Elgato_dark/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli synced 2026-04-21 13:37:17 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 19

fix(policy): guard copyFile paths against symlink attacks

Browse source
This commit is contained in:
krishdef7 2026-03-16 10:07:02 +05:30
parent de704ee200
commit d4c824bbb6
1 changed files with 15 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
packages/core/src/policy/config.ts
View file

@ -714,9 +714,15 @@ export function createPolicyUpdater(
'warning',
`Syntax error found in policy file. Backing up corrupted file to ${policyFile}.bak and starting fresh.`,
);
await fs
.copyFile(policyFile, `${policyFile}.bak`)
.catch(() => {});
if (
!(
await fs.lstat(policyFile).catch(() => null)
)?.isSymbolicLink()
) {
await fs
.copyFile(policyFile, `${policyFile}.bak`)
.catch(() => {});
}
existingData = {};
} else {
// Real filesystem error (e.g. EACCES) — throw to prevent silent failure
@ -787,6 +793,12 @@ export function createPolicyUpdater(
isNodeError(renameError) &&
(renameError.code === 'EXDEV' || renameError.code === 'EBUSY')
) {
if (
(
await fs.lstat(policyFile).catch(() => null)
)?.isSymbolicLink()
)
throw renameError;
await fs.copyFile(tmpFile, policyFile);
await fs.unlink(tmpFile).catch(() => {});
} else {