fix(backend): canonicalize symlink target before installs check#7671
Merged
fix(backend): canonicalize symlink target before installs check#7671
Conversation
Fixes an issue where symlinks with ".." components could bypass the installs directory check. A relative symlink like "../../http-tarballs/xxx" would produce a path that starts with the installs directory but actually resolves outside it after ".." components are evaluated. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes a security vulnerability in the symlink validation logic where relative symlinks containing .. components could bypass the installs directory check. The fix canonicalizes the symlink target path to resolve any directory traversal sequences before validating it stays within the allowed directory.
Changes:
- Added canonicalization of symlink targets to resolve
..components before directory boundary validation - Implemented fallback to original path if canonicalization fails
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
src/backend/mod.rs
Outdated
Comment on lines
557
to
559
| let target = target.canonicalize().unwrap_or(target); | ||
| if target.starts_with(*dirs::INSTALLS) { | ||
| return Some(path); |
There was a problem hiding this comment.
The canonicalize() call requires the path to exist on the filesystem, which may not be the case for all symlinks (e.g., broken symlinks or symlinks created during setup before their targets exist). When canonicalization fails for a non-existent but potentially malicious path, the fallback to the original target reintroduces the vulnerability this PR aims to fix. Consider using std::path::absolute() or manually resolving .. components with components() and push()/pop() to handle path normalization without requiring filesystem access.
Suggested change
| let target = target.canonicalize().unwrap_or(target); | |
| if target.starts_with(*dirs::INSTALLS) { | |
| return Some(path); | |
| if let Ok(target) = target.canonicalize() { | |
| if target.starts_with(*dirs::INSTALLS) { | |
| return Some(path); | |
| } |
src/backend/mod.rs
Outdated
| path.parent().unwrap_or(&path).join(&target) | ||
| }; | ||
| // Canonicalize to resolve any ".." components before checking | ||
| let target = target.canonicalize().unwrap_or(target); |
There was a problem hiding this comment.
Asymmetric canonicalization breaks symlink comparison for legitimate paths
Low Severity
Canonicalizing target while comparing against a non-canonicalized dirs::INSTALLS creates an asymmetric comparison. If the mise data directory path contains symlinks (e.g., ~/.local being a symlink), canonicalize() resolves all symlinks in target, producing a path that won't match the non-canonicalized dirs::INSTALLS. This causes legitimate user aliases inside installs to be incorrectly identified as outside, preventing them from being skipped during outdated version checks.
Hyperfine Performance
|
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.1.2 x -- echo |
20.2 ± 0.5 | 19.0 | 23.6 | 1.00 |
mise x -- echo |
20.7 ± 0.5 | 19.7 | 25.8 | 1.03 ± 0.04 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.1.2 env |
19.7 ± 0.8 | 18.4 | 27.0 | 1.00 |
mise env |
20.1 ± 0.6 | 18.4 | 26.2 | 1.02 ± 0.05 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.1.2 hook-env |
20.0 ± 0.4 | 18.7 | 21.7 | 1.00 |
mise hook-env |
21.0 ± 0.6 | 19.6 | 24.8 | 1.05 ± 0.04 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.1.2 ls |
18.3 ± 0.6 | 17.2 | 25.8 | 1.00 |
mise ls |
18.9 ± 0.6 | 17.7 | 23.3 | 1.04 ± 0.05 |
xtasks/test/perf
| Command | mise-2026.1.2 | mise | Variance |
|---|---|---|---|
| install (cached) | 112ms | 113ms | +0% |
| ls (cached) | 68ms | 68ms | +0% |
| bin-paths (cached) | 71ms | 72ms | -1% |
| task-ls (cached) | 286ms | 288ms | +0% |
…nicalization Address PR review feedback on d32e4b2: 1. Non-existent symlink targets (medium severity): When canonicalize() fails because the target doesn't exist, return None instead of falling back to the uncanonicalized path. This prevents path traversal bypass with symlinks like "../../outside/nonexistent". 2. Asymmetric comparison (low severity): Canonicalize dirs::INSTALLS before comparison so both sides are consistently resolved. This fixes false negatives when the mise data directory contains symlinks (e.g., ~/.local being a symlink). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
jdx
pushed a commit
that referenced
this pull request
Jan 16, 2026
### 🚀 Features - **(s3)** add S3 backend for private artifact storage by @jdx in [#7668](#7668) - **(upgrade)** use installed_tool completer for mise upgrade by @jdx in [#7670](#7670) - **(upgrade)** add --exclude flag to mise upgrade command by @jdx in [#7669](#7669) - add no hooks and no env flags by @aacebedo in [#7560](#7560) ### 🐛 Bug Fixes - **(backend)** allow upgrading vfox backend tools with symlinked installations by @TyceHerrman in [#7012](#7012) - **(backend)** reject architecture mismatches in asset selection by @jdx in [#7672](#7672) - **(backend)** canonicalize symlink target before installs check by @jdx in [#7671](#7671) - **(self-update)** skip update when already at latest version by @jdx in [#7666](#7666) - fall back to GITHUB_TOKEN for github.com by @subdigital in [#7667](#7667) - GitHub token fallback by @subdigital in [#7673](#7673) - inherit tasks from parent configs in monorepos by @chadxz in [#7643](#7643) ### 📚 Documentation - **(contributing)** update registry examples by @scop in [#7660](#7660) - **(contributing)** update registry PR title rule by @scop in [#7663](#7663) - remove 404 link from contributing by @opswole in [#7692](#7692) ### 📦️ Dependency Updates - update ghcr.io/jdx/mise:alpine docker digest to 11f659e by @renovate[bot] in [#7685](#7685) - update ghcr.io/jdx/mise:copr docker digest to 3adaea4 by @renovate[bot] in [#7686](#7686) - update ghcr.io/jdx/mise:deb docker digest to 8bbca53 by @renovate[bot] in [#7687](#7687) - update ghcr.io/jdx/mise:rpm docker digest to de81415 by @renovate[bot] in [#7688](#7688) - update mcr.microsoft.com/devcontainers/rust:1 docker digest to 282e805 by @renovate[bot] in [#7690](#7690) - update rust docker digest to bed2d7f by @renovate[bot] in [#7691](#7691) ### 📦 Registry - add oh-my-posh by @scop in [#7659](#7659) - add bibtex-tidy (npm:bibtex-tidy) by @3w36zj6 in [#7677](#7677) - remove misconfigured bin_path option from kscript by @risu729 in [#7693](#7693) ### New Contributors - @opswole made their first contribution in [#7692](#7692) - @subdigital made their first contribution in [#7673](#7673) - @aacebedo made their first contribution in [#7560](#7560) ## 📦 Aqua Registry Updates #### New Packages (5) - [`BeaconBay/ck`](https://github.com/BeaconBay/ck) - [`d-kuro/gwq`](https://github.com/d-kuro/gwq) - [`kubernetes/cloud-provider-gcp/gke-gcloud-auth-plugin`](https://github.com/kubernetes/cloud-provider-gcp/gke-gcloud-auth-plugin) - [`smithy-lang/smithy`](https://github.com/smithy-lang/smithy) - [`tassiovirginio/try-rs`](https://github.com/tassiovirginio/try-rs) #### Updated Packages (1) - [`dprint/dprint`](https://github.com/dprint/dprint)
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Jan 22, 2026
## [2026.1.5](https://github.com/jdx/mise/compare/v2026.1.4..v2026.1.5) - 2026-01-19 ### 🚀 Features - **(complete)** add PowerShell completion support by @jdx in [#7746](jdx/mise#7746) - **(release)** add LLM-generated prose summary to release notes by @jdx in [#7737](jdx/mise#7737) - **(vfox)** add semver Lua module for version sorting by @jdx in [#7739](jdx/mise#7739) - **(vfox)** add rolling release support with checksum tracking by @jdx in [#7757](jdx/mise#7757) - dry filetask parsing and validation by @makp0 in [#7738](jdx/mise#7738) ### 🐛 Bug Fixes - **(completions)** bump usage-cli to 2.13.1 for PowerShell support by @jdx in [#7756](jdx/mise#7756) - schema missing env required string variant by @vadimpiven in [#7734](jdx/mise#7734) - validate unknown fields in filetask headers by @makp0 in [#7733](jdx/mise#7733) - disable schemacrawler test by @jdx in [#7743](jdx/mise#7743) - replace double forward slash with single slash in get_task_lists by @collinstevens in [#7744](jdx/mise#7744) - require LLM for release notes and include aqua section by @jdx in [#7745](jdx/mise#7745) - preserve {{ version }} in tool options during config load by @jdx in [#7755](jdx/mise#7755) ### 📚 Documentation - add documentation URL structure guidance to CLAUDE.md by @jdx in [#7740](jdx/mise#7740) - add pitchfork promotion by @jdx in [#7747](jdx/mise#7747) ### 📦️ Dependency Updates - relax version constraints and update dependencies by @jdx in [#7736](jdx/mise#7736) - lock file maintenance by @renovate[bot] in [#7749](jdx/mise#7749) ### Chore - bump xx to 2.3.1 by @jdx in [#7753](jdx/mise#7753) ### New Contributors - @collinstevens made their first contribution in [#7744](jdx/mise#7744) - @makp0 made their first contribution in [#7738](jdx/mise#7738) - @vadimpiven made their first contribution in [#7734](jdx/mise#7734) ## [2026.1.4](https://github.com/jdx/mise/compare/v2026.1.3..v2026.1.4) - 2026-01-17 ### 🚀 Features - **(conda)** add dependency locking for reproducible installations by @jdx in [#7708](jdx/mise#7708) - **(http)** add JSON filter syntax for version extraction by @jdx in [#7707](jdx/mise#7707) - **(http)** add version_expr support and Tera templating by @jdx in [#7723](jdx/mise#7723) - **(task)** add [monorepo].config_roots for explicit config root listing by @jdx in [#7705](jdx/mise#7705) - **(task)** support env vars in task dependencies by @jdx in [#7724](jdx/mise#7724) ### 🐛 Bug Fixes - **(conda)** fix hardcoded library paths in conda packages by @jdx in [#7713](jdx/mise#7713) - **(env)** avoid venv/go backend deadlock during env resolution by @stk0vrfl0w in [#7696](jdx/mise#7696) - **(locked)** exempt tool stubs from lockfile requirements by @jdx in [#7729](jdx/mise#7729) - **(python)** sort CPython versions at end of ls-remote output by @jdx in [#7721](jdx/mise#7721) - **(task)** resolve remote task files before display and validation commands by @yannrouillard in [#7681](jdx/mise#7681) - **(task)** support monorepo paths in `mise tasks deps` by @chadxz in [#7699](jdx/mise#7699) - **(task)** resolve all monorepo path hints in deps by @chadxz in [#7698](jdx/mise#7698) ### 📚 Documentation - remove outdated roadmap page by @jdx in [#7726](jdx/mise#7726) ### ⚡ Performance - **(task)** fix task-ls cached performance regression by @jdx in [#7716](jdx/mise#7716) ### 📦️ Dependency Updates - replace dependency @tsconfig/node22 with @tsconfig/node24 by @renovate[bot] in [#7618](jdx/mise#7618) ### 📦 Registry - add aqua backend for smithy by @jdx in [#7661](jdx/mise#7661) - remove low-usage asdf plugins by @jdx in [#7701](jdx/mise#7701) - disable mirrord test by @jdx in [#7703](jdx/mise#7703) - use vfox-dotnet as default backend by @jdx in [#7704](jdx/mise#7704) - use vfox-lua as default lua backend by @jdx in [#7706](jdx/mise#7706) - add vfox backend for redis by @jdx in [#7709](jdx/mise#7709) - use vfox-postgres as default postgres backend by @jdx in [#7710](jdx/mise#7710) - use github backend for kotlin by @jdx in [#7711](jdx/mise#7711) - add vfox backend for leiningen by @jdx in [#7714](jdx/mise#7714) - use pipx backend for meson by @jdx in [#7712](jdx/mise#7712) - use github backend for crystal by @jdx in [#7715](jdx/mise#7715) - use conda backend for sqlite by @jdx in [#7718](jdx/mise#7718) - use conda backend for make by @jdx in [#7719](jdx/mise#7719) - swift-package-list use github backend by @jdx in [#7720](jdx/mise#7720) ### Chore - increase macos release build timeout to 90 minutes by @jdx in [#7725](jdx/mise#7725) ### New Contributors - @yannrouillard made their first contribution in [#7681](jdx/mise#7681) - @stk0vrfl0w made their first contribution in [#7696](jdx/mise#7696) ## [2026.1.3](https://github.com/jdx/mise/compare/v2026.1.2..v2026.1.3) - 2026-01-16 ### 🚀 Features - **(s3)** add S3 backend for private artifact storage by @jdx in [#7668](jdx/mise#7668) - **(upgrade)** use installed_tool completer for mise upgrade by @jdx in [#7670](jdx/mise#7670) - **(upgrade)** add --exclude flag to mise upgrade command by @jdx in [#7669](jdx/mise#7669) - add no hooks and no env flags by @aacebedo in [#7560](jdx/mise#7560) ### 🐛 Bug Fixes - **(backend)** allow upgrading vfox backend tools with symlinked installations by @TyceHerrman in [#7012](jdx/mise#7012) - **(backend)** reject architecture mismatches in asset selection by @jdx in [#7672](jdx/mise#7672) - **(backend)** canonicalize symlink target before installs check by @jdx in [#7671](jdx/mise#7671) - **(npm)** avoid circular dependency when npm is in dependencies by @AprilNEA in [#7644](jdx/mise#7644) - **(self-update)** skip update when already at latest version by @jdx in [#7666](jdx/mise#7666) - fall back to GITHUB_TOKEN for github.com by @subdigital in [#7667](jdx/mise#7667) - GitHub token fallback by @subdigital in [#7673](jdx/mise#7673) - inherit tasks from parent configs in monorepos by @chadxz in [#7643](jdx/mise#7643) ### 📚 Documentation - **(contributing)** update registry examples by @scop in [#7660](jdx/mise#7660) - **(contributing)** update registry PR title rule by @scop in [#7663](jdx/mise#7663) - remove 404 link from contributing by @opswole in [#7692](jdx/mise#7692) - clarify that backend plugins should sort the version list by @ofalvai in [#7680](jdx/mise#7680) ### 📦️ Dependency Updates - update ghcr.io/jdx/mise:alpine docker digest to 11f659e by @renovate[bot] in [#7685](jdx/mise#7685) - update ghcr.io/jdx/mise:copr docker digest to 3adaea4 by @renovate[bot] in [#7686](jdx/mise#7686) - update ghcr.io/jdx/mise:deb docker digest to 8bbca53 by @renovate[bot] in [#7687](jdx/mise#7687) - update ghcr.io/jdx/mise:rpm docker digest to de81415 by @renovate[bot] in [#7688](jdx/mise#7688) - update mcr.microsoft.com/devcontainers/rust:1 docker digest to 282e805 by @renovate[bot] in [#7690](jdx/mise#7690) - update rust docker digest to bed2d7f by @renovate[bot] in [#7691](jdx/mise#7691) ### 📦 Registry - add oh-my-posh by @scop in [#7659](jdx/mise#7659) - add bibtex-tidy (npm:bibtex-tidy) by @3w36zj6 in [#7677](jdx/mise#7677) - remove misconfigured bin_path option from kscript by @risu729 in [#7693](jdx/mise#7693) ### New Contributors - @AprilNEA made their first contribution in [#7644](jdx/mise#7644) - @opswole made their first contribution in [#7692](jdx/mise#7692) - @subdigital made their first contribution in [#7673](jdx/mise#7673) - @aacebedo made their first contribution in [#7560](jdx/mise#7560)
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Jan 25, 2026
## [2026.1.5](https://github.com/jdx/mise/compare/v2026.1.4..v2026.1.5) - 2026-01-19 ### 🚀 Features - **(complete)** add PowerShell completion support by @jdx in [#7746](jdx/mise#7746) - **(release)** add LLM-generated prose summary to release notes by @jdx in [#7737](jdx/mise#7737) - **(vfox)** add semver Lua module for version sorting by @jdx in [#7739](jdx/mise#7739) - **(vfox)** add rolling release support with checksum tracking by @jdx in [#7757](jdx/mise#7757) - dry filetask parsing and validation by @makp0 in [#7738](jdx/mise#7738) ### 🐛 Bug Fixes - **(completions)** bump usage-cli to 2.13.1 for PowerShell support by @jdx in [#7756](jdx/mise#7756) - schema missing env required string variant by @vadimpiven in [#7734](jdx/mise#7734) - validate unknown fields in filetask headers by @makp0 in [#7733](jdx/mise#7733) - disable schemacrawler test by @jdx in [#7743](jdx/mise#7743) - replace double forward slash with single slash in get_task_lists by @collinstevens in [#7744](jdx/mise#7744) - require LLM for release notes and include aqua section by @jdx in [#7745](jdx/mise#7745) - preserve {{ version }} in tool options during config load by @jdx in [#7755](jdx/mise#7755) ### 📚 Documentation - add documentation URL structure guidance to CLAUDE.md by @jdx in [#7740](jdx/mise#7740) - add pitchfork promotion by @jdx in [#7747](jdx/mise#7747) ### 📦️ Dependency Updates - relax version constraints and update dependencies by @jdx in [#7736](jdx/mise#7736) - lock file maintenance by @renovate[bot] in [#7749](jdx/mise#7749) ### Chore - bump xx to 2.3.1 by @jdx in [#7753](jdx/mise#7753) ### New Contributors - @collinstevens made their first contribution in [#7744](jdx/mise#7744) - @makp0 made their first contribution in [#7738](jdx/mise#7738) - @vadimpiven made their first contribution in [#7734](jdx/mise#7734) ## [2026.1.4](https://github.com/jdx/mise/compare/v2026.1.3..v2026.1.4) - 2026-01-17 ### 🚀 Features - **(conda)** add dependency locking for reproducible installations by @jdx in [#7708](jdx/mise#7708) - **(http)** add JSON filter syntax for version extraction by @jdx in [#7707](jdx/mise#7707) - **(http)** add version_expr support and Tera templating by @jdx in [#7723](jdx/mise#7723) - **(task)** add [monorepo].config_roots for explicit config root listing by @jdx in [#7705](jdx/mise#7705) - **(task)** support env vars in task dependencies by @jdx in [#7724](jdx/mise#7724) ### 🐛 Bug Fixes - **(conda)** fix hardcoded library paths in conda packages by @jdx in [#7713](jdx/mise#7713) - **(env)** avoid venv/go backend deadlock during env resolution by @stk0vrfl0w in [#7696](jdx/mise#7696) - **(locked)** exempt tool stubs from lockfile requirements by @jdx in [#7729](jdx/mise#7729) - **(python)** sort CPython versions at end of ls-remote output by @jdx in [#7721](jdx/mise#7721) - **(task)** resolve remote task files before display and validation commands by @yannrouillard in [#7681](jdx/mise#7681) - **(task)** support monorepo paths in `mise tasks deps` by @chadxz in [#7699](jdx/mise#7699) - **(task)** resolve all monorepo path hints in deps by @chadxz in [#7698](jdx/mise#7698) ### 📚 Documentation - remove outdated roadmap page by @jdx in [#7726](jdx/mise#7726) ### ⚡ Performance - **(task)** fix task-ls cached performance regression by @jdx in [#7716](jdx/mise#7716) ### 📦️ Dependency Updates - replace dependency @tsconfig/node22 with @tsconfig/node24 by @renovate[bot] in [#7618](jdx/mise#7618) ### 📦 Registry - add aqua backend for smithy by @jdx in [#7661](jdx/mise#7661) - remove low-usage asdf plugins by @jdx in [#7701](jdx/mise#7701) - disable mirrord test by @jdx in [#7703](jdx/mise#7703) - use vfox-dotnet as default backend by @jdx in [#7704](jdx/mise#7704) - use vfox-lua as default lua backend by @jdx in [#7706](jdx/mise#7706) - add vfox backend for redis by @jdx in [#7709](jdx/mise#7709) - use vfox-postgres as default postgres backend by @jdx in [#7710](jdx/mise#7710) - use github backend for kotlin by @jdx in [#7711](jdx/mise#7711) - add vfox backend for leiningen by @jdx in [#7714](jdx/mise#7714) - use pipx backend for meson by @jdx in [#7712](jdx/mise#7712) - use github backend for crystal by @jdx in [#7715](jdx/mise#7715) - use conda backend for sqlite by @jdx in [#7718](jdx/mise#7718) - use conda backend for make by @jdx in [#7719](jdx/mise#7719) - swift-package-list use github backend by @jdx in [#7720](jdx/mise#7720) ### Chore - increase macos release build timeout to 90 minutes by @jdx in [#7725](jdx/mise#7725) ### New Contributors - @yannrouillard made their first contribution in [#7681](jdx/mise#7681) - @stk0vrfl0w made their first contribution in [#7696](jdx/mise#7696) ## [2026.1.3](https://github.com/jdx/mise/compare/v2026.1.2..v2026.1.3) - 2026-01-16 ### 🚀 Features - **(s3)** add S3 backend for private artifact storage by @jdx in [#7668](jdx/mise#7668) - **(upgrade)** use installed_tool completer for mise upgrade by @jdx in [#7670](jdx/mise#7670) - **(upgrade)** add --exclude flag to mise upgrade command by @jdx in [#7669](jdx/mise#7669) - add no hooks and no env flags by @aacebedo in [#7560](jdx/mise#7560) ### 🐛 Bug Fixes - **(backend)** allow upgrading vfox backend tools with symlinked installations by @TyceHerrman in [#7012](jdx/mise#7012) - **(backend)** reject architecture mismatches in asset selection by @jdx in [#7672](jdx/mise#7672) - **(backend)** canonicalize symlink target before installs check by @jdx in [#7671](jdx/mise#7671) - **(npm)** avoid circular dependency when npm is in dependencies by @AprilNEA in [#7644](jdx/mise#7644) - **(self-update)** skip update when already at latest version by @jdx in [#7666](jdx/mise#7666) - fall back to GITHUB_TOKEN for github.com by @subdigital in [#7667](jdx/mise#7667) - GitHub token fallback by @subdigital in [#7673](jdx/mise#7673) - inherit tasks from parent configs in monorepos by @chadxz in [#7643](jdx/mise#7643) ### 📚 Documentation - **(contributing)** update registry examples by @scop in [#7660](jdx/mise#7660) - **(contributing)** update registry PR title rule by @scop in [#7663](jdx/mise#7663) - remove 404 link from contributing by @opswole in [#7692](jdx/mise#7692) - clarify that backend plugins should sort the version list by @ofalvai in [#7680](jdx/mise#7680) ### 📦️ Dependency Updates - update ghcr.io/jdx/mise:alpine docker digest to 11f659e by @renovate[bot] in [#7685](jdx/mise#7685) - update ghcr.io/jdx/mise:copr docker digest to 3adaea4 by @renovate[bot] in [#7686](jdx/mise#7686) - update ghcr.io/jdx/mise:deb docker digest to 8bbca53 by @renovate[bot] in [#7687](jdx/mise#7687) - update ghcr.io/jdx/mise:rpm docker digest to de81415 by @renovate[bot] in [#7688](jdx/mise#7688) - update mcr.microsoft.com/devcontainers/rust:1 docker digest to 282e805 by @renovate[bot] in [#7690](jdx/mise#7690) - update rust docker digest to bed2d7f by @renovate[bot] in [#7691](jdx/mise#7691) ### 📦 Registry - add oh-my-posh by @scop in [#7659](jdx/mise#7659) - add bibtex-tidy (npm:bibtex-tidy) by @3w36zj6 in [#7677](jdx/mise#7677) - remove misconfigured bin_path option from kscript by @risu729 in [#7693](jdx/mise#7693) ### New Contributors - @AprilNEA made their first contribution in [#7644](jdx/mise#7644) - @opswole made their first contribution in [#7692](jdx/mise#7692) - @subdigital made their first contribution in [#7673](jdx/mise#7673) - @aacebedo made their first contribution in [#7560](jdx/mise#7560)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #7012 - addresses an issue flagged by Cursor Bugbot.
The
symlink_pathfunction joins relative symlink targets with the parent directory but didn't canonicalize the result before checkingstarts_with(*dirs::INSTALLS). A relative symlink containing..components (e.g.,../../http-tarballs/xxx) would produce a path like/path/to/installs/tool/../../http-tarballs/xxxthat passes thestarts_withcheck despite the actual resolved path being outside the installs directory.Changes
canonicalize()call to resolve..components before thestarts_withcheck🤖 Generated with Claude Code
Note
Enhances symlink detection in
symlink_pathto avoid misclassifying user-created aliases as backend-managed installs.starts_withto handle..componentsdirs::INSTALLSfor consistent comparison (supports symlinked data dirs)Written by Cursor Bugbot for commit a567b79. This will update automatically on new commits. Configure here.