fix: block sensitive symlink targets

2026-05-25 16:28:57 +08:00
parent dc8b06f961
commit 2f28b4880e
4 changed files with 31 additions and 0 deletions
--- a/internal/codexhome/bounds.go
+++ b/internal/codexhome/bounds.go
@@ -101,6 +101,9 @@ func rejectSymlinkEscape(home string, candidate string) error {
 		if !isInside(evaluatedHome, currentEvaluated) {
 			return ErrOutsideCodexHome
 		}
+		if IsForbidden(currentEvaluated, evaluatedHome) {
+			return ErrForbiddenPath
+		}
 	}
 	return nil
 }
--- a/internal/codexhome/bounds_test.go
+++ b/internal/codexhome/bounds_test.go
@@ -1,6 +1,7 @@
 package codexhome

 import (
+	"errors"
 	"os"
 	"path/filepath"
 	"testing"
@@ -91,3 +92,22 @@ func TestResolveAgentTOMLRejectsUnsafeNames(t *testing.T) {
 		})
 	}
 }
+
+func TestResolveAgentTOMLRejectsSymlinkToAuthJSON(t *testing.T) {
+	home := filepath.Join(t.TempDir(), ".codex")
+	agentsDir := filepath.Join(home, "agents")
+	if err := os.MkdirAll(agentsDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(home, "auth.json"), []byte("{}"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Symlink("../auth.json", filepath.Join(agentsDir, "demo.toml")); err != nil {
+		t.Fatal(err)
+	}
+
+	_, err := ResolveAgentTOML(home, "demo.toml")
+	if !errors.Is(err, ErrForbiddenPath) {
+		t.Fatalf("expected ErrForbiddenPath, got %v", err)
+	}
+}