🛡️ Sentinel: [HIGH] Fix symlink content leakage during sync#101
🛡️ Sentinel: [HIGH] Fix symlink content leakage during sync#101calionauta wants to merge 1 commit into
Conversation
Hardened file copy operations across the codebase to prevent symbolic link traversal. By default, `shutil` operations follow links, which could allow sensitive files outside the intended scope (like SSH keys) to be read and published to a backup repository if a user-controlled directory contained a malicious symlink. Changes: - Updated `shutil.copytree` to use `symlinks=True` - Updated `shutil.copy2` to use `follow_symlinks=False` - Applied hardening to `sync.py`, `git_publish.py`, `skills.py`, `safe_fallback.py`, and `skills_reconcile.py` - Added security regression test in `tests/test_security.py` - Recorded learning in `.jules/sentinel.md` Co-authored-by: renatocaliari <1719651+renatocaliari@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
There was a problem hiding this comment.
Code Review
This pull request addresses a symlink content leakage vulnerability during file sync operations by configuring shutil.copytree with symlinks=True and shutil.copy2 with follow_symlinks=False across various modules, alongside adding a corresponding security test. However, the reviewer identified a critical security issue: pathlib.Path.is_dir() returns True for symbolic links pointing to directories, meaning shutil.copytree would still traverse these links and copy their contents. The reviewer recommends checking is_symlink() first to ensure symlinks are correctly preserved.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| if item.is_dir(): | ||
| shutil.copytree(item, dest) | ||
| shutil.copytree(item, dest, symlinks=True) | ||
| else: | ||
| shutil.copy2(item, dest) | ||
| shutil.copy2(item, dest, follow_symlinks=False) |
There was a problem hiding this comment.
In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).
| if item.is_dir(): | |
| shutil.copytree(item, dest) | |
| shutil.copytree(item, dest, symlinks=True) | |
| else: | |
| shutil.copy2(item, dest) | |
| shutil.copy2(item, dest, follow_symlinks=False) | |
| if item.is_symlink(): | |
| shutil.copy2(item, dest, follow_symlinks=False) | |
| elif item.is_dir(): | |
| shutil.copytree(item, dest, symlinks=True) | |
| else: | |
| shutil.copy2(item, dest, follow_symlinks=False) |
| if item.is_dir(): | ||
| shutil.copytree(item, dest) | ||
| shutil.copytree(item, dest, symlinks=True) | ||
| else: | ||
| shutil.copy2(item, dest) | ||
| shutil.copy2(item, dest, follow_symlinks=False) |
There was a problem hiding this comment.
In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).
| if item.is_dir(): | |
| shutil.copytree(item, dest) | |
| shutil.copytree(item, dest, symlinks=True) | |
| else: | |
| shutil.copy2(item, dest) | |
| shutil.copy2(item, dest, follow_symlinks=False) | |
| if item.is_symlink(): | |
| shutil.copy2(item, dest, follow_symlinks=False) | |
| elif item.is_dir(): | |
| shutil.copytree(item, dest, symlinks=True) | |
| else: | |
| shutil.copy2(item, dest, follow_symlinks=False) |
| if src_path.is_dir(): | ||
| shutil.copytree(src_path, dest, dirs_exist_ok=True, | ||
| ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS)) | ||
| ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS), symlinks=True) | ||
| else: | ||
| dest.parent.mkdir(parents=True, exist_ok=True) | ||
| shutil.copy2(src_path, dest) | ||
| shutil.copy2(src_path, dest, follow_symlinks=False) |
There was a problem hiding this comment.
In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).
| if src_path.is_dir(): | |
| shutil.copytree(src_path, dest, dirs_exist_ok=True, | |
| ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS)) | |
| ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS), symlinks=True) | |
| else: | |
| dest.parent.mkdir(parents=True, exist_ok=True) | |
| shutil.copy2(src_path, dest) | |
| shutil.copy2(src_path, dest, follow_symlinks=False) | |
| if src_path.is_symlink(): | |
| dest.parent.mkdir(parents=True, exist_ok=True) | |
| shutil.copy2(src_path, dest, follow_symlinks=False) | |
| elif src_path.is_dir(): | |
| shutil.copytree(src_path, dest, dirs_exist_ok=True, | |
| ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS), symlinks=True) | |
| else: | |
| dest.parent.mkdir(parents=True, exist_ok=True) | |
| shutil.copy2(src_path, dest, follow_symlinks=False) |
| if item.is_dir(): | ||
| if not dry_run: | ||
| shutil.copytree(item, dest) | ||
| shutil.copytree(item, dest, symlinks=True) | ||
| synced += 1 | ||
| elif item.is_file(): | ||
| # Copy non-directory entries (e.g. RETIRED.md manifest). | ||
| # These are metadata files that restore the retirement | ||
| # state on a fresh machine. | ||
| if not dry_run: | ||
| shutil.copy2(item, dest) | ||
| shutil.copy2(item, dest, follow_symlinks=False) | ||
| synced += 1 |
There was a problem hiding this comment.
In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).
| if item.is_dir(): | |
| if not dry_run: | |
| shutil.copytree(item, dest) | |
| shutil.copytree(item, dest, symlinks=True) | |
| synced += 1 | |
| elif item.is_file(): | |
| # Copy non-directory entries (e.g. RETIRED.md manifest). | |
| # These are metadata files that restore the retirement | |
| # state on a fresh machine. | |
| if not dry_run: | |
| shutil.copy2(item, dest) | |
| shutil.copy2(item, dest, follow_symlinks=False) | |
| synced += 1 | |
| if item.is_symlink(): | |
| if not dry_run: | |
| shutil.copy2(item, dest, follow_symlinks=False) | |
| synced += 1 | |
| elif item.is_dir(): | |
| if not dry_run: | |
| shutil.copytree(item, dest, symlinks=True) | |
| synced += 1 | |
| elif item.is_file(): | |
| # Copy non-directory entries (e.g. RETIRED.md manifest). | |
| # These are metadata files that restore the retirement | |
| # state on a fresh machine. | |
| if not dry_run: | |
| shutil.copy2(item, dest, follow_symlinks=False) | |
| synced += 1 |
| if move: | ||
| shutil.move(str(source_path), str(dest_path)) | ||
| else: | ||
| shutil.copytree(source_path, dest_path) | ||
| shutil.copytree(source_path, dest_path, symlinks=True) |
There was a problem hiding this comment.
In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).
if move:
shutil.move(str(source_path), str(dest_path))
elif source_path.is_symlink():
shutil.copy2(source_path, dest_path, follow_symlinks=False)
else:
shutil.copytree(source_path, dest_path, symlinks=True)|
|
||
| if skill_dir.is_dir(): | ||
| shutil.copytree(skill_dir, dest) | ||
| shutil.copytree(skill_dir, dest, symlinks=True) |
There was a problem hiding this comment.
In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).
| shutil.copytree(skill_dir, dest, symlinks=True) | |
| if skill_dir.is_symlink(): | |
| shutil.copy2(skill_dir, dest, follow_symlinks=False) | |
| else: | |
| shutil.copytree(skill_dir, dest, symlinks=True) |
| if item.is_dir(): | ||
| shutil.copytree(item, dest, dirs_exist_ok=True, ignore=shutil.ignore_patterns('.git')) | ||
| shutil.copytree(item, dest, dirs_exist_ok=True, ignore=shutil.ignore_patterns('.git'), symlinks=True) | ||
| else: | ||
| shutil.copy2(item, dest) | ||
| shutil.copy2(item, dest, follow_symlinks=False) |
There was a problem hiding this comment.
In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).
| if item.is_dir(): | |
| shutil.copytree(item, dest, dirs_exist_ok=True, ignore=shutil.ignore_patterns('.git')) | |
| shutil.copytree(item, dest, dirs_exist_ok=True, ignore=shutil.ignore_patterns('.git'), symlinks=True) | |
| else: | |
| shutil.copy2(item, dest) | |
| shutil.copy2(item, dest, follow_symlinks=False) | |
| if item.is_symlink(): | |
| shutil.copy2(item, dest, follow_symlinks=False) | |
| elif item.is_dir(): | |
| shutil.copytree(item, dest, dirs_exist_ok=True, ignore=shutil.ignore_patterns('.git'), symlinks=True) | |
| else: | |
| shutil.copy2(item, dest, follow_symlinks=False) |
🛡️ Sentinel: [HIGH] Fix symlink content leakage during sync
🚨 Severity: HIGH
💡 Vulnerability:
The application's file synchronization and backup logic used default
shutil.copytreeandshutil.copy2calls which follow symbolic links. If a user-controlled directory (like a skill or agent configuration) contained a symlink pointing to a sensitive file outside that directory, the application would read and copy the content of the target file instead of the link itself.🎯 Impact:
This could lead to unauthorized information disclosure. Sensitive files such as SSH keys, environment files, or other credentials located anywhere on the user's filesystem could be inadvertently leaked into the synchronization repository (often a private or public GitHub repo).
🔧 Fix:
Hardened all
shutilcopy operations that handle user-provided or external directory structures:symlinks=Trueinshutil.copytree()to ensure links are preserved as links.follow_symlinks=Falseinshutil.copy2()to prevent traversing single-file links.sync.py,publish/git_publish.py,skills.py,centralize/safe_fallback.py, andskills_reconcile.py.✅ Verification:
test_shutil_preserves_symlinksintests/test_security.py.PR created automatically by Jules for task 704602133331055470 started by @renatocaliari