chore: sync core lib and CLAUDE.md from agent-core#375
Code Review
This pull request introduces a new utility, readFileWithLimit, to safely read files and prevent TOCTOU (Time-of-Check to Time-of-Use) races by performing size and type checks directly on the file descriptor. It also integrates atomic write utilities across several analyzers. The feedback highlights potential symlink traversal vulnerabilities in docs-analyzer.js and prompt-analyzer.js where assertNotSymlink should be called before reading files to prevent arbitrary file disclosure. Additionally, it is recommended to update the JSDoc for readFileWithLimit to clarify that it does not prevent opening pre-existing symlinks.
This is an auto-sync of the already-reviewed agent-core fix (PR agent-sh/agent-core#25). The auto-reviewer's symlink/TOCTOU notes are addressed by the design: reads use the fd-based readFileWithLimit, and writes use writeFileAtomic (temp file + atomic rename). rename() replaces the path entry itself and never follows a symlink to its target, so it is symlink-safe by construction - the explicit assertNotSymlink in fixer.js is belt-and-suspenders for that path. Merging to keep lib in sync with the source.
Automated sync of lib/ and CLAUDE.md from agent-core.
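The two behaviours discussed in this thread (size and type checks on the file descriptor, and rename() replacing a symlink instead of following it) can be observed with the sketch below. It is an added example, not code from agent-core or this pull request: `readRegularFileBounded`, `writeAtomic` and `demo` are hypothetical names, the files are constructed in a temp directory, and POSIX semantics are assumed (on Linux, opening a symlink with `O_NOFOLLOW` fails with `ELOOP`).

```javascript
// Added example; readRegularFileBounded and writeAtomic are hypothetical names.
const fs = require('node:fs'), os = require('node:os'), path = require('node:path');

// All checks run on the open descriptor: the object checked is the object read.
function readRegularFileBounded(filePath, maxBytes) {
  // O_NOFOLLOW (POSIX; undefined on Windows) rejects a symlink as the last path component only.
  const fd = fs.openSync(filePath, fs.constants.O_RDONLY | (fs.constants.O_NOFOLLOW || 0));
  try {
    const st = fs.fstatSync(fd);
    if (!st.isFile()) throw new Error('not a regular file');
    if (st.size > maxBytes) throw new Error('file exceeds limit');
    // Ask for one extra byte so growth after fstat is caught, not trusted.
    const buf = Buffer.alloc(maxBytes + 1);
    let total = 0, n;
    do {
      n = fs.readSync(fd, buf, total, buf.length - total, null);
      total += n;
    } while (n > 0 && total < buf.length);
    if (total > maxBytes) throw new Error('file exceeds limit');
    return buf.toString('utf8', 0, total);
  } finally {
    fs.closeSync(fd);
  }
}

// Temp file beside the target, then rename over it. rename() replaces the
// directory entry, so a symlink at destPath is replaced rather than followed.
function writeAtomic(destPath, data) {
  const tmp = `${destPath}.${process.pid}.${Date.now()}.tmp`;
  fs.writeFileSync(tmp, data, { flag: 'wx', mode: 0o600 }); // wx = O_CREAT|O_EXCL
  fs.renameSync(tmp, destPath);
}

// Constructed scenario in a throwaway temp dir: report.md -> secret.txt.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'fdread-'));
  const secret = path.join(dir, 'secret.txt'), link = path.join(dir, 'report.md');
  fs.writeFileSync(secret, 'outside-target');
  fs.symlinkSync(secret, link);
  const out = {};
  try { out.linkRead = readRegularFileBounded(link, 1024); } catch (e) { out.linkRead = e.code; }
  writeAtomic(link, 'new report');
  out.stillSymlink = fs.lstatSync(link).isSymbolicLink();
  out.secretAfter = fs.readFileSync(secret, 'utf8');
  out.report = readRegularFileBounded(link, 1024);
  try { readRegularFileBounded(link, 4); } catch (e) { out.tooBig = e.message; }
  fs.rmSync(dir, { recursive: true, force: true });
  return out;
}
```

Without the `O_NOFOLLOW` flag, the same fd-based checks would pass for a pre-existing symlink that points at a small regular file, which is the gap the review comment asks the JSDoc to state.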