Skip to content

fix: constrain extractFile reads to the unpacked directory#451

Merged
MarshallOfSound merged 1 commit into
mainfrom
fix/extractfile-unpacked-path-containment
Jun 29, 2026
Merged

fix: constrain extractFile reads to the unpacked directory#451
MarshallOfSound merged 1 commit into
mainfrom
fix/extractfile-unpacked-path-containment

Conversation

@claude

@claude claude Bot commented Jun 28, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Requested by Samuel Attard · Slack thread

Before

When reading an unpacked file, extractFile (via readFileWithFd) joined the requested filename onto <root>.unpacked with path.join and no containment check. A filename containing .. segments could therefore resolve to a path outside the .unpacked directory, causing the read to land somewhere it shouldn't.

After

Reads are now constrained to the .unpacked directory. A filename that resolves outside it throws instead of reading the out-of-bounds path. This brings readFileWithFd in line with readFileSync, which already routed its unpacked read through the containment check.

How

readFileWithFd now resolves the target through the existing ensureWithin(base, filename) helper (where base = ${filesystem.getRootPath()}.unpacked``), the same helper readFileSync already uses. `ensureWithin` resolves the path with `path.resolve` and throws when the result is neither equal to the base nor under `base + path.sep`. Both unpacked-read call sites now go through this single helper.

Added tests in test/disk-spec.ts covering both readFileSync and readFileWithFd: each reads a normal file within .unpacked successfully, and each throws when given a ..-containing filename that resolves outside the unpacked directory.

🤖 Generated with Claude Code

https://claude.ai/code/session_0155o3ELzXMVngciL3ZsqXgA

@claude
fix: constrain extractFile reads to the unpacked directory
08b406b 
readFileWithFd joined the requested filename onto the `<root>.unpacked`
directory without checking containment, so a filename containing `..`
segments could resolve to a path outside that directory. Route the read
through the existing ensureWithin helper (matching readFileSync) so reads
are constrained to the unpacked directory and an escaping filename throws.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0155o3ELzXMVngciL3ZsqXgA
@MarshallOfSound MarshallOfSound marked this pull request as ready for review June 28, 2026 02:59
@MarshallOfSound MarshallOfSound requested a review from a team as a code owner June 28, 2026 03:00
@MarshallOfSound MarshallOfSound merged commit 1f4b01d into main Jun 29, 2026
10 checks passed
@MarshallOfSound MarshallOfSound deleted the fix/extractfile-unpacked-path-containment branch June 29, 2026 18:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ckerr ckerr ckerr approved these changes
@MarshallOfSound MarshallOfSound MarshallOfSound approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ckerr @MarshallOfSound @claude