Conversation
Add defense-in-depth path validation for git worktree operations. A new validateWorktreePath helper rejects relative paths, control characters, leading '-' (argument injection), '..' segments, and Windows drive-relative / long-path / UNC prefixes. Validation is applied at both the source (resolveWorktreePath, stdin hook input) and the sink (createWorktree, removeWorktree, getCreateWorktreeCommand, and clean.ts's local removeWorktree wrapper). Error messages escape control characters to prevent ANSI escape injection in logs. The dry-run command formatter uses escapeShellPath to keep displayed paths safe even with embedded quotes. Symlink resolution and an allowlist of permitted roots are tracked as future enhancements; the SECURITY_CHECKLIST docs note this scope. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a High-severity path traversal vulnerability in git worktree operations.
createWorktree/removeWorktreepreviously passedworktreePathdirectly togit worktree add/removewithout traversal validation. The existingvalidatePathonly blocked null bytes / newlines /$()/ backticks, leaving../, leading-, and control characters as viable attack vectors via a maliciouspath_script, hook stdin payload, or compromised config.A new
validateWorktreePathhelper is applied at both source (resolveWorktreePath, stdin hook input) and sink (createWorktree,removeWorktree,getCreateWorktreeCommand, andclean.ts's localremoveWorktreewrapper) for defense-in-depth. Error messages escape control characters to prevent ANSI-escape injection in logs, and the dry-run command formatter now usesescapeShellPathso embedded quotes can't produce broken shell strings.Symlink resolution and an allowlist of permitted roots (
worktree.allowedRoots) are deferred — the SECURITY_CHECKLIST docs note this scope explicitly.Related issues: #417 (symlink attacks) and #415 (env-var injection in path_script) sit in the same neighborhood and should be tracked separately.
Test Plan
worktree-path-validation.test.tscovering accept paths, rejected forms (.., leading-, control chars, Windows drive-relative / long-path / UNC), and error-message control-char escaping.services/worktree/operations.test.tsasserting validation runs beforerunGitCommandis invoked, that the canonical (normalized) path reaches git, and thatgetCreateWorktreeCommandescapes single quotes safely.worktree-path.test.tswith regressions forpath_scriptoutputs containing.., leading-, and trailing slashes.stdin.test.tswith hook-payload regressions; rejection now emitswarnLogso attempted injections are observable.pnpm run lint,pnpm run fmt:check,pnpm run check(tsc): all clean.settings.test.ts > Hash history FIFO(filesystem timing race; passes 16/16 in isolation; not touched by this PR).Checklist
pnpm run check:allpasses (sole failure is the pre-existing flakysettings.test.tsFIFO test, unrelated to this PR; verified by running it in isolation)docs/SECURITY_CHECKLIST.mdand.ja.md§2)Fixes #419