Harden branding image symlink check to cover ancestor directories #3261
The previous check only tested the image file itself for symlinks. ValidateFileAccess also walks parent directories up to the doc root, rejecting symlinked or hidden intermediate directories that could be used to escape the documentation source tree.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Why
The previous symlink check on branding.icon and branding.og-image only tested whether the image file itself was a symlink. A symlinked parent directory (e.g. assets/ → /etc/) would pass the check and allow an attacker to read arbitrary files outside the documentation source directory.

However, we still validate the file itself is an image.
What
Replaces the bare resolved.LinkTarget is not null check with ValidateFileAccess, which walks ancestor directories up to the doc root and rejects any symlinked or hidden intermediate directory — the same protection already used for docset.yml and toc.yml.
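
The ancestor walk described above, as an added C# example that is not the project's ValidateFileAccess or any code from this PR. The helper name RejectionReason and the temp-directory tree are hypothetical and constructed here; it assumes .NET 7 or later and a process that is allowed to create symlinks.

```csharp
using System;
using System.IO;

// Constructed demo tree: a real images/ directory and an assets/ link that leaves the root.
var root = Directory.CreateTempSubdirectory("docs-").FullName;
var outside = Directory.CreateTempSubdirectory("outside-").FullName;
File.WriteAllText(Path.Combine(outside, "secret.png"), "not part of the docs");
Directory.CreateDirectory(Path.Combine(root, "images"));
File.WriteAllText(Path.Combine(root, "images", "logo.png"), "png bytes");
Directory.CreateSymbolicLink(Path.Combine(root, "assets"), outside);

foreach (var p in new[] { "images/logo.png", "assets/secret.png", "../escape.png" })
    Console.WriteLine($"{p}: {RejectionReason(root, p) ?? "ok"}");

// Hypothetical helper: returns null when the path is acceptable, else the reason for rejection.
static string? RejectionReason(string docRoot, string candidate)
{
    var root = Path.TrimEndingDirectorySeparator(Path.GetFullPath(docRoot));
    var full = Path.GetFullPath(Path.Combine(root, candidate));

    // Lexical containment: ".." segments or an absolute path must not leave the doc root.
    var rel = Path.GetRelativePath(root, full);
    if (rel == ".." || Path.IsPathRooted(rel)
        || rel.StartsWith(".." + Path.DirectorySeparatorChar, StringComparison.Ordinal))
        return "outside doc root";

    // File-only check: a symlinked parent directory passes this one.
    var file = new FileInfo(full);
    if (file.LinkTarget is not null)
        return "file is a symlink";

    // Walk each ancestor directory from the file up to (not including) the doc root.
    for (var dir = file.Directory; dir is not null; dir = dir.Parent)
    {
        if (Path.TrimEndingDirectorySeparator(dir.FullName) == root)
            return null; // reached the root without meeting a link or hidden directory
        if (dir.LinkTarget is not null)
            return $"symlinked directory: {dir.Name}";
        if (dir.Name.StartsWith('.'))
            return $"hidden directory: {dir.Name}";
    }
    return "outside doc root";
}
```

The walk inspects each path component without following links, so the linked assets/ directory is rejected even though secret.png is a regular file that the file-only check accepts.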