deployment environment (configure required reviewers to force per-run approval) and pin the checkout to the head commit resolved at trigger time, detached, so a mid-run force-push cannot swap in different code. Addresses actions/untrusted-checkout-toctou. @
fix: bound integer conversions flagged by code scanning parseHexColor parses single bytes; parse them as 8-bit unsigned and return int so the per-channel value is provably in range, dropping the int64->int conversions at the call sites. Clamp the Myers maxD against a negative n+m overflow too, so make() can never see a wrapped size. @
SuMuxi66
pushed a commit
to SuMuxi66/DeepSeek-Reasonix
that referenced
this pull request
Jun 10, 2026
… command injection, untrusted checkout, integer bounds) (esengine#3718) * @ fix(codegraph): resolve symlinks when extracting third-party bundle The lexical tar/zip-slip guard missed the symlink-redirect escape: an in-bounds symlink extracted as a parent component lets a later entry be written through it to land outside the cache dir. Resolve the real parent with EvalSymlinks before validating, and judge a symlink target from its resolved location. Closes the go/unsafe-unzip-symlink + go/zipslip alerts. @ * @ fix(scripts): run gh without a shell in backfill-issue-labels execSync built a shell command string from interpolated values; switch to execFileSync with an argv array so label and issue arguments can never be parsed as shell. Closes the js/command-line-injection alert. @ * @ ci(e2e-bot): gate untrusted PR-head run behind an environment Running PR-head code with the provider secret was guarded only by the author_association check. Add an `e2e-bot` deployment environment (configure required reviewers to force per-run approval) and pin the checkout to the head commit resolved at trigger time, detached, so a mid-run force-push cannot swap in different code. Addresses actions/untrusted-checkout-toctou. @ * @ fix: bound integer conversions flagged by code scanning parseHexColor parses single bytes; parse them as 8-bit unsigned and return int so the per-channel value is provably in range, dropping the int64->int conversions at the call sites. Clamp the Myers maxD against a negative n+m overflow too, so make() can never see a wrapped size. @ --------- Co-authored-by: reasonix <reasonix@deepseek.com>
dorokuma
pushed a commit
to dorokuma/DeepSeek-Reasonix
that referenced
this pull request
Jun 10, 2026
… command injection, untrusted checkout, integer bounds) (esengine#3718) * @ fix(codegraph): resolve symlinks when extracting third-party bundle The lexical tar/zip-slip guard missed the symlink-redirect escape: an in-bounds symlink extracted as a parent component lets a later entry be written through it to land outside the cache dir. Resolve the real parent with EvalSymlinks before validating, and judge a symlink target from its resolved location. Closes the go/unsafe-unzip-symlink + go/zipslip alerts. @ * @ fix(scripts): run gh without a shell in backfill-issue-labels execSync built a shell command string from interpolated values; switch to execFileSync with an argv array so label and issue arguments can never be parsed as shell. Closes the js/command-line-injection alert. @ * @ ci(e2e-bot): gate untrusted PR-head run behind an environment Running PR-head code with the provider secret was guarded only by the author_association check. Add an `e2e-bot` deployment environment (configure required reviewers to force per-run approval) and pin the checkout to the head commit resolved at trigger time, detached, so a mid-run force-push cannot swap in different code. Addresses actions/untrusted-checkout-toctou. @ * @ fix: bound integer conversions flagged by code scanning parseHexColor parses single bytes; parse them as 8-bit unsigned and return int so the per-channel value is provably in range, dropping the int64->int conversions at the call sites. Clamp the Myers maxD against a negative n+m overflow too, so make() can never see a wrapped size. @ --------- Co-authored-by: reasonix <reasonix@deepseek.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses the open CodeQL code-scanning alerts on
main-v2. The error-level alerts are three real attack surfaces; the remaining error-level open alerts are local-CLI-by-design false positives (the bash tool,@-file references, slugified memory names, internal session/checkpoint paths) and are dismissed separately rather than wrapped in defensive checks that would contradict our "trust non-boundary code" rule.Archive extraction —
internal/codegraph/install.go(go/zipslip,go/unsafe-unzip-symlink)The bundle is downloaded from a pinned third-party release, so extraction is a genuine boundary. The lexical
../guard already blocked plain tar-slip, but missed the symlink-redirect variant: an in-bounds symlink extracted as a parent component lets a later entry be written through it to land outside the cache dir. Now the real parent is resolved withEvalSymlinksbefore validating, and a symlink target is judged from its resolved location. New regression testTestExtractRejectsSymlinkRedirectEscapeconstructs the exact two-link escape and proves it is refused; legitimate in-bundle symlinks still extract.Command injection —
scripts/backfill-issue-labels.mjs(js/command-line-injection)execSyncbuilt agh ...shell string from interpolated values. Switched toexecFileSync('gh', [argv])so no argument can be reparsed by a shell.Untrusted checkout —
.github/workflows/e2e-bot.yml(actions/untrusted-checkout-toctou)Running PR-head code with the provider secret was gated only by
author_association. Added ane2e-botdeployment environment (configure required reviewers in repo settings to force per-run human approval) and pinned the checkout to the head commit resolved at trigger time, detached, so a mid-run force-push can't swap in different code.Integer-bound warnings —
internal/cli/theme.go,internal/diff/diff.goparseHexColorparses single bytes; parse them as 8-bit unsigned and returnint, dropping theint64→intconversions at the call sites (go/incorrect-integer-conversion). Clamp the MyersmaxDagainst a negativen+moverflow as well, somake()can never receive a wrapped size (go/allocation-size-overflow).Verified:
go build ./...,go test ./internal/{codegraph,cli,diff}/,gofmt,node --check, and YAML parse all pass.