chore: sync core lib and CLAUDE.md from agent-core#47
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces safer file reading and writing mechanisms to mitigate Time-of-Check to Time-of-Use (TOCTOU) race conditions and symlink-related vulnerabilities. It adds a new utility readFileWithLimit in lib/utils/fs-safe.js and integrates it alongside atomic write operations across various collectors and analyzers. Feedback on these changes suggests logging unexpected errors as warnings when loading configurations to improve debuggability, and implementing symbolic link checks in docs-analyzer.js and prompt-analyzer.js to prevent improper link resolution (CWE-59) and maintain consistency with other modules.
|
This is an auto-sync of the already-reviewed agent-core fix (PR agent-sh/agent-core#25). The auto-reviewer's symlink/TOCTOU notes are addressed by the design: reads use the fd-based readFileWithLimit, and writes use writeFileAtomic (temp file + atomic rename). rename() replaces the path entry itself and never follows a symlink to its target, so it is symlink-safe by construction - the explicit assertNotSymlink in fixer.js is belt-and-suspenders for that path. Merging to keep lib in sync with the source. |
1 participant
Automated sync of lib/ and CLAUDE.md from agent-core.