Skip to content

🛡️ Sentinel: [HIGH] Fix regex newline injection and harden symlink handling#99

Open
calionauta wants to merge 1 commit into
mainfrom
sentinel/fix-newline-injection-and-harden-symlinks-11659729053155068126
Open

🛡️ Sentinel: [HIGH] Fix regex newline injection and harden symlink handling#99
calionauta wants to merge 1 commit into
mainfrom
sentinel/fix-newline-injection-and-harden-symlinks-11659729053155068126

Conversation

@calionauta

Copy link
Copy Markdown
Owner

This PR addresses two security concerns identified during an audit of the publish and sync flows:

  1. Regex Newline Injection: The _is_valid_skill_name functions in local_source.py and external_source.py used the $ anchor, which allows trailing newlines to pass validation. This has been updated to use \Z for strict end-of-string matching.
  2. Symlink Content Leakage: Multiple file copy operations (shutil.copytree and shutil.copy2) were following symbolic links by default. This could lead to accidental inclusion of sensitive system files if a user-controlled directory contained malicious symlinks. These calls have been hardened with symlinks=True and follow_symlinks=False.

Changes:

  • Modified src/agent_sync/publish/local_source.py
  • Modified src/agent_sync/publish/external_source.py
  • Modified src/agent_sync/publish/git_publish.py
  • Modified src/agent_sync/publish/agents_source.py
  • Modified src/agent_sync/skills.py
  • Added regression test to tests/test_security.py

All 552 tests passed successfully.


PR created automatically by Jules for task 11659729053155068126 started by @renatocaliari

…ndling

🚨 Severity: HIGH
💡 Vulnerability: Regex newline injection in skill name validation and insecure symlink following in file operations.
🎯 Impact: Trailing newlines could bypass validation, and symlinks could lead to sensitive file content leakage during sync/publish operations.
🔧 Fix: Used \Z anchor in regex patterns and disabled symlink following in shutil operations.
✅ Verification: Added regression tests in tests/test_security.py and verified full test suite passes.

Co-authored-by: renatocaliari <1719651+renatocaliari@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request secures skill name validation against newline injection by using \Z in regular expressions and adds corresponding tests. It also modifies file copying operations to preserve symlinks. The reviewer advises against preserving symlinks (follow_symlinks=False and symlinks=True) because it can result in broken symlinks in published repositories or agent directories, and potentially leak local path structures. Reverting to copying the actual content of symlinked files is recommended.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

safe_name = agent_name.replace("/", "_").replace(" ", "_")
dest = agents_dir / f"{safe_name}.md"
shutil.copy2(Path(agent.path), dest)
shutil.copy2(Path(agent.path), dest, follow_symlinks=False)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Using follow_symlinks=False here will copy the symlink itself rather than the actual content of the agent file if agent.path is a symbolic link (e.g., if the user symlinks their agent files from a dotfiles repository). This results in a broken symlink in the published repository (since the target path is local to the publisher's machine) and leaks the publisher's local directory structure/username to the public repository.

Since the goal of publishing is to share the agent's actual content, we should follow symlinks to copy the file's content.

Suggested change
shutil.copy2(Path(agent.path), dest, follow_symlinks=False)
shutil.copy2(Path(agent.path), dest)

Comment on lines 94 to 96
shutil.copytree(src_path, dest, dirs_exist_ok=True,
symlinks=True,
ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS))

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Using symlinks=True in shutil.copytree will copy symlinks as symlinks instead of copying their content. If a skill directory contains symlinks to other files (e.g., shared utilities or resources), copying them as symlinks will result in broken symlinks in the published repository (especially if they point to absolute paths or paths outside the skill directory). This breaks the published skills for other users and can leak local path structures.

We should follow symlinks (the default symlinks=False) to ensure all required content is physically copied and published.

                shutil.copytree(src_path, dest, dirs_exist_ok=True,
                               ignore=_ignore_func(*DEFAULT_IGNORE_PATTERNS))

else:
dest.parent.mkdir(parents=True, exist_ok=True)
shutil.copy2(src_path, dest)
shutil.copy2(src_path, dest, follow_symlinks=False)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Using follow_symlinks=False when copying files for publishing will copy the symlink itself rather than the file's content if src_path is a symbolic link. This results in a broken symlink in the published repository and leaks the publisher's local directory structure. We should follow symlinks to ensure the actual content is published.

Suggested change
shutil.copy2(src_path, dest, follow_symlinks=False)
shutil.copy2(src_path, dest)

Comment thread src/agent_sync/skills.py
# Copy if doesn't exist
if skill_item.is_dir():
shutil.copytree(skill_item, dest)
shutil.copytree(skill_item, dest, symlinks=True)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Using symlinks=True when distributing skills to all agents will copy symlinks as symlinks. If a skill contains relative symlinks, they will be broken in the agent's skills directory because the destination path is at a different location in the filesystem. We should follow symlinks to ensure the actual content is copied.

Suggested change
shutil.copytree(skill_item, dest, symlinks=True)
shutil.copytree(skill_item, dest)

Comment thread src/agent_sync/skills.py
shutil.copytree(skill_item, dest, symlinks=True)
else:
shutil.copy2(skill_item, dest)
shutil.copy2(skill_item, dest, follow_symlinks=False)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Using follow_symlinks=False here will copy the symlink itself rather than the file's content, which can result in broken symlinks in the agent's skills directory. We should follow symlinks to ensure the actual content is copied.

Suggested change
shutil.copy2(skill_item, dest, follow_symlinks=False)
shutil.copy2(skill_item, dest)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant