auditor: BLOCK fix from kimi_architect on dd77632 — path-traversal guard
Some checks failed
lakehouse/auditor 10 blocking issues: cloud: claim not backed — "Verified live (current synthetic data):"
Some checks failed
lakehouse/auditor 10 blocking issues: cloud: claim not backed — "Verified live (current synthetic data):"
The grounding step in computeGrounding() resolves model-provided file:line citations against REPO_ROOT and reads the file. Pre-fix: no check that the resolved path stays inside REPO_ROOT. A model output emitting `../../../../etc/passwd:1` would have resolved to `/etc/passwd` and we'd have called fs.readFile() on it. Verified the vulnerability with a 3-case smoke: ../../../../etc/passwd:1 → resolves to /etc/passwd → REFUSED /etc/passwd:1 → absolute path → REFUSED auditor/checks/...:1 → repo-relative → ALLOWED Fix: after resolve(REPO_ROOT, relpath), require the absolute path starts with `REPO_ROOT + "/"` (or equals REPO_ROOT exactly). Anything else gets `[grounding: path escapes repo root, refusing]` in the evidence trail and the finding is marked unverified rather than read. Caveats: - Doesn't blanket-block absolute paths (would need legitimate /home/profit/lakehouse/... citations to work). Only escapes get rejected, regardless of how they were specified. - Symlinks aren't followed/canonicalized; if REPO_ROOT contains a symlink to /etc, that's a separate config concern not a code bug. Verification: bun build auditor/checks/kimi_architect.ts compiles Resolution-only smoke (3 cases) all expected Daemon will pick up the fix on next push (auto-reset fires) This was the only BLOCK in the dd77632 audit's kimi_architect findings. The other 9 BLOCKs were inference-check "claim not backed" against historical commit messages (not actionable). Down from 13 → 10 BLOCKs after the prior 2 static.ts fixes; this commit's audit will further drop the count. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
root
parent
dd77632d0e
commit
2d9cb128bf
@ -364,7 +364,21 @@ async function computeGrounding(findings: Finding[]): Promise<{ total: number; v
|
||||
const [, relpath, lineStr] = m;
|
||||
const line = Number(lineStr);
|
||||
if (!line || !relpath) return false;
|
||||
const abs = relpath.startsWith("/") ? relpath : resolve(REPO_ROOT, relpath);
|
||||
|
||||
// Path-traversal guard (caught 2026-04-27 by Kimi self-audit on
|
||||
// dd77632). A model output emitting `../../../etc/passwd:1` would
|
||||
// otherwise resolve outside REPO_ROOT and we'd readFile() a system
|
||||
// file. Resolve, then verify the absolute path is anchored under
|
||||
// REPO_ROOT — refuse anything that escapes (relative ".." traversal
|
||||
// OR an absolute path that doesn't start with REPO_ROOT). Existing
|
||||
// grounding-citation conventions all use repo-relative paths, so
|
||||
// this rejection is safe in practice.
|
||||
const abs = resolve(REPO_ROOT, relpath);
|
||||
if (!abs.startsWith(REPO_ROOT + "/") && abs !== REPO_ROOT) {
|
||||
f.evidence.push(`[grounding: path escapes repo root, refusing]`);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!existsSync(abs)) {
|
||||
f.evidence.push("[grounding: file not found]");
|
||||
return false;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user