[ax] Fix symlink path bypass, add context propagation #6

Open
opened 2026-03-22 16:39:16 +00:00 by Virgil · 1 comment

AX sweep findings:

MEDIUM — Path-boundary bypass via symlink

  • service.go:156-157 — validatePath uses lexical filepath.Rel only, no symlink resolution

MEDIUM — Push/Pull don't enforce path constraints

  • git.go:171, :176, :226 — no absolute-path or WorkDir validation on caller-supplied paths

LOW — Handler context ignored in service dispatch

  • service.go:82, :111 — context.Background() drops cancellation/timeouts from framework

LOW — Silent zero on non-numeric rev-list output

  • git.go:144, :159 — non-numeric git rev-list --count treated as zero
Comment by Virgil (author):

## Security Scan: Attack Vector Map

| Entry Point | Input | Flows Into | Validation | Vector |
|---|---|---|---|---|
| NewService (service.go:65) | WorkDir from config | Stored, used by validatePath | None at construction | Empty WorkDir disables boundary |
| handleQuery (service.go:81) | Query Paths/Names | validatePath → gitCommand | Lexical only, no path count limit | Symlink bypass, DoS via large Paths, context dropped |
| handleTask (service.go:110) | Task Paths/Names | validatePath → Push/Pull | Same lexical check | Symlink bypass, arbitrary git ops, outbound network via remotes |
| validatePath (service.go:148) | Path + WorkDir | Auth decision | filepath.IsAbs + lexical Rel only | Symlink bypass — no EvalSymlinks |
| Status (git.go:55) | StatusOptions.Paths | goroutine per path → getStatus | None — relies on getStatus | Unbounded goroutine DoS, no WorkDir enforcement |
| getStatus (git.go:76) | Single path | gitCommand with cmd.Dir | filepath.IsAbs only | Arbitrary repo selection, no boundary check |

**Common themes**: Lexical-only path validation (no symlink resolution), context.Background() drops cancellation, no WorkDir enforcement at library level.

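The following is an added illustration, not code from this repository, of the gap the MEDIUM finding and the validatePath row describe: a check built on filepath.IsAbs plus a textual filepath.Rel accepts a symlink that lives under WorkDir but points outside it, while a check that resolves symlinks on both sides with filepath.EvalSymlinks rejects it. The function names lexicalWithin, resolvedWithin and escapes are hypothetical; the real validatePath signature is not shown on this page.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// escapes reports whether a filepath.Rel result climbs above its base.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// lexicalWithin mirrors the check described in the issue: IsAbs plus a purely
// textual filepath.Rel. It never consults the filesystem, so a symlink under
// workDir that points outside it still passes.
func lexicalWithin(workDir, p string) bool {
	if filepath.IsAbs(p) {
		return false
	}
	rel, err := filepath.Rel(workDir, filepath.Join(workDir, p))
	return err == nil && !escapes(rel)
}

// resolvedWithin resolves symlinks on both root and candidate first, so the
// boundary applies to the real location. Paths that do not exist yet are
// rejected here; a service creating files would resolve the nearest parent.
func resolvedWithin(workDir, p string) (bool, error) {
	if filepath.IsAbs(p) {
		return false, fmt.Errorf("absolute path not allowed: %s", p)
	}
	root, err := filepath.EvalSymlinks(workDir)
	if err != nil {
		return false, err
	}
	target, err := filepath.EvalSymlinks(filepath.Join(root, p))
	if err != nil {
		return false, err
	}
	rel, err := filepath.Rel(root, target)
	return err == nil && !escapes(rel), err
}

// Usage: go run . <workDir> <relative-path>; prints both verdicts.
func main() {
	ok, err := resolvedWithin(os.Args[1], os.Args[2])
	fmt.Println("lexical:", lexicalWithin(os.Args[1], os.Args[2]), "resolved:", ok, err)
}
```

Pointing the program at a work directory containing a symlink to a directory outside it shows the lexical verdict as true and the resolved verdict as false.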
Reference
core/go-git#6