fix(opencode): reject path traversal in remote skill discovery#36364
fix(opencode): reject path traversal in remote skill discovery#363641837620622 wants to merge 2 commits into
Conversation
Validate skill.name and files from remote skill indexes before writing into the local cache. Align with packages/core skill discovery so a hostile index cannot escape the skills cache or fetch cross-origin resources.
|
Thanks for your contribution! This PR doesn't have a linked issue. All PRs must reference an existing issue. Please:
See CONTRIBUTING.md for details. |
|
The following comment was made by an LLM, it may be inaccurate: Potential duplicate found:
This PR appears related as it also addresses path traversal safety during skill discovery. You should verify if #35996 already covers the remote skill index scenario or if they address different aspects of skill discovery security. |
Review-readyHigh-confidence path-traversal fix for remote skill discovery (aligns with |
Keep the remote skill discovery path-traversal guards; only switch the section comment to English for upstream consistency.
|
Thanks for updating your PR! It now meets our contributing guidelines. 👍 |
|
Friendly review ping 🙏 Path-traversal hardening for remote skill discovery (hostile Happy to iterate if anything looks off. |
…e entries Addresses CodeRabbit review findings on the anomalyco#36364 port.
* fix(opencode): reject path traversal in remote skill discovery Ported from upstream anomalyco#36364. * fix(opencode): harden skill names against drive letters and log unsafe entries Addresses CodeRabbit review findings on the anomalyco#36364 port.
Issue for this PR
Closes #36365
Type of change
What does this PR do?
Remote skill indexes could supply
skill.name/fileswith.., absolute paths, or cross-origin URLs.packages/opencodewrote downloads viapath.joinwithout containment checks.Port the path safety checks already present in
packages/coreskill discovery (isSafeSegment,isSafeRelativePath, destination containment, same-origin URL checks). Add regression tests that assert hostile indexes do not fetch or write outside the skills cache.Not a duplicate of #35996 (that PR covers local symlink walks under
.claude/.agents; this covers remote index field validation).How did you verify your code works?
bun test --preload ./test/preload.ts test/skill/discovery.test.ts(hostile index cases included)Screenshots / recordings
N/A — non-UI
Checklist