fix: harden filesystem trust boundaries

2026-03-15 08:39:22 +01:00
parent 226f10c2a6
commit fe07e07215
20 changed files with 630 additions and 124 deletions
--- a/tools/scripts/tests/test_fix_skills_metadata_security.py
+++ b/tools/scripts/tests/test_fix_skills_metadata_security.py
@@ -0,0 +1,36 @@
+import sys
+import tempfile
+import unittest
+from pathlib import Path
+
+
+TOOLS_SCRIPTS_DIR = Path(__file__).resolve().parents[1]
+if str(TOOLS_SCRIPTS_DIR) not in sys.path:
+    sys.path.insert(0, str(TOOLS_SCRIPTS_DIR))
+
+import fix_skills_metadata
+
+
+class FixSkillsMetadataSecurityTests(unittest.TestCase):
+    def test_skips_symlinked_skill_markdown(self):
+        with tempfile.TemporaryDirectory() as temp_dir:
+            root = Path(temp_dir)
+            skill_dir = root / "safe-skill"
+            outside_dir = root / "outside"
+            skill_dir.mkdir()
+            outside_dir.mkdir()
+
+            target = outside_dir / "SKILL.md"
+            target.write_text("---\nname: outside\n---\nbody\n", encoding="utf-8")
+            (skill_dir / "SKILL.md").symlink_to(target)
+
+            fix_skills_metadata.fix_skills(root)
+
+            self.assertEqual(
+                target.read_text(encoding="utf-8"),
+                "---\nname: outside\n---\nbody\n",
+            )
+
+
+if __name__ == "__main__":
+    unittest.main()