🛡️ Sentinel: [HIGH] Fix Symlink Vulnerability in .env Handling

[abhimehro]

🛡️ Sentinel: [CRITICAL/HIGH] Fix Symlink Vulnerability in .env Handling

🚨 Severity: HIGH
💡 Vulnerability: Insecure file operations (chmod/write) on .env file without checking for symlinks.
🎯 Impact: An attacker with local write access could create a symlink named .env pointing to sensitive system files (e.g., /etc/passwd or critical binaries), causing the script to change their permissions to 600 (DoS) or overwrite them (Data Loss/Corruption).
🔧 Fix: Added os.path.islink checks before operations. Switched to os.open with secure flags and file descriptor-based chmod to prevent race conditions.
✅ Verification: Added unit tests verifying symlinks are skipped and files are created with correct permissions. Ran reproduction script to confirm fix. All 75 tests passed.

---

PR created automatically by Jules for task 6511438001568482826 started by @abhimehro

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[trunk-io]

Merging to main in this repository is managed by Trunk.

• To merge this pull request, check the box to the left or comment /trunk merge below.

[github-actions]

👋 Development Partner is reviewing this PR. Will provide feedback shortly.

[gemini-code-assist]

Summary of Changes

Hello @abhimehro, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a high-severity symlink vulnerability in the handling of .env files. The changes prevent malicious actors from exploiting insecure file operations (like chmod or write) on a symlinked .env file to compromise sensitive system files. The fix involves adding explicit symlink checks and employing more secure file creation and permission setting mechanisms, significantly enhancing the application's security posture against local privilege escalation or data corruption.

Highlights

• Symlink Vulnerability Fix: Implemented checks to prevent insecure operations on .env files if they are symlinks, mitigating potential Denial of Service or data loss by preventing modification or overwriting of arbitrary system files.
• Secure File Operations: Modified .env file writing to use os.open with specific flags and file descriptor-based chmod to avoid Time-of-Check-to-Time-of-Use (TOCTOU) race conditions and ensure correct permissions at creation.
• Enhanced Test Coverage: Added new unit tests to verify that symlinks are correctly handled (skipped) by both fix_env and check_env_permissions, and that .env files are created with the intended secure permissions.

Changelog

• .jules/sentinel.md
  • Added a new entry detailing the symlink vulnerability in .env handling, explaining its impact, the learning from it, and the prevention strategies.
• fix_env.py
  • Implemented a check using os.path.islink to abort .env writing if the path is a symlink.
  • Refactored .env file writing to use os.open with O_WRONLY | O_CREAT | O_TRUNC flags and stat.S_IRUSR | stat.S_IWUSR mode, ensuring secure permissions at creation and preventing race conditions.
  • Applied os.chmod directly to the file descriptor (fd) for enhanced security on Unix-like systems.
• main.py
  • Introduced a symlink check (os.path.islink) within check_env_permissions to prevent modifying permissions of a symlink target, logging a security warning if detected.
• tests/test_fix_env.py
  • Added a new test file for fix_env.
  • Included test_fix_env_skips_symlink to verify that fix_env correctly identifies and skips operations on symlinked .env files.
  • Added test_fix_env_creates_secure_file to confirm that fix_env creates .env files with 600 permissions.
• tests/test_plan_details.py
  • Imported importlib, os, and sys for more robust testing of color output.
  • Updated test_print_plan_details_with_colors to handle module reloading and environment patching for USE_COLORS more reliably.
• tests/test_symlink.py
  • Added a new test file for main's symlink handling.
  • Included test_check_env_permissions_skips_symlink to ensure check_env_permissions warns and skips symlinks, leaving target file permissions unchanged.
  • Added test_check_env_permissions_fixes_file to confirm that check_env_permissions correctly sets 600 permissions for regular files.

Activity

• Pull request was automatically created by Jules for task [6511438001568482826], initiated by @abhimehro.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

👋 Development Partner is reviewing this PR. Will provide feedback shortly.

[Copilot]

Pull request overview

Addresses a local symlink attack risk around .env permission fixing and rewriting, aiming to prevent chmod/write operations from following attacker-controlled symlinks.

Changes:

• Add symlink detection to check_env_permissions() to skip permission fixes on symlinks.
• Update fix_env.py to abort on .env symlinks and write via os.open with an intended secure permission flow.
• Add/adjust tests for symlink handling and fix a color-output test by reloading main under a forced “colors enabled” environment.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
main.py	Skips permission fixing when the .env path is a symlink.
fix_env.py	Adds symlink guard and switches .env rewriting to os.open + fd-based handling.
tests/test_symlink.py	New integration-style tests for symlink skipping and permission fixing.
tests/test_fix_env.py	New tests validating fix_env symlink skipping and 600 perms.
tests/test_plan_details.py	Reloads main under forced TTY + NO_COLOR settings to test colored output.
.jules/sentinel.md	Documents the symlink vulnerability and proposed prevention guidance.

[Copilot]

main is imported at module import time. Other tests in this repo import main inside the test function to avoid import-time side effects (e.g., load_dotenv() / TTY-derived globals) during test collection. Please move the import main into the individual tests (or import check_env_permissions inside the tests) to keep collection side-effect free and reduce order-dependence.

[Copilot]

patch("sys.stderr.isatty", ...) / patch("sys.stdout.isatty", ...) is likely to raise AttributeError because sys.stderr/sys.stdout are typically io.TextIOWrapper instances that don’t allow setting arbitrary attributes (no instance __dict__). Patch sys.stderr/sys.stdout themselves with objects that implement isatty() (or patch main.USE_COLORS/main.Colors directly) to make this test reliable.

[Copilot]

This test mutates real filesystem permissions (chmod(0o777) / mode assertions) but doesn’t skip on Windows. On Windows, chmod semantics differ and symlink creation may require privileges, making this test flaky. Consider skipping on os.name == 'nt' (similar to the second test) or rewriting it to mock os.stat/os.chmod like tests/test_env_permissions.py does.

[Copilot]

There are unused imports here (stat, MagicMock) which can fail linting in CI and make the test harder to read. Please remove any imports that aren’t used.

Suggested change

	import stat
	import pytest
	from unittest.mock import MagicMock, patch
	import pytest
	from unittest.mock import patch

[Copilot]

There are unused imports here (stat, MagicMock) which can fail linting in CI and add noise. Please remove any imports that aren’t used.

Suggested change

	import stat
	import pytest
	from unittest.mock import MagicMock, patch
	import pytest
	from unittest.mock import patch

[Copilot]

The “Prevention” guidance suggests that os.open(..., O_CREAT|O_WRONLY|O_TRUNC) + os.chmod(fd) avoids TOCTOU/symlink attacks, but that isn’t sufficient unless symlink-following is explicitly prevented (e.g., O_NOFOLLOW where supported and/or fstat-based validation of a regular file). Please update this write-up to reflect the need for O_NOFOLLOW/fstat (and ideally os.fchmod) so the documented guidance matches the actual secure pattern.

Suggested change

**Prevention:** Always use `os.path.islink()` to check for symlinks before modifying file metadata or content if the path is user-controlled or in a writable directory. Use `os.open` with `O_CREAT | O_WRONLY | O_TRUNC` and `os.chmod(fd)` on the file descriptor to avoid race conditions (TOCTOU) and ensure operations apply to the file itself, not a symlink target.

**Prevention:** Treat any path in a user-writable location as attacker-controlled. `os.path.islink()` can be used as an initial guard, but it is not sufficient on its own because of TOCTOU races. For creating or overwriting files like `.env`, open them with `os.open` using `O_CREAT | O_WRONLY | O_TRUNC` combined with `O_NOFOLLOW` where supported, then use `os.fstat(fd)` to verify you actually opened a regular file (and not a symlink or special file), and finally call `os.fchmod(fd, 0o600)` (or your desired mode) on the file descriptor. This descriptor-based pattern avoids following symlinks and prevents race conditions between path resolution and permission changes.

[Copilot]

os.path.exists() follows symlinks, so a dangling .env symlink will return False and skip the new symlink warning entirely. Also, checking islink() and then later calling os.stat/os.chmod on the path is still vulnerable to a TOCTOU swap (symlink can be replaced after the check). Consider using os.path.lexists() and performing the symlink check before the existence check, and/or switching to an FD-based approach (e.g., os.open with O_NOFOLLOW where available + os.fstat/os.fchmod, or os.chmod(..., follow_symlinks=False) as a fallback) to ensure the target cannot be replaced between check and chmod.

[Copilot]

The symlink check happens only right before writing, but the function reads .env at the top via open('.env', 'r'), which still follows symlinks. If .env is a symlink, this will read the target file (unexpected and potentially sensitive) before aborting. Move the symlink check (and ideally a regular-file check) before any read of .env.

[Copilot]

os.path.islink() alone doesn’t prevent a race: an attacker can swap .env to a symlink between the check and os.open(..., O_TRUNC), still allowing overwrite of an arbitrary target. To actually prevent symlink-following, include O_NOFOLLOW when available (via getattr(os, 'O_NOFOLLOW', 0)) and/or validate os.fstat(fd) is a regular file before writing; also prefer os.fchmod(fd, mode) over os.chmod(fd, mode) for clarity/portability on POSIX.

Suggested change

	flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
	mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
	fd = os.open('.env', flags, mode)
	with os.fdopen(fd, 'w') as f:
	f.write(new_content)
	# Enforce permissions on the file descriptor directly (safe against race conditions)
	if os.name != 'nt':
	os.chmod(fd, mode)
	# Include O_NOFOLLOW when available to prevent following symlinks at open-time
	flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, 'O_NOFOLLOW', 0)
	mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
	fd = os.open('.env', flags, mode)
	# Additional safety: verify the opened target is a regular file, not a symlink/device/FIFO
	st = os.fstat(fd)
	if not stat.S_ISREG(st.st_mode):
	# Avoid writing to anything that isn't a normal file
	os.close(fd)
	print("Security Warning: .env is not a regular file. Aborting write.")
	return
	with os.fdopen(fd, 'w') as f:
	f.write(new_content)
	# Enforce permissions on the file descriptor directly (safe against race conditions)
	if os.name != 'nt' and hasattr(os, 'fchmod'):
	os.fchmod(fd, mode)

[Copilot]

This import of module main is redundant, as it was previously imported on line 8.

Suggested change

	# Robust reload: handle case where main module reference is stale
	if "main" in sys.modules:
	importlib.reload(sys.modules["main"])
	else:
	import main
	importlib.reload(main)
	# Reload main so that the Colors configuration is recomputed
	importlib.reload(main)

[gemini-code-assist]

Code Review

This pull request introduces crucial security enhancements by addressing symlink vulnerabilities in .env file handling. The changes correctly implement os.path.islink checks before file operations and utilize os.open with file descriptor-based chmod to prevent Time-of-check to Time-of-use (TOCTOU) race conditions. The accompanying tests are comprehensive, covering both symlink skipping and secure file creation/permission setting. The documentation in sentinel.md is also updated to reflect this vulnerability and its prevention.

[gemini-code-assist]

This os.path.islink check is a critical security measure to prevent attackers from manipulating .env to point to sensitive system files. Excellent addition.

[gemini-code-assist]

The use of os.open with O_CREAT | O_WRONLY | O_TRUNC and subsequent os.chmod(fd, mode) is a robust way to prevent TOCTOU race conditions. This ensures that the file is created with the correct permissions atomically and that operations are performed on the intended file, not a symlink target. This is a significant security improvement.

[gemini-code-assist]

Adding the os.path.islink check here is essential to prevent check_env_permissions from inadvertently modifying permissions of a symlinked system file. This directly addresses the described vulnerability.

[gemini-code-assist]

This test effectively verifies that check_env_permissions correctly handles symlinks by skipping permission modification and logging a warning. It's a well-structured test for the security fix.

[gemini-code-assist]

This test ensures that check_env_permissions correctly applies the secure 600 permissions to regular files, complementing the symlink handling test.

[gemini-code-assist]

The assertion for the warning message can be made more concise and readable using mock_print.assert_any_call. This directly checks if the expected warning message was printed.

Suggested change

	assert mock_print.called
	found = False
	for call_args in mock_print.call_args_list:
	msg = call_args[0][0]
	if "Security Warning" in msg and "symlink" in msg:
	found = True
	break
	assert found, "Warning about symlink not found"
	mock_print.assert_any_call("Security Warning: .env is a symlink. Aborting to avoid overwriting target.")

[gemini-code-assist]

Since import main is already present at the top of the file, sys.modules["main"] will always exist. The if/else block can be simplified to just importlib.reload(sys.modules["main"]) for better readability.

            importlib.reload(sys.modules["main"])

[github-actions]

👋 Development Partner is reviewing this PR. Will provide feedback shortly.