Skip to content

fix: resolve 4 critical security vulnerabilities (P0)#336

Merged
ajianaz merged 2 commits into
developfrom
fix/p0-critical-security
Jul 2, 2026
Merged

fix: resolve 4 critical security vulnerabilities (P0)#336
ajianaz merged 2 commits into
developfrom
fix/p0-critical-security

Conversation

@ajianaz

@ajianaz ajianaz commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Summary

Fixes 4 critical security vulnerabilities (P0) identified in the codebase.

Fix #32 — Command injection via `` (commit_cmd.rs)

The commit command was constructing a shell string with and interpolating the environment variable directly, allowing shell injection.
Fix: Parse into program + args using whitespace splitting, then invoke via — no shell involved. Handles editors with flags like or .

Fix #61 — Path traversal in JS/TS import resolver (resolver.rs)

The JS/TS import resolver stripped and prefixes manually then joined with project root, which could be bypassed with path traversal sequences.
Fix: Added helper that canonicalizes paths and verifies containment within the canonicalized project root. Applied to the JS/TS import resolution path.

Fix #62 — Path traversal in symbol resolver (resolver.rs)

accepted and read files via without validation, allowing reads outside the project directory.
Fix: Used in , test file resolution, and to prevent reading files outside the project root. Paths that escape the project directory are logged and skipped.

Fix #91 — API key file written before chmod (TOCTOU race) (loader.rs)

The API key was written to disk with default permissions, then chmod'd to 0o600 — creating a window where the file was readable by other users.
Fix: On Unix, create the file with from the start, eliminating the TOCTOU race. Non-Unix platforms get a best-effort fallback with a comment.

Testing

  • All 609 tests pass (587 unit + 16 CLI + 6 config integration)
  • cargo fmt applied
  • No new warnings introduced

References

Closes #332

ajianaz added 2 commits July 2, 2026 11:38
- Fix #32: Command injection via  in commit_cmd.rs
  Replace sh -c shell execution with direct Command::new(program).args(args)
  to prevent shell injection through EDITOR env variable.

- Fix #61: Path traversal in JS/TS import resolver
  Add safe_join() helper that canonicalizes paths and verifies containment
  within project root. Apply to JS/TS import resolution and all other
  project_root.join() calls involving user-controlled paths.

- Fix #62: Path traversal in symbol resolver
  Use safe_join() in resolve_symbols, test file resolution, and
  read_entry_content to prevent reading files outside project root.

- Fix #91: API key file written before chmod (TOCTOU race)
  Create file with 0o600 permissions from the start using OpenOptionsExt
  on Unix, eliminating the window between write and chmod.

Closes #332
@ajianaz ajianaz merged commit 2536981 into develop Jul 2, 2026
10 checks passed
@ajianaz ajianaz deleted the fix/p0-critical-security branch July 2, 2026 04:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

P0: Fix 4 critical security vulnerabilities Enhancement: Add branding footer to PR review comments

1 participant