Skip to content

🛡️ Sentinel: [HIGH] Fix data leakage and newline injection in publish flow#116

Open
calionauta wants to merge 1 commit into
mainfrom
sentinel-fix-publish-security-18157133613721361602
Open

🛡️ Sentinel: [HIGH] Fix data leakage and newline injection in publish flow#116
calionauta wants to merge 1 commit into
mainfrom
sentinel-fix-publish-security-18157133613721361602

Conversation

@calionauta

Copy link
Copy Markdown
Owner

🚨 Severity: HIGH
💡 Vulnerability:

  1. Brittle file exclusion logic in git_publish.py failed to ignore sensitive directories like sessions/ and cache/.
  2. Newline injection vulnerability in skill name validation ($ anchor in regex).
  3. Data leakage via symlink following in shutil.copytree and shutil.copy2.

🎯 Impact: Sensitive user data (sessions, cache, files outside the skill directory) could be accidentally published to public repositories. Maliciously crafted skill names could bypass validation.

🔧 Fix:

  1. Used fnmatch.filter for robust pattern-based file/directory exclusion.
  2. Replaced $ with \Z in validation regexes.
  3. Hardened copy operations by preserving symlinks (symlinks=True, follow_symlinks=False).

✅ Verification: Created tests/test_publish_security.py covering all three cases. Ran full project test suite (569 tests passed).


PR created automatically by Jules for task 18157133613721361602 started by @renatocaliari

… flow

- Use fnmatch for robust file exclusion in git_publish.py
- Use \Z instead of $ in skill name regex to prevent newline injection
- Prevent symlink content leakage by preserving links during copy
- Add security regression tests in tests/test_publish_security.py
- Update .jules/sentinel.md with security learnings

Co-authored-by: renatocaliari <1719651+renatocaliari@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses critical security vulnerabilities in the publish flow, including preventing newline injection in skill name validation by using \Z instead of $, avoiding content leakage via symbolic links by configuring shutil.copytree and shutil.copy2 to not follow symlinks, and refactoring file exclusion logic to use fnmatch. The review feedback recommends handling case-insensitivity in the file exclusion logic to prevent case-variant bypasses on case-sensitive filesystems, and gracefully skipping the symlink security test on platforms where symlink creation is restricted.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines 35 to +41
def _ignore(path, names):
ignored = []
for name in names:
for pattern in patterns:
if pattern.startswith('*.'):
if name.endswith(pattern[1:]):
ignored.append(name)
break
elif pattern.startswith('.'):
if name == pattern or name.startswith(pattern.rstrip('/') + '/'):
ignored.append(name)
break
return ignored
for pattern in patterns:
# Use fnmatch.filter to robustly match patterns against names
matches = fnmatch.filter(names, pattern)
ignored.extend(matches)
return list(set(ignored))

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

On case-sensitive filesystems (such as Linux and macOS), fnmatch.filter performs case-sensitive matching. This means sensitive directories or files named with different casing (e.g., SESSIONS, Cache, Ssh, or MODELS.JSON) will bypass the ignore filter and potentially leak sensitive user data to public repositories.

To prevent this security bypass, we should perform case-insensitive pattern matching by converting both the names and the patterns to lowercase and using fnmatch.fnmatchcase.

Suggested change
def _ignore(path, names):
ignored = []
for name in names:
for pattern in patterns:
if pattern.startswith('*.'):
if name.endswith(pattern[1:]):
ignored.append(name)
break
elif pattern.startswith('.'):
if name == pattern or name.startswith(pattern.rstrip('/') + '/'):
ignored.append(name)
break
return ignored
for pattern in patterns:
# Use fnmatch.filter to robustly match patterns against names
matches = fnmatch.filter(names, pattern)
ignored.extend(matches)
return list(set(ignored))
def _ignore(path, names):
ignored = []
for pattern in patterns:
lower_pattern = pattern.lower()
for name in names:
if fnmatch.fnmatchcase(name.lower(), lower_pattern):
ignored.append(name)
return list(set(ignored))

Comment on lines +42 to +44
# Create a symlink inside src pointing to secret_file outside src
link = src / "link_to_secret"
link.symlink_to(secret_file)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

On Windows platforms, creating symbolic links using symlink_to requires administrator privileges or Developer Mode to be enabled. If these are not present, the test will raise an OSError (e.g., [WinError 1314]), causing the test suite to fail.

To ensure the test suite remains robust and cross-platform, we should catch OSError during symlink creation and gracefully skip the test using pytest.skip.

Suggested change
# Create a symlink inside src pointing to secret_file outside src
link = src / "link_to_secret"
link.symlink_to(secret_file)
# Create a symlink inside src pointing to secret_file outside src
link = src / "link_to_secret"
try:
link.symlink_to(secret_file)
except OSError:
pytest.skip("Symlinks are not supported or permitted on this platform")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant