🛡️ Sentinel: [HIGH] Fix data leakage and newline injection in publish flow#116
🛡️ Sentinel: [HIGH] Fix data leakage and newline injection in publish flow#116calionauta wants to merge 1 commit into
Conversation
… flow - Use fnmatch for robust file exclusion in git_publish.py - Use \Z instead of $ in skill name regex to prevent newline injection - Prevent symlink content leakage by preserving links during copy - Add security regression tests in tests/test_publish_security.py - Update .jules/sentinel.md with security learnings Co-authored-by: renatocaliari <1719651+renatocaliari@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
There was a problem hiding this comment.
Code Review
This pull request addresses critical security vulnerabilities in the publish flow, including preventing newline injection in skill name validation by using \Z instead of $, avoiding content leakage via symbolic links by configuring shutil.copytree and shutil.copy2 to not follow symlinks, and refactoring file exclusion logic to use fnmatch. The review feedback recommends handling case-insensitivity in the file exclusion logic to prevent case-variant bypasses on case-sensitive filesystems, and gracefully skipping the symlink security test on platforms where symlink creation is restricted.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| def _ignore(path, names): | ||
| ignored = [] | ||
| for name in names: | ||
| for pattern in patterns: | ||
| if pattern.startswith('*.'): | ||
| if name.endswith(pattern[1:]): | ||
| ignored.append(name) | ||
| break | ||
| elif pattern.startswith('.'): | ||
| if name == pattern or name.startswith(pattern.rstrip('/') + '/'): | ||
| ignored.append(name) | ||
| break | ||
| return ignored | ||
| for pattern in patterns: | ||
| # Use fnmatch.filter to robustly match patterns against names | ||
| matches = fnmatch.filter(names, pattern) | ||
| ignored.extend(matches) | ||
| return list(set(ignored)) |
There was a problem hiding this comment.
On case-sensitive filesystems (such as Linux and macOS), fnmatch.filter performs case-sensitive matching. This means sensitive directories or files named with different casing (e.g., SESSIONS, Cache, Ssh, or MODELS.JSON) will bypass the ignore filter and potentially leak sensitive user data to public repositories.
To prevent this security bypass, we should perform case-insensitive pattern matching by converting both the names and the patterns to lowercase and using fnmatch.fnmatchcase.
| def _ignore(path, names): | |
| ignored = [] | |
| for name in names: | |
| for pattern in patterns: | |
| if pattern.startswith('*.'): | |
| if name.endswith(pattern[1:]): | |
| ignored.append(name) | |
| break | |
| elif pattern.startswith('.'): | |
| if name == pattern or name.startswith(pattern.rstrip('/') + '/'): | |
| ignored.append(name) | |
| break | |
| return ignored | |
| for pattern in patterns: | |
| # Use fnmatch.filter to robustly match patterns against names | |
| matches = fnmatch.filter(names, pattern) | |
| ignored.extend(matches) | |
| return list(set(ignored)) | |
| def _ignore(path, names): | |
| ignored = [] | |
| for pattern in patterns: | |
| lower_pattern = pattern.lower() | |
| for name in names: | |
| if fnmatch.fnmatchcase(name.lower(), lower_pattern): | |
| ignored.append(name) | |
| return list(set(ignored)) |
| # Create a symlink inside src pointing to secret_file outside src | ||
| link = src / "link_to_secret" | ||
| link.symlink_to(secret_file) |
There was a problem hiding this comment.
On Windows platforms, creating symbolic links using symlink_to requires administrator privileges or Developer Mode to be enabled. If these are not present, the test will raise an OSError (e.g., [WinError 1314]), causing the test suite to fail.
To ensure the test suite remains robust and cross-platform, we should catch OSError during symlink creation and gracefully skip the test using pytest.skip.
| # Create a symlink inside src pointing to secret_file outside src | |
| link = src / "link_to_secret" | |
| link.symlink_to(secret_file) | |
| # Create a symlink inside src pointing to secret_file outside src | |
| link = src / "link_to_secret" | |
| try: | |
| link.symlink_to(secret_file) | |
| except OSError: | |
| pytest.skip("Symlinks are not supported or permitted on this platform") |
🚨 Severity: HIGH
💡 Vulnerability:
git_publish.pyfailed to ignore sensitive directories likesessions/andcache/.$anchor in regex).shutil.copytreeandshutil.copy2.🎯 Impact: Sensitive user data (sessions, cache, files outside the skill directory) could be accidentally published to public repositories. Maliciously crafted skill names could bypass validation.
🔧 Fix:
fnmatch.filterfor robust pattern-based file/directory exclusion.$with\Zin validation regexes.symlinks=True,follow_symlinks=False).✅ Verification: Created
tests/test_publish_security.pycovering all three cases. Ran full project test suite (569 tests passed).PR created automatically by Jules for task 18157133613721361602 started by @renatocaliari