Skip to content

fix(ln): allow symlinks in ReadWrite RealFs mounts#1251

Merged
chaliy merged 1 commit intomainfrom
fix/issue-1158-symlink-support
Apr 13, 2026
Merged

fix(ln): allow symlinks in ReadWrite RealFs mounts#1251
chaliy merged 1 commit intomainfrom
fix/issue-1158-symlink-support

Conversation

@chaliy
Copy link
Copy Markdown
Contributor

@chaliy chaliy commented Apr 13, 2026

Summary

  • Symlink creation was unconditionally blocked in RealFs (sandbox security)
  • Now allowed in ReadWrite mode with containment checks:
    • Absolute targets are rejected (would always escape mount root)
    • Relative targets are validated to resolve within mount root on disk
  • Fixed PosixFs normalizing symlink targets (converted relative → absolute, breaking containment)

Test plan

  • Absolute symlink escape (/etc/passwd) is blocked
  • Relative symlink escape (../../../../etc/passwd) is blocked
  • Relative symlink within mount succeeds
  • All 25 realfs tests pass
  • All 15 spec test suites pass
  • cargo clippy clean

Closes #1158

@chaliy
fix(ln): allow symlinks in ReadWrite RealFs mounts
dfdfc1e 
Symlink creation was unconditionally blocked in RealFs. Now allowed
in ReadWrite mode with containment checks: absolute targets are
rejected, relative targets are validated to resolve within the mount
root on disk. PosixFs no longer normalizes symlink targets (which
would convert relative paths to absolute, breaking containment).

Closes #1158
@chaliy chaliy merged commit 20a404a into main Apr 13, 2026
27 checks passed
@chaliy chaliy deleted the fix/issue-1158-symlink-support branch April 13, 2026 11:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

fix(ln): ln -s blocked by RealFs sandbox — no symlink support

1 participant

@chaliy