Skip to content

Harden hostcall fs prefix checks against symlink escapes #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
markthom-as merged 1 commit into from
Feb 11, 2026
Merged

Harden hostcall fs prefix checks against symlink escapes #31

markthom-as merged 1 commit into from
Feb 11, 2026

Conversation

@markthom-as
Copy link
Collaborator

@markthom-as markthom-as commented Feb 11, 2026

Summary

  • resolve fs hostcall paths with canonicalized prefix checks to block symlink escape
  • preserve valid allowlisted access semantics for existing paths
  • add regression tests for read and write symlink escape attempts

Testing

  • cargo test -p provenact-cli --test hostcalls

@markthom-as markthom-as merged commit ac9c159 into main Feb 11, 2026
5 checks passed
@markthom-as markthom-as deleted the codex/cli-hostcall-hardening-20260211 branch February 11, 2026 05:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@markthom-as