🛡️ Sentinel: [HIGH] Fix regex newline injection and harden symlink handling#99
Conversation
…ndling 🚨 Severity: HIGH 💡 Vulnerability: Regex newline injection in skill name validation and insecure symlink following in file operations. 🎯 Impact: Trailing newlines could bypass validation, and symlinks could lead to sensitive file content leakage during sync/publish operations. 🔧 Fix: Used \Z anchor in regex patterns and disabled symlink following in shutil operations. ✅ Verification: Added regression tests in tests/test_security.py and verified full test suite passes. Co-authored-by: renatocaliari <1719651+renatocaliari@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
There was a problem hiding this comment.
Code Review
This pull request secures skill name validation against newline injection by using \Z in regular expressions and adds corresponding tests. It also modifies file copying operations to preserve symlinks. The reviewer advises against preserving symlinks (follow_symlinks=False and symlinks=True) because it can result in broken symlinks in published repositories or agent directories, and potentially leak local path structures. Reverting to copying the actual content of symlinked files is recommended.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| safe_name = agent_name.replace("/", "_").replace(" ", "_") | ||
| dest = agents_dir / f"{safe_name}.md" | ||
| shutil.copy2(Path(agent.path), dest) | ||
| shutil.copy2(Path(agent.path), dest, follow_symlinks=False) |
There was a problem hiding this comment.
Using follow_symlinks=False here will copy the symlink itself rather than the actual content of the agent file if agent.path is a symbolic link (e.g., if the user symlinks their agent files from a dotfiles repository). This results in a broken symlink in the published repository (since the target path is local to the publisher's machine) and leaks the publisher's local directory structure/username to the public repository.
Since the goal of publishing is to share the agent's actual content, we should follow symlinks to copy the file's content.
| shutil.copy2(Path(agent.path), dest, follow_symlinks=False) | |
| shutil.copy2(Path(agent.path), dest) |
| shutil.copytree(src_path, dest, dirs_exist_ok=True, | ||
| symlinks=True, | ||
| ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS)) |
There was a problem hiding this comment.
Using symlinks=True in shutil.copytree will copy symlinks as symlinks instead of copying their content. If a skill directory contains symlinks to other files (e.g., shared utilities or resources), copying them as symlinks will result in broken symlinks in the published repository (especially if they point to absolute paths or paths outside the skill directory). This breaks the published skills for other users and can leak local path structures.
We should follow symlinks (the default symlinks=False) to ensure all required content is physically copied and published.
shutil.copytree(src_path, dest, dirs_exist_ok=True,
ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS))| else: | ||
| dest.parent.mkdir(parents=True, exist_ok=True) | ||
| shutil.copy2(src_path, dest) | ||
| shutil.copy2(src_path, dest, follow_symlinks=False) |
There was a problem hiding this comment.
Using follow_symlinks=False when copying files for publishing will copy the symlink itself rather than the file's content if src_path is a symbolic link. This results in a broken symlink in the published repository and leaks the publisher's local directory structure. We should follow symlinks to ensure the actual content is published.
| shutil.copy2(src_path, dest, follow_symlinks=False) | |
| shutil.copy2(src_path, dest) |
| # Copy if doesn't exist | ||
| if skill_item.is_dir(): | ||
| shutil.copytree(skill_item, dest) | ||
| shutil.copytree(skill_item, dest, symlinks=True) |
There was a problem hiding this comment.
Using symlinks=True when distributing skills to all agents will copy symlinks as symlinks. If a skill contains relative symlinks, they will be broken in the agent's skills directory because the destination path is at a different location in the filesystem. We should follow symlinks to ensure the actual content is copied.
| shutil.copytree(skill_item, dest, symlinks=True) | |
| shutil.copytree(skill_item, dest) |
| shutil.copytree(skill_item, dest, symlinks=True) | ||
| else: | ||
| shutil.copy2(skill_item, dest) | ||
| shutil.copy2(skill_item, dest, follow_symlinks=False) |
There was a problem hiding this comment.
Using follow_symlinks=False here will copy the symlink itself rather than the file's content, which can result in broken symlinks in the agent's skills directory. We should follow symlinks to ensure the actual content is copied.
| shutil.copy2(skill_item, dest, follow_symlinks=False) | |
| shutil.copy2(skill_item, dest) |
This PR addresses two security concerns identified during an audit of the
publishandsyncflows:_is_valid_skill_namefunctions inlocal_source.pyandexternal_source.pyused the$anchor, which allows trailing newlines to pass validation. This has been updated to use\Zfor strict end-of-string matching.shutil.copytreeandshutil.copy2) were following symbolic links by default. This could lead to accidental inclusion of sensitive system files if a user-controlled directory contained malicious symlinks. These calls have been hardened withsymlinks=Trueandfollow_symlinks=False.Changes:
src/agent_sync/publish/local_source.pysrc/agent_sync/publish/external_source.pysrc/agent_sync/publish/git_publish.pysrc/agent_sync/publish/agents_source.pysrc/agent_sync/skills.pytests/test_security.pyAll 552 tests passed successfully.
PR created automatically by Jules for task 11659729053155068126 started by @renatocaliari