fix(security): fix latent sandbox escape in IO.path()

filepath.Clean("/"+p) returns absolute path, filepath.Join(root, "/abs")
drops root on Linux. Strip leading "/" before joining with sandbox root.

Currently not exploitable (validatePath handles it), but any future
caller of path() with active sandbox would escape. Defensive fix.

Found by Gemini Pro security review.

Co-Authored-By: Virgil <virgil@lethean.io>
Snider 2026-03-18 01:16:30 +00:00
parent 55cbfea7ca
commit dd6803df10

@ -60,8 +60,8 @@ func (m *IO) path(p string) string {
return clean
}
// Join cleaned relative path with root
return filepath.Join(m.root, clean)
// Strip leading "/" so Join works correctly with root
return filepath.Join(m.root, clean[1:])
}
// validatePath ensures the path is within the sandbox, following symlinks if they exist.
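Review bot: `clean[1:]` in the new return drops the first byte unconditionally, while the comment above it says it strips a leading "/". The slice is only correct if `clean` is always non-empty and always starts with a separator when this line is reached, and that invariant is set up in lines outside this hunk. An empty `clean` would panic here, and a value without a leading separator would silently lose its first character. Consider `strings.TrimPrefix(clean, string(filepath.Separator))`, which matches the comment and is a no-op when there is no leading separator. Since the commit message calls this a defensive fix for future callers, a regression test that calls `path()` with an absolute input while a root is set and asserts the result stays under `m.root` would keep the behaviour pinned.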