Describe the bug
Filepicker at tui/filepicker.go:94 uses os.Stat() without checking symlinks. Attacker could create symlinks to read arbitrary directories.
To reproduce
- Create symlink: ln -s /etc/passwd ~/.config/matcha/link
- Navigate to symlink path via filepicker
- Contents of /etc exposed
Expected behavior
Use os.Lstat() to detect symlinks, or explicitly follow only safe links
Matcha version
master
OS
Unix-like
Additional context
File: tui/filepicker.go line 94
Security: symlink directory traversal
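
One way to apply the expected behavior above, as an added example (not Matcha's code and not part of the report): `os.Lstat` reports whether the entry itself is a symlink, and the entry is accepted only if its fully resolved target stays under an allowed root. The names `statInRoot`, `ErrOutsideRoot` and `demo`, and the idea of confining the picker to a single root directory, are assumptions made for illustration; the directory tree in `demo` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path resolves outside allowed root")

// statInRoot is a hypothetical helper. It returns the resolved path and whether
// the entry is a symlink, and rejects entries whose target leaves root. A later
// open can still race with this check, so open the resolved path it returns.
func statInRoot(root, path string) (resolved string, isLink bool, err error) {
	li, err := os.Lstat(path) // does not follow a symlink in the final component
	if err != nil {
		return "", false, err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", false, err
	}
	resolved, err = filepath.EvalSymlinks(path) // also resolves links in parent dirs
	if err != nil {
		return "", false, err
	}
	rel, err := filepath.Rel(realRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false, fmt.Errorf("%w: %s -> %s", ErrOutsideRoot, path, resolved)
	}
	return resolved, li.Mode()&os.ModeSymlink != 0, nil
}

// demo builds a constructed tree: root/in links inside root, root/out leaves it.
func demo() (inErr, outErr error) {
	base, _ := os.MkdirTemp("", "picker")
	defer os.RemoveAll(base)
	root := filepath.Join(base, "root")
	os.MkdirAll(filepath.Join(root, "docs"), 0o700)
	os.Symlink(filepath.Join(root, "docs"), filepath.Join(root, "in"))
	os.Symlink(base, filepath.Join(root, "out"))
	_, _, inErr = statInRoot(root, filepath.Join(root, "in"))
	_, _, outErr = statInRoot(root, filepath.Join(root, "out"))
	return inErr, outErr
}

func main() { fmt.Println(demo()) }
```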