Fix critical skills path-remap root escape (including symlink traversal) (#367)

* Block skills path-remap escapes outside project root * Harden path remap against symlink-based root escape * test: isolate update tests from real git index
2026-02-22 17:10:45 -05:00
parent 264f855566
commit 856f98023c
4 changed files with 274 additions and 7 deletions
--- a/skills-engine/tests/apply.test.ts
+++ b/skills-engine/tests/apply.test.ts
@@ -11,6 +11,7 @@ import {
  initGitRepo,
  setupNanoclawDir,
 } from './test-helpers.js';
+import { readState, writeState } from '../state.js';

 describe('apply', () => {
  let tmpDir: string;
@@ -89,4 +90,68 @@ describe('apply', () => {
    // Added file should be cleaned up
    expect(fs.existsSync(path.join(tmpDir, 'src/added.ts'))).toBe(false);
  });
+
+  it('does not allow path_remap to write files outside project root', async () => {
+    const state = readState();
+    state.path_remap = { 'src/newfile.ts': '../../outside.txt' };
+    writeState(state);
+
+    const skillDir = createSkillPackage(tmpDir, {
+      skill: 'remap-escape',
+      version: '1.0.0',
+      core_version: '1.0.0',
+      adds: ['src/newfile.ts'],
+      modifies: [],
+      addFiles: { 'src/newfile.ts': 'safe content' },
+    });
+
+    const result = await applySkill(skillDir);
+    expect(result.success).toBe(true);
+
+    // Remap escape is ignored; file remains constrained inside project root.
+    expect(fs.existsSync(path.join(tmpDir, 'src/newfile.ts'))).toBe(true);
+    expect(fs.existsSync(path.join(tmpDir, '..', 'outside.txt'))).toBe(false);
+  });
+
+  it('does not allow path_remap symlink targets to write outside project root', async () => {
+    const outsideDir = fs.mkdtempSync(
+      path.join(path.dirname(tmpDir), 'nanoclaw-remap-outside-'),
+    );
+    const linkPath = path.join(tmpDir, 'link-out');
+
+    try {
+      fs.symlinkSync(outsideDir, linkPath);
+    } catch (err) {
+      const code = (err as NodeJS.ErrnoException).code;
+      if (code === 'EPERM' || code === 'EACCES' || code === 'ENOSYS') {
+        fs.rmSync(outsideDir, { recursive: true, force: true });
+        return;
+      }
+      fs.rmSync(outsideDir, { recursive: true, force: true });
+      throw err;
+    }
+
+    try {
+      const state = readState();
+      state.path_remap = { 'src/newfile.ts': 'link-out/pwned.txt' };
+      writeState(state);
+
+      const skillDir = createSkillPackage(tmpDir, {
+        skill: 'remap-symlink-escape',
+        version: '1.0.0',
+        core_version: '1.0.0',
+        adds: ['src/newfile.ts'],
+        modifies: [],
+        addFiles: { 'src/newfile.ts': 'safe content' },
+      });
+
+      const result = await applySkill(skillDir);
+      expect(result.success).toBe(true);
+
+      expect(fs.existsSync(path.join(tmpDir, 'src/newfile.ts'))).toBe(true);
+      expect(fs.existsSync(path.join(outsideDir, 'pwned.txt'))).toBe(false);
+    } finally {
+      fs.rmSync(outsideDir, { recursive: true, force: true });
+    }
+  });
 });