fix(io/local): resolve symlinks on sandbox root #10

Merged
Snider merged 1 commit from fix/macos-sandbox-symlink into dev 2026-02-19 14:22:28 +00:00
Member

Summary

  • Resolves symlinks on the sandbox root path in New() via filepath.EvalSymlinks
  • Fixes false SECURITY sandbox escape detected warnings on macOS where /var/private/var
  • Updates TestNew to compare against resolved paths

Root Cause

New() stored the unresolved root (/var/folders/...) but validatePath() resolved child paths to /private/var/folders/.... The filepath.Rel() check then produced .. prefixes, triggering false sandbox escape detections on every file operation.

Test plan

  • go test ./pkg/io/local/ passes on macOS (all 28 tests)
  • Symlink escape detection still works (TestValidatePath_Security)
  • Full suite green: go test ./...

🤖 Generated with Claude Code

## Summary - Resolves symlinks on the sandbox root path in `New()` via `filepath.EvalSymlinks` - Fixes false `SECURITY sandbox escape detected` warnings on macOS where `/var` → `/private/var` - Updates `TestNew` to compare against resolved paths ## Root Cause `New()` stored the unresolved root (`/var/folders/...`) but `validatePath()` resolved child paths to `/private/var/folders/...`. The `filepath.Rel()` check then produced `..` prefixes, triggering false sandbox escape detections on every file operation. ## Test plan - [x] `go test ./pkg/io/local/` passes on macOS (all 28 tests) - [x] Symlink escape detection still works (`TestValidatePath_Security`) - [x] Full suite green: `go test ./...` 🤖 Generated with [Claude Code](https://claude.com/claude-code)
Virgil added 1 commit 2026-02-19 14:21:47 +00:00
fix(io/local): resolve symlinks on sandbox root to prevent false escape detection
Some checks are pending
Auto Merge / merge (pull_request) Waiting to run
CI / qa (pull_request) Waiting to run
Coverage / coverage (pull_request) Waiting to run
PR Build / build (amd64, linux, ubuntu-latest) (pull_request) Waiting to run
PR Build / draft-release (pull_request) Blocked by required conditions
cbaa114bb2
On macOS, /var is a symlink to /private/var. When New() stores the
unresolved root but validatePath() resolves child paths via EvalSymlinks,
the mismatch causes filepath.Rel to produce ".." prefixes — triggering
false SECURITY sandbox escape warnings on every file operation.

Fix: resolve symlinks on the root path in New() so both sides compare
like-for-like. Updates TestNew to compare against resolved paths.

Co-Authored-By: Virgil <virgil@lethean.io>
Snider merged commit 10f0ebaf22 into dev 2026-02-19 14:22:28 +00:00
Snider deleted branch fix/macos-sandbox-symlink 2026-02-19 14:22:28 +00:00
Sign in to join this conversation.
No description provided.