Skip to content

🛡️ Sentinel: [HIGH] Fix symlink content leakage during sync#101

Open
calionauta wants to merge 1 commit into
mainfrom
harden-symlink-handling-704602133331055470
Open

🛡️ Sentinel: [HIGH] Fix symlink content leakage during sync#101
calionauta wants to merge 1 commit into
mainfrom
harden-symlink-handling-704602133331055470

Conversation

@calionauta

Copy link
Copy Markdown
Owner

🛡️ Sentinel: [HIGH] Fix symlink content leakage during sync

🚨 Severity: HIGH

💡 Vulnerability:

The application's file synchronization and backup logic used default shutil.copytree and shutil.copy2 calls which follow symbolic links. If a user-controlled directory (like a skill or agent configuration) contained a symlink pointing to a sensitive file outside that directory, the application would read and copy the content of the target file instead of the link itself.

🎯 Impact:

This could lead to unauthorized information disclosure. Sensitive files such as SSH keys, environment files, or other credentials located anywhere on the user's filesystem could be inadvertently leaked into the synchronization repository (often a private or public GitHub repo).

🔧 Fix:

Hardened all shutil copy operations that handle user-provided or external directory structures:

  • Set symlinks=True in shutil.copytree() to ensure links are preserved as links.
  • Set follow_symlinks=False in shutil.copy2() to prevent traversing single-file links.
  • Consistent application across sync.py, publish/git_publish.py, skills.py, centralize/safe_fallback.py, and skills_reconcile.py.

✅ Verification:

  • Created a reproduction script that successfully leaked sensitive content before the fix and verified it is blocked after the fix.
  • Added a permanent security regression test test_shutil_preserves_symlinks in tests/test_security.py.
  • Ran the full test suite (551 tests passed).

PR created automatically by Jules for task 704602133331055470 started by @renatocaliari

Hardened file copy operations across the codebase to prevent symbolic link
traversal. By default, `shutil` operations follow links, which could allow
sensitive files outside the intended scope (like SSH keys) to be read and
published to a backup repository if a user-controlled directory contained
a malicious symlink.

Changes:
- Updated `shutil.copytree` to use `symlinks=True`
- Updated `shutil.copy2` to use `follow_symlinks=False`
- Applied hardening to `sync.py`, `git_publish.py`, `skills.py`,
  `safe_fallback.py`, and `skills_reconcile.py`
- Added security regression test in `tests/test_security.py`
- Recorded learning in `.jules/sentinel.md`

Co-authored-by: renatocaliari <1719651+renatocaliari@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses a symlink content leakage vulnerability during file sync operations by configuring shutil.copytree with symlinks=True and shutil.copy2 with follow_symlinks=False across various modules, alongside adding a corresponding security test. However, the reviewer identified a critical security issue: pathlib.Path.is_dir() returns True for symbolic links pointing to directories, meaning shutil.copytree would still traverse these links and copy their contents. The reviewer recommends checking is_symlink() first to ensure symlinks are correctly preserved.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines 69 to +72
if item.is_dir():
shutil.copytree(item, dest)
shutil.copytree(item, dest, symlinks=True)
else:
shutil.copy2(item, dest)
shutil.copy2(item, dest, follow_symlinks=False)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).

Suggested change
if item.is_dir():
shutil.copytree(item, dest)
shutil.copytree(item, dest, symlinks=True)
else:
shutil.copy2(item, dest)
shutil.copy2(item, dest, follow_symlinks=False)
if item.is_symlink():
shutil.copy2(item, dest, follow_symlinks=False)
elif item.is_dir():
shutil.copytree(item, dest, symlinks=True)
else:
shutil.copy2(item, dest, follow_symlinks=False)

Comment on lines 123 to +126
if item.is_dir():
shutil.copytree(item, dest)
shutil.copytree(item, dest, symlinks=True)
else:
shutil.copy2(item, dest)
shutil.copy2(item, dest, follow_symlinks=False)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).

Suggested change
if item.is_dir():
shutil.copytree(item, dest)
shutil.copytree(item, dest, symlinks=True)
else:
shutil.copy2(item, dest)
shutil.copy2(item, dest, follow_symlinks=False)
if item.is_symlink():
shutil.copy2(item, dest, follow_symlinks=False)
elif item.is_dir():
shutil.copytree(item, dest, symlinks=True)
else:
shutil.copy2(item, dest, follow_symlinks=False)

Comment on lines 93 to +98
if src_path.is_dir():
shutil.copytree(src_path, dest, dirs_exist_ok=True,
ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS))
ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS), symlinks=True)
else:
dest.parent.mkdir(parents=True, exist_ok=True)
shutil.copy2(src_path, dest)
shutil.copy2(src_path, dest, follow_symlinks=False)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).

Suggested change
if src_path.is_dir():
shutil.copytree(src_path, dest, dirs_exist_ok=True,
ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS))
ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS), symlinks=True)
else:
dest.parent.mkdir(parents=True, exist_ok=True)
shutil.copy2(src_path, dest)
shutil.copy2(src_path, dest, follow_symlinks=False)
if src_path.is_symlink():
dest.parent.mkdir(parents=True, exist_ok=True)
shutil.copy2(src_path, dest, follow_symlinks=False)
elif src_path.is_dir():
shutil.copytree(src_path, dest, dirs_exist_ok=True,
ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS), symlinks=True)
else:
dest.parent.mkdir(parents=True, exist_ok=True)
shutil.copy2(src_path, dest, follow_symlinks=False)

Comment thread src/agent_sync/skills.py
Comment on lines 514 to 524
if item.is_dir():
if not dry_run:
shutil.copytree(item, dest)
shutil.copytree(item, dest, symlinks=True)
synced += 1
elif item.is_file():
# Copy non-directory entries (e.g. RETIRED.md manifest).
# These are metadata files that restore the retirement
# state on a fresh machine.
if not dry_run:
shutil.copy2(item, dest)
shutil.copy2(item, dest, follow_symlinks=False)
synced += 1

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).

Suggested change
if item.is_dir():
if not dry_run:
shutil.copytree(item, dest)
shutil.copytree(item, dest, symlinks=True)
synced += 1
elif item.is_file():
# Copy non-directory entries (e.g. RETIRED.md manifest).
# These are metadata files that restore the retirement
# state on a fresh machine.
if not dry_run:
shutil.copy2(item, dest)
shutil.copy2(item, dest, follow_symlinks=False)
synced += 1
if item.is_symlink():
if not dry_run:
shutil.copy2(item, dest, follow_symlinks=False)
synced += 1
elif item.is_dir():
if not dry_run:
shutil.copytree(item, dest, symlinks=True)
synced += 1
elif item.is_file():
# Copy non-directory entries (e.g. RETIRED.md manifest).
# These are metadata files that restore the retirement
# state on a fresh machine.
if not dry_run:
shutil.copy2(item, dest, follow_symlinks=False)
synced += 1

Comment thread src/agent_sync/skills.py
Comment on lines 764 to +767
if move:
shutil.move(str(source_path), str(dest_path))
else:
shutil.copytree(source_path, dest_path)
shutil.copytree(source_path, dest_path, symlinks=True)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).

                            if move:
                                shutil.move(str(source_path), str(dest_path))
                            elif source_path.is_symlink():
                                shutil.copy2(source_path, dest_path, follow_symlinks=False)
                            else:
                                shutil.copytree(source_path, dest_path, symlinks=True)

Comment thread src/agent_sync/skills.py

if skill_dir.is_dir():
shutil.copytree(skill_dir, dest)
shutil.copytree(skill_dir, dest, symlinks=True)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).

Suggested change
shutil.copytree(skill_dir, dest, symlinks=True)
if skill_dir.is_symlink():
shutil.copy2(skill_dir, dest, follow_symlinks=False)
else:
shutil.copytree(skill_dir, dest, symlinks=True)

Comment thread src/agent_sync/sync.py
Comment on lines 1718 to +1721
if item.is_dir():
shutil.copytree(item, dest, dirs_exist_ok=True, ignore=shutil.ignore_patterns('.git'))
shutil.copytree(item, dest, dirs_exist_ok=True, ignore=shutil.ignore_patterns('.git'), symlinks=True)
else:
shutil.copy2(item, dest)
shutil.copy2(item, dest, follow_symlinks=False)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

In Python, pathlib.Path.is_dir() returns True for symbolic links pointing to directories. When shutil.copytree is called on a symbolic link pointing to a directory, it will traverse the link and copy the entire directory's contents instead of preserving the symlink itself. This bypasses the intended security fix and leads to directory content leakage. To prevent this, check is_symlink() first and copy it using shutil.copy2(..., follow_symlinks=False).

Suggested change
if item.is_dir():
shutil.copytree(item, dest, dirs_exist_ok=True, ignore=shutil.ignore_patterns('.git'))
shutil.copytree(item, dest, dirs_exist_ok=True, ignore=shutil.ignore_patterns('.git'), symlinks=True)
else:
shutil.copy2(item, dest)
shutil.copy2(item, dest, follow_symlinks=False)
if item.is_symlink():
shutil.copy2(item, dest, follow_symlinks=False)
elif item.is_dir():
shutil.copytree(item, dest, dirs_exist_ok=True, ignore=shutil.ignore_patterns('.git'), symlinks=True)
else:
shutil.copy2(item, dest, follow_symlinks=False)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant