fix(security): harden skill apply and activation flows

Restrict auto-apply to trusted review comments so spoofed issue comments cannot write optimized SKILL.md content into pull request branches. Reject activation symlinks that escape the source root and add regression coverage for both security checks.
2026-03-26 13:23:54 +01:00
parent b8684488ab
commit bc49ceec90
5 changed files with 161 additions and 12 deletions
--- a/scripts/activate-skills.sh
+++ b/scripts/activate-skills.sh
@@ -26,6 +26,10 @@ find_copy_dirs() {
  mkdir -p "$dest_dir"

  while IFS= read -r -d '' item; do
+    if [[ -L "$item" ]] && ! is_safe_dir_symlink "$src_dir" "$item"; then
+      echo "  ! Skipping unsafe symlink outside source root: $(basename "$item")"
+      continue
+    fi
    cp -RP "$item" "$dest_dir/"
  done < <(find "$src_dir" -mindepth 1 -maxdepth 1 \( -type d -o -type l \) -print0 2>/dev/null)
 }
@@ -60,6 +64,39 @@ resolve_python() {
  return 1
 }

+is_safe_dir_symlink() {
+  local root_dir="$1"
+  local item="$2"
+  local python_path=""
+
+  if ! python_path="$(resolve_python 2>/dev/null)"; then
+    return 1
+  fi
+
+  "$python_path" - "$root_dir" "$item" <<'PY'
+from pathlib import Path
+import sys
+
+root_dir = Path(sys.argv[1]).resolve()
+item = Path(sys.argv[2])
+
+try:
+    target = item.resolve(strict=True)
+except FileNotFoundError:
+    raise SystemExit(1)
+
+if not target.is_dir():
+    raise SystemExit(1)
+
+try:
+    target.relative_to(root_dir)
+except ValueError:
+    raise SystemExit(1)
+
+raise SystemExit(0)
+PY
+}
+
 is_safe_skill_id() {
  [[ "$1" =~ ^[A-Za-z0-9._-]+$ ]]
 }