auditor: BLOCK fix from kimi_architect on dd77632 — path-traversal guard
Some checks failed
lakehouse/auditor 10 blocking issues: cloud: claim not backed — "Verified live (current synthetic data):"
Some checks failed
lakehouse/auditor 10 blocking issues: cloud: claim not backed — "Verified live (current synthetic data):"
The grounding step in computeGrounding() resolves model-provided file:line citations against REPO_ROOT and reads the file. Pre-fix: no check that the resolved path stays inside REPO_ROOT. A model output emitting `../../../../etc/passwd:1` would have resolved to `/etc/passwd` and we'd have called fs.readFile() on it. Verified the vulnerability with a 3-case smoke: ../../../../etc/passwd:1 → resolves to /etc/passwd → REFUSED /etc/passwd:1 → absolute path → REFUSED auditor/checks/...:1 → repo-relative → ALLOWED Fix: after resolve(REPO_ROOT, relpath), require the absolute path starts with `REPO_ROOT + "/"` (or equals REPO_ROOT exactly). Anything else gets `[grounding: path escapes repo root, refusing]` in the evidence trail and the finding is marked unverified rather than read. Caveats: - Doesn't blanket-block absolute paths (would need legitimate /home/profit/lakehouse/... citations to work). Only escapes get rejected, regardless of how they were specified. - Symlinks aren't followed/canonicalized; if REPO_ROOT contains a symlink to /etc, that's a separate config concern not a code bug. Verification: bun build auditor/checks/kimi_architect.ts compiles Resolution-only smoke (3 cases) all expected Daemon will pick up the fix on next push (auto-reset fires) This was the only BLOCK in the dd77632 audit's kimi_architect findings. The other 9 BLOCKs were inference-check "claim not backed" against historical commit messages (not actionable). Down from 13 → 10 BLOCKs after the prior 2 static.ts fixes; this commit's audit will further drop the count. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
root
parent
dd77632d0e
commit
2d9cb128bf
@ -364,7 +364,21 @@ async function computeGrounding(findings: Finding[]): Promise<{ total: number; v
|
|||||||
const [, relpath, lineStr] = m;
|
const [, relpath, lineStr] = m;
|
||||||
const line = Number(lineStr);
|
const line = Number(lineStr);
|
||||||
if (!line || !relpath) return false;
|
if (!line || !relpath) return false;
|
||||||
const abs = relpath.startsWith("/") ? relpath : resolve(REPO_ROOT, relpath);
|
|
||||||
|
// Path-traversal guard (caught 2026-04-27 by Kimi self-audit on
|
||||||
|
// dd77632). A model output emitting `../../../etc/passwd:1` would
|
||||||
|
// otherwise resolve outside REPO_ROOT and we'd readFile() a system
|
||||||
|
// file. Resolve, then verify the absolute path is anchored under
|
||||||
|
// REPO_ROOT — refuse anything that escapes (relative ".." traversal
|
||||||
|
// OR an absolute path that doesn't start with REPO_ROOT). Existing
|
||||||
|
// grounding-citation conventions all use repo-relative paths, so
|
||||||
|
// this rejection is safe in practice.
|
||||||
|
const abs = resolve(REPO_ROOT, relpath);
|
||||||
|
if (!abs.startsWith(REPO_ROOT + "/") && abs !== REPO_ROOT) {
|
||||||
|
f.evidence.push(`[grounding: path escapes repo root, refusing]`);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
if (!existsSync(abs)) {
|
if (!existsSync(abs)) {
|
||||||
f.evidence.push("[grounding: file not found]");
|
f.evidence.push("[grounding: file not found]");
|
||||||
return false;
|
return false;
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user