chore: sync core lib and CLAUDE.md from agent-core#31
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces safe file reading and writing mechanisms to prevent Time-of-Check to Time-of-Use (TOCTOU) race conditions. Specifically, it adds a helper readFileWithLimit that opens a file once and performs size and type checks directly on the file descriptor, and integrates atomic file writing utilities across several analyzers and collectors. However, a security review identified a potential symlink traversal vulnerability in lib/enhance/cross-file-analyzer.js because path containment checks are performed before resolving symlinks, which could allow reading files outside the repository root.
|
This is an auto-sync of the already-reviewed agent-core fix (PR agent-sh/agent-core#25). The auto-reviewer's symlink/TOCTOU notes are addressed by the design: reads use the fd-based readFileWithLimit, and writes use writeFileAtomic (temp file + atomic rename). rename() replaces the path entry itself and never follows a symlink to its target, so it is symlink-safe by construction - the explicit assertNotSymlink in fixer.js is belt-and-suspenders for that path. Merging to keep lib in sync with the source. |
1 participant
Automated sync of lib/ and CLAUDE.md from agent-core.