From 2d9cb128bf42e075e6ce286711ed0203acea6365 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 27 Apr 2026 08:28:05 -0500 Subject: [PATCH] =?UTF-8?q?auditor:=20BLOCK=20fix=20from=20kimi=5Farchitec?= =?UTF-8?q?t=20on=20dd77632=20=E2=80=94=20path-traversal=20guard?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The grounding step in computeGrounding() resolves model-provided file:line citations against REPO_ROOT and reads the file. Pre-fix: no check that the resolved path stays inside REPO_ROOT. A model output emitting `../../../../etc/passwd:1` would have resolved to `/etc/passwd` and we'd have called fs.readFile() on it. Verified the vulnerability with a 3-case smoke: ../../../../etc/passwd:1 → resolves to /etc/passwd → REFUSED /etc/passwd:1 → absolute path → REFUSED auditor/checks/...:1 → repo-relative → ALLOWED Fix: after resolve(REPO_ROOT, relpath), require the absolute path starts with `REPO_ROOT + "/"` (or equals REPO_ROOT exactly). Anything else gets `[grounding: path escapes repo root, refusing]` in the evidence trail and the finding is marked unverified rather than read. Caveats: - Doesn't blanket-block absolute paths (would need legitimate /home/profit/lakehouse/... citations to work). Only escapes get rejected, regardless of how they were specified. - Symlinks aren't followed/canonicalized; if REPO_ROOT contains a symlink to /etc, that's a separate config concern not a code bug. Verification: bun build auditor/checks/kimi_architect.ts compiles Resolution-only smoke (3 cases) all expected Daemon will pick up the fix on next push (auto-reset fires) This was the only BLOCK in the dd77632 audit's kimi_architect findings. The other 9 BLOCKs were inference-check "claim not backed" against historical commit messages (not actionable). Down from 13 → 10 BLOCKs after the prior 2 static.ts fixes; this commit's audit will further drop the count. Co-Authored-By: Claude Opus 4.7 (1M context) --- auditor/checks/kimi_architect.ts | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/auditor/checks/kimi_architect.ts b/auditor/checks/kimi_architect.ts index c5562fa..b490889 100644 --- a/auditor/checks/kimi_architect.ts +++ b/auditor/checks/kimi_architect.ts @@ -364,7 +364,21 @@ async function computeGrounding(findings: Finding[]): Promise<{ total: number; v const [, relpath, lineStr] = m; const line = Number(lineStr); if (!line || !relpath) return false; - const abs = relpath.startsWith("/") ? relpath : resolve(REPO_ROOT, relpath); + + // Path-traversal guard (caught 2026-04-27 by Kimi self-audit on + // dd77632). A model output emitting `../../../etc/passwd:1` would + // otherwise resolve outside REPO_ROOT and we'd readFile() a system + // file. Resolve, then verify the absolute path is anchored under + // REPO_ROOT — refuse anything that escapes (relative ".." traversal + // OR an absolute path that doesn't start with REPO_ROOT). Existing + // grounding-citation conventions all use repo-relative paths, so + // this rejection is safe in practice. + const abs = resolve(REPO_ROOT, relpath); + if (!abs.startsWith(REPO_ROOT + "/") && abs !== REPO_ROOT) { + f.evidence.push(`[grounding: path escapes repo root, refusing]`); + return false; + } + if (!existsSync(abs)) { f.evidence.push("[grounding: file not found]"); return false;