fix(security): replace /tmp fallback with sentinel path in containment guard

cursoragent · cursoragent · commit 3ecdbf26e78f · 2026-04-30T08:59:15.000Z
The _detect_safe_base_dir function was falling back to Path('/tmp') when
neither CLAUDE_PROJECT_DIR, CWD, nor a .git ancestor could be resolved.
Since SAFE_BASE_DIR is the containment floor for all write-path guards
via _is_relative_to, using /tmp effectively disabled containment as any
path under /tmp would pass validation.

Changed to return a non-existent sentinel path (/__nonexistent_containment_sentinel__)
that ensures all containment checks fail in degenerate cases, rather than
allowing writes to a world-writable directory.

Fixes: CWE-22 path traversal vulnerability in fallback path
diff --git a/.claude/hooks/Stop/invoke_skill_learning.py b/.claude/hooks/Stop/invoke_skill_learning.py
@@ -100,7 +100,16 @@ def _detect_safe_base_dir() -> Path:
     Without this guard, an attacker who can set the env var to '/' would
     defeat every write-path guard in this file. Mirrors the pattern in
     ``invoke_observation_sync._get_repo_root``.
+
+    Returns a non-existent sentinel path on failure to ensure all containment
+    checks fail rather than allowing writes to world-writable directories.
     """
+    # Sentinel path that should never exist. When returned, all _is_relative_to
+    # checks will fail, ensuring no writes are permitted in degenerate cases.
+    # Using /tmp would effectively disable containment since any path under
+    # /tmp would pass validation.
+    sentinel = Path("/__nonexistent_containment_sentinel__")
+
     script_dir = str(Path(__file__).resolve().parent)
     env_dir = os.environ.get("CLAUDE_PROJECT_DIR", "").strip()
     if env_dir:
@@ -126,15 +135,15 @@ def _detect_safe_base_dir() -> Path:
     try:
         cur = Path.cwd().resolve()
     except OSError:
-        # cwd may have been deleted; fall back to a known-safe directory
-        return Path.home() if Path.home().exists() else Path("/tmp")
+        # cwd may have been deleted; return sentinel to fail all containment checks
+        return sentinel
     while True:
         if (cur / ".git").exists():
             return cur
         parent = cur.parent
         if parent == cur:
-            # No .git found; fall back to a known-safe directory
-            return Path.home() if Path.home().exists() else Path("/tmp")
+            # No .git found; return sentinel to fail all containment checks
+            return sentinel
         cur = parent
 
 
