fix(ng-dev): prevent arbitrary file write via .ng-dev.log symlink#3725
8705ca0 to df1f9f4
Code Review
This pull request updates the external release command arguments from 'set-dist-tag' to 'npm-dist-tag set' and adds a security check in 'ng-dev/utils/logging.ts' to prevent arbitrary file writes via symbolic links. The review feedback correctly identifies a security vulnerability in the new check: 'existsSync' follows symbolic links, meaning the check can be bypassed if the symlink points to a non-existent file. The reviewer suggests calling 'lstatSync' directly and catching 'ENOENT' errors instead, as well as removing the unused 'existsSync' import.
After renaming the npm tagging subcommand, we failed to update the location where the script is called by the main release process.
df1f9f4 to b6e9c56
This PR was merged into the repository. The changes were merged into the following branches:
This PR fixes a security vulnerability where an attacker could create a symbolic link named .ng-dev.log pointing to a sensitive file, causing it to be overwritten when ng-dev runs. The fix ensures that if a symbolic link is detected, execution is aborted.