diff --git a/internal/agents/store.go b/internal/agents/store.go index 79e330e..92c188a 100644 --- a/internal/agents/store.go +++ b/internal/agents/store.go @@ -18,6 +18,16 @@ type Store struct { } func (s Store) List() ([]AgentDefinition, error) { + agentsPath := filepath.Join(s.CodexHome, "agents") + if info, err := os.Lstat(agentsPath); err != nil { + if os.IsNotExist(err) { + return []AgentDefinition{}, nil + } + return nil, err + } else if info.Mode()&os.ModeSymlink != 0 { + return nil, codexhome.ErrForbiddenPath + } + agentsDir, err := codexhome.ResolveInside(s.CodexHome, "agents") if err != nil { return nil, err diff --git a/internal/agents/store_test.go b/internal/agents/store_test.go index ae3a101..7258b75 100644 --- a/internal/agents/store_test.go +++ b/internal/agents/store_test.go @@ -179,3 +179,35 @@ func TestListAgentsRejectsSymlinkToNonAgentToml(t *testing.T) { t.Fatalf("non-agent TOML content leaked: %#v", got[0]) } } + +func TestListAgentsRejectsSymlinkedAgentsDirectory(t *testing.T) { + root := t.TempDir() + if err := os.WriteFile(filepath.Join(root, "config.toml"), []byte(`name = "project-secret"`), 0o600); err != nil { + t.Fatal(err) + } + if err := os.Symlink(".", filepath.Join(root, "agents")); err != nil { + t.Fatal(err) + } + + store := Store{CodexHome: root} + got, err := store.List() + if err == nil { + t.Fatalf("expected symlinked agents directory to be rejected, got %#v", got) + } + if strings.Contains(err.Error(), "project-secret") { + t.Fatalf("symlinked agents directory leaked sensitive content in error: %v", err) + } + for _, item := range got { + if strings.Contains(item.Name, "project-secret") || + strings.Contains(item.Description, "project-secret") || + strings.Contains(item.DeveloperInstructions, "project-secret") || + strings.Contains(item.ParseError, "project-secret") { + t.Fatalf("symlinked agents directory leaked sensitive content: %#v", item) + } + for key, value := range item.ExtraFields { + if strings.Contains(key, "project-secret") || strings.Contains(value, "project-secret") { + t.Fatalf("symlinked agents directory leaked sensitive extra field: %#v", item.ExtraFields) + } + } + } +} diff --git a/progress.md b/progress.md index dbe58d6..04a270b 100644 --- a/progress.md +++ b/progress.md @@ -13,6 +13,8 @@ | 2026-05-25 | 2 | coding agent | TDD 实现 Agent TOML 只读读取和 `/api/agents` | 完成;提交 `feat: read codex agent definitions` | | 2026-05-25 | 2 | spec review | 规格审查未通过:重复键 TOML 可 valid;agent symlink 可读取 root `config.toml` | coding agent 按 blocking 范围修复 | | 2026-05-25 | 2 | coding agent | TDD 修复 agent TOML parser 和 symlink 边界 | 完成;提交 `fix: validate agent toml boundaries` | +| 2026-05-25 | 2 | spec review | 复审未通过:`agents -> .` 目录 symlink 可读取 root `config.toml` | coding agent 按 blocking 范围修复 | +| 2026-05-25 | 2 | coding agent | TDD 修复 symlinked `agents` 目录边界 | 完成;提交 `fix: reject symlinked agents directory` | ## Test Results @@ -52,6 +54,11 @@ | 2026-05-25 | `go test ./...` | PASS | Required verification | | 2026-05-25 | `git diff --check` | PASS | Required verification | | 2026-05-25 | `git status --short` | PASS | Required verification;Phase 2 review fix 文件待提交 | +| 2026-05-25 | `go test ./internal/agents` | FAIL | TDD 红灯:`agents -> .` 目录 symlink 将 root `config.toml` 读取为 valid agent 并泄漏 `project-secret` | +| 2026-05-25 | `go test ./internal/agents` | PASS | symlinked `agents` 目录被拒绝;leaf symlink 和 duplicate TOML 回归保持通过 | +| 2026-05-25 | `go test ./...` | PASS | Required verification | +| 2026-05-25 | `git diff --check` | PASS | Required verification | +| 2026-05-25 | `git status --short` | PASS | Required verification;Phase 2 symlinked directory fix 文件待提交 | ## Bug Loop @@ -64,3 +71,4 @@ | 1 | `ResolveAgentTOML` 可通过 `agents/*.toml` symlink 指向 root `auth.json` 绕过 forbidden 检查 | 在 symlink 解析后对 evaluated final target 再执行 forbidden 检查 | `go test ./internal/codexhome` PASS | | 2 | Agent TOML parser 对重复键使用 map 覆盖,且未校验 bare key | 增加 duplicate key 和 invalid key 检测,遇到 malformed TOML 返回单条 invalid | `go test ./internal/agents` PASS | | 2 | Agent symlink 只校验最终路径在 Codex home 内,可读取 root `config.toml` | 在 agent store 层拒绝 `.toml` symlink,避免读取非 agent TOML 内容 | `go test ./internal/agents` PASS | +| 2 | `agents` 目录 symlink 会让枚举逻辑读取 Codex home root 的 `.toml` 文件 | 在 `Store.List` 对 lexical `CodexHome/agents` 先 `Lstat`,发现 symlink 直接返回 forbidden error | `go test ./internal/agents` PASS | diff --git a/task_plan.md b/task_plan.md index f607e83..db36e1a 100644 --- a/task_plan.md +++ b/task_plan.md @@ -33,3 +33,4 @@ | 2026-05-25 | 1 | 代码质量审查发现 symlink 边界绕过、敏感文件大小写匹配、缺少操作域 resolver、`CODEX_HOME` 未生效 | TDD 补充失败测试后修复 `codexhome` 和 `app` | 已通过最终验证 | | 2026-05-25 | 1 | 规格复审发现 `ResolveAgentTOML` 可通过 `agents/*.toml` symlink 指向 root `auth.json` 绕过 forbidden 检查 | TDD 补充 symlink-to-auth 测试后检查 resolved final target | 已通过最终验证 | | 2026-05-25 | 2 | 规格审查发现重复键 TOML 被报告为 valid,且 agent symlink 可读取 Codex home 内非 agent TOML | TDD 补充 duplicate key、invalid key、symlink-to-config 测试后修复 parser 和 agent store 边界 | 已通过最终验证 | +| 2026-05-25 | 2 | 复审发现 `agents -> .` 目录 symlink 可把 root `config.toml` 当作 agent 读取 | TDD 补充 symlinked agents directory 测试后在 `Store.List` 拒绝 symlinked `agents` 目录 | 已通过最终验证 |