Summary
The cookie-import command in browse/src/write-commands.ts:286 validates a relative path by running it through path.normalize() and rejecting any .. segment, but it never resolves symlinks. A relative symlink such as ./cookies.json that points at /etc/shadow contains no .. segment, so it passes every check and the command reads the link target.
Reproduction
ln -s /etc/passwd ./cookies.json
$B cookie-import ./cookies.json # reads /etc/passwd into process memory
Root cause
The command uses its own ad-hoc path validation instead of reusing the existing validateReadPath pattern. The .. check catches lexical traversal but not symlink-based escapes, because path.normalize() only rewrites the string and never touches the filesystem.
Fix
PR #664 replaces the custom validation with realpathSync-based resolution and reads from the resolved path rather than from the original, still-symlinked path (eliminating the TOCTOU gap between the check and the read).
Found via sqry AST-based semantic code graph analysis.