[codex] harden path safety and docs wording#155
Merged
Conversation
|
You have used all of your free Bugbot PR reviews. To receive reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This change hardens
cc-sddagainst unsafe filesystem path handling and follows up with a small wording cleanup in the English docs.The main user-facing issue is that the CLI accepted manifest- and template-derived paths without enforcing repository boundaries. In the current threat model, the realistic risk is not a remote HTTP exploit but a supply-chain or workspace-trust attack: a user runs the tool with a malicious manifest or inside a repository that contains attacker-controlled path structures such as symlinks.
Root Cause
The root cause was inconsistent trust-boundary handling around filesystem paths.
buildFileOperations()resolved source and destination paths directly from manifest and template inputs, but it did not verify that template sources remained inside the expected template root or that generated outputs remained inside the working repository.shared-rulesnames were also accepted without strict validation, which allowed traversal-oriented inputs to reach path resolution. On the write side, the executor wrote to resolved paths without rejecting symlinked destinations or symlinked parent path components.Fix
The fix introduces a small path-safety layer and applies it at both planning time and write time.
A new
pathSafetyutility now validates that resolved paths stay within an allowed root and that path-bearing inputs are relative before resolution.fileOperationsnow uses these checks for manifest sources, template directories, generated output paths, and fallback template lookups.shared-ruleshandling was tightened to allow only safe markdown basenames. The executor now re-validates destination and backup paths against the repository boundary and refuses to write through symlinked paths.This PR also updates a few English documentation lines to replace
team-scale AI-driven developmentwith the more naturalAI-driven development at team scale.Validation
I added regression coverage for:
cwdshared-rulesChecks run:
npm testintools/cc-sdd(193 tests passing)Impact
For normal usage, behavior is unchanged except that invalid or hostile path inputs now fail closed instead of being resolved and written. This should reduce the blast radius of malicious manifests, unsafe template metadata, and symlink-based repository tricks without changing the expected installation flow for valid templates.