Security: model method run writes outputs through symlinks

[stack72]

Summary

When .swamp/outputs is replaced with a symlink pointing to an attacker-controlled directory, swamp model method run follows the symlink and writes output data to the external directory. This allows an attacker with write access to the .swamp/ directory to exfiltrate model outputs to arbitrary filesystem locations.

Reproduction

swamp init
swamp model create command/shell test-model
swamp model method run test-model execute  # creates .swamp/outputs/

# Replace outputs dir with symlink
rm -rf .swamp/outputs
ln -s /tmp/attacker-dir .swamp/outputs

swamp model method run test-model execute
ls /tmp/attacker-dir  # contains output files (~1966 bytes written)

Expected Behavior

Before writing to any path under .swamp/, swamp should verify the target is not a symlink pointing outside the repository boundary. If a symlink is detected, the operation should fail with a clear error rather than following it.

Impact

Output data (which may contain resolved secrets or sensitive computation results) can be written to attacker-controlled locations.

Context

Discovered via adversarial security boundary tests in swamp-uat (systeminit/swamp-uat#39).

[stack72]

Investigation

Confirmed this is a legitimate vulnerability. Here's the detailed analysis:

Root Cause

When swamp model method run writes output logs, the code path does not validate symlinks:

1. src/cli/commands/model_method_run.ts constructs the output path under .swamp/outputs/{modelType}/{methodName}/{id}-{timestamp}.log
2. src/infrastructure/logging/run_file_sink.ts creates directories with Deno.mkdir(dir, { recursive: true }) and opens the file with Deno.open(filePath, { write: true, create: true, truncate: true }) — neither operation checks for symlinks before proceeding

Existing Protections Don't Cover This

Swamp does have path traversal protection via assertPathContained() in UnifiedDataRepository and SymlinkRepoIndexService, but:

• It uses resolve() which only normalizes paths syntactically — it does not call Deno.realpath() to follow symlinks
• It's only applied to data repository paths and index symlink creation, not to the output logging path
• The atomic write mechanism (src/infrastructure/persistence/atomic_write.ts) has the same gap — Deno.rename() follows symlinks on most filesystems

Fix Strategy

1. Add Deno.realpath() validation before opening output files to ensure the resolved path stays within the expected .swamp/outputs/ subtree
2. Extend the existing assertPathContained() pattern to use realpath() instead of resolve()
3. Apply the same validation to directory creation calls
4. Add tests for symlink-based path traversal attacks on the output path

[stack72]

Fix Plan

Since this is a security issue, the fix will comprehensively protect all write paths across the codebase — not just the outputs path described in the reproduction.

Approach

Create a shared assertSafePath() utility that uses Deno.realPath() to resolve symlinks, then verifies the resolved path stays within the repository boundary. Integrate it at every location that writes under .swamp/.

The existing lexical assertPathContained() checks (preventing ../ in user-supplied names) are kept as defense-in-depth. The symlink check is in addition to those.

New utility: src/infrastructure/persistence/safe_path.ts

• assertSafePath(path, boundary) — resolves all symlinks in path via Deno.realPath(), verifies it stays within boundary
• For non-existent paths (new version dirs, etc.): walks up to the nearest existing ancestor, resolves that, then appends remaining segments
• Throws PathTraversalError with a clear message on violation

Write paths being protected

Component	File	Boundary
Data versions	unified_data_repository.ts	.swamp/data
Method outputs	yaml_output_repository.ts	.swamp/outputs
Run log files	run_file_sink.ts	.swamp/logs
Definitions	yaml_definition_repository.ts	.swamp/definitions
Evaluated definitions	yaml_evaluated_definition_repository.ts	.swamp/definitions-evaluated
Workflows	yaml_workflow_repository.ts	.swamp/workflows
Evaluated workflows	yaml_evaluated_workflow_repository.ts	.swamp/workflows-evaluated
Workflow runs	yaml_workflow_run_repository.ts	.swamp/workflow-runs
Vault configs	yaml_vault_config_repository.ts	.swamp/vault
Encrypted secrets	local_encryption_vault_provider.ts	.swamp/secrets
Telemetry	json_telemetry_repository.ts	.swamp/telemetry
Bundle cache	user_model_loader.ts	.swamp/bundles
Repo index symlinks	symlink_repo_index_service.ts	repo root

Out of scope

• auth_repository.ts and user_identity_repository.ts — these write to ~/.config/swamp/, not the repo .swamp/ directory. Different threat model.

TOCTOU note

There is an inherent TOCTOU (time-of-check-time-of-use) gap between the assertSafePath check and the actual write. This is the standard industry pattern — complete elimination would require kernel-level O_NOFOLLOW support not available through Deno's API. The check dramatically raises the bar for exploitation.

[stack72]

Fixed — swamp-uat PR systeminit/swamp-uat#39 now passes all 16 security boundary tests against the latest stable binary.