fix: audit fixes — path safety, shared reads, dir pruning#485
Merged
tomasz-tomczyk merged 4 commits intomainfrom May 7, 2026
Merged
fix: audit fixes — path safety, shared reads, dir pruning#485tomasz-tomczyk merged 4 commits intomainfrom
tomasz-tomczyk merged 4 commits intomainfrom
Conversation
… labels, dir pruning
- Normalize backslash separators in bulk JSON paths before filepath.Clean
so Windows-authored bulk JSON ("subdir\file.go") works on Unix
- Add source label to JSON parse errors so callers can distinguish file
vs stdin failures ("Error parsing JSON from bulk.json at byte …")
- Replace os.ReadFile with readFileShared in review_file.go, session_write.go,
github.go for consistent cross-process locking semantics
- Extract fileIgnored/dirIgnored helpers in session.go; prune ignored
directories early in walkDirSubsFirst instead of per-file
- Use GenerateConsoleCtrlEvent(CTRL_BREAK_EVENT) in terminateProcess on Windows
so the daemon's signal.NotifyContext handler runs before falling back to Kill
- Remove stale autodetect.go reference from AGENTS.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Move the backslash→slash replacement before isAbsoluteOrTraversal so
Windows-style traversal inputs ("subdir\..\..\etc\passwd") are rejected
on Unix too. Previously, filepath.Clean treated backslash as a literal
on Unix, so the check passed; after ReplaceAll the path became a real
traversal that landed in the review file as a corrupted key.
Also document dirIgnored's trailing-slash-only contract and add a test
for the backslash traversal rejection.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Locks the trailing-slash-only contract for dirIgnored (bare basename patterns like "node_modules" are not pruned at the directory level) and covers fileIgnored pattern matching including the dir/ prefix case. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #485 +/- ##
==========================================
- Coverage 69.19% 69.19% -0.01%
==========================================
Files 43 43
Lines 10829 10851 +22
==========================================
+ Hits 7493 7508 +15
- Misses 2767 2772 +5
- Partials 569 571 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
…ror no-offset path Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
"subdir\..\..\etc\passwd"on Unix would previously passisAbsoluteOrTraversal(filepath.Clean treats backslash as literal) then convert to a traversal pathos.ReadFilewithreadFileSharedfor review.json reads inreview_file.go,session_write.go,github.go— consistent Windows sharing-violation protectionfileIgnored/dirIgnoredhelpers insession.go; prune ignored directories early inwalkDirSubsFirstrather than per-fileGenerateConsoleCtrlEvent(CTRL_BREAK_EVENT)interminateProcesson Windows so the daemon's signal handler runs before falling back to TerminateProcessfileIgnored/dirIgnored, backslash traversal rejectionautodetect.goreference fromAGENTS.mdReview
Test plan
go test -race -count=1 ./...— passgolangci-lint run ./...— 0 issuesTestProcessBulkFileOrLineEntryRejectsBackslashTraversal,TestFileIgnored,TestDirIgnored🤖 Generated with Claude Code