core/go
8
0
Fork 0
generated from lthn/LEM
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions 4

fix(io/local): resolve symlinks on sandbox root #10

Merged
Snider merged 1 commit from fix/macos-sandbox-symlink into dev 2026-02-19 14:22:28 +00:00
Conversation 0 Commits 1 Files changed 2 +10 -1
Virgil commented 2026-02-19 14:21:47 +00:00
Member
Copy link

Summary

  • Resolves symlinks on the sandbox root path in New() via filepath.EvalSymlinks
  • Fixes false SECURITY sandbox escape detected warnings on macOS where /var/private/var
  • Updates TestNew to compare against resolved paths

Root Cause

New() stored the unresolved root (/var/folders/...) but validatePath() resolved child paths to /private/var/folders/.... The filepath.Rel() check then produced .. prefixes, triggering false sandbox escape detections on every file operation.

Test plan

  • go test ./pkg/io/local/ passes on macOS (all 28 tests)
  • Symlink escape detection still works (TestValidatePath_Security)
  • Full suite green: go test ./...

🤖 Generated with Claude Code

## Summary - Resolves symlinks on the sandbox root path in `New()` via `filepath.EvalSymlinks` - Fixes false `SECURITY sandbox escape detected` warnings on macOS where `/var` → `/private/var` - Updates `TestNew` to compare against resolved paths ## Root Cause `New()` stored the unresolved root (`/var/folders/...`) but `validatePath()` resolved child paths to `/private/var/folders/...`. The `filepath.Rel()` check then produced `..` prefixes, triggering false sandbox escape detections on every file operation. ## Test plan - [x] `go test ./pkg/io/local/` passes on macOS (all 28 tests) - [x] Symlink escape detection still works (`TestValidatePath_Security`) - [x] Full suite green: `go test ./...` 🤖 Generated with [Claude Code](https://claude.com/claude-code)
Virgil added 1 commit 2026-02-19 14:21:47 +00:00
fix(io/local): resolve symlinks on sandbox root to prevent false escape detection
Some checks are pending
Auto Merge / merge (pull_request) Waiting to run
Details
CI / qa (pull_request) Waiting to run
Details
Coverage / coverage (pull_request) Waiting to run
Details
PR Build / build (amd64, linux, ubuntu-latest) (pull_request) Waiting to run
Details
PR Build / draft-release (pull_request) Blocked by required conditions
Details
cbaa114bb2 
On macOS, /var is a symlink to /private/var. When New() stores the
unresolved root but validatePath() resolves child paths via EvalSymlinks,
the mismatch causes filepath.Rel to produce ".." prefixes — triggering
false SECURITY sandbox escape warnings on every file operation.

Fix: resolve symlinks on the root path in New() so both sides compare
like-for-like. Updates TestNew to compare against resolved paths.

Co-Authored-By: Virgil <virgil@lethean.io>
Snider merged commit 10f0ebaf22 into dev 2026-02-19 14:22:28 +00:00
Snider deleted branch fix/macos-sandbox-symlink 2026-02-19 14:22:28 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
  
athena

Assign to Athena AI agent (M3 Ultra)

  
athena-gemini

Dispatch to Gemini CLI on M3 Ultra

  
audit

Code audit task

  
clotho

Assign to Clotho AI agent for processing

  
clotho-gemini

Dispatch to Gemini CLI on darbs (AU)

  
codex

Dispatch to Codex CLI on gateway for analysis

  
darbs-claude

Dispatch to Claude on darbs (AU)

  
security

Security review task

  
wiki

Documentation/wiki update

No labels
athena
athena-gemini
audit
clotho
clotho-gemini
codex
darbs-claude
security
wiki
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: core/go#10
No description provided.
Delete branch "fix/macos-sandbox-symlink"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?