fix(security): Phase 1 — symlink bypass, command injection, server auth, sensitive files#26
Merged
fix(security): Phase 1 — symlink bypass, command injection, server auth, sensitive files#26
Conversation
S1 (CRITICAL): Filesystem.contains() symlink bypass - Added realpathSync() resolution before lexical path check - Symlinks pointing outside project are now correctly rejected - Falls back to lexical check for non-existent files (write tool) S2 (HIGH): exec() command injection in github.ts - Replaced exec(shellString) with spawn(cmd, args) argument array - No shell interpolation possible S4 (MED): Server unauthenticated on non-loopback - Server.listen() throws if binding to non-loopback without OPENCODE_SERVER_PASSWORD set S5 (MED): Read tool exposes sensitive files - Added deny-list (SENSITIVE_PATTERNS + SENSITIVE_DIRS) for .env, credentials, keys, .aws, .ssh, etc. - Sensitive files use always:[] (forces permission prompt every time) - Non-sensitive files keep always:["*"] (existing behavior) S3 (HIGH): Workspace trust — partial mitigation - Added warning log when loading workspace .opencode/ config - Full trust prompt (VS Code model) planned for future PR 13 security regression tests added (2 test files). 1486 tests passing, 0 tsgo errors.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Phase 1: Security Fixes
Fixes 4 of 5 security issues (S1, S2, S4, S5). S3 partially mitigated with warning log.
These fixes address vulnerabilities originally reported by upstream OpenCode community members. Full credit to the original reporters and PR authors below.
S1: Filesystem.contains() symlink bypass (CRITICAL) — FIXED
realpathSync()resolution before lexical path check inutil/filesystem.tsOriginal report: anomalyco/opencode#8313 by mluckydream
Related fix PR: anomalyco/opencode#14581 by Nicoo01x (cross-drive path bypass on Windows)
Also related: anomalyco/opencode#14579 by mluckydream (cross-drive bypass)
Also related: anomalyco/opencode#11703 (path traversal in file tools)
S2: exec() command injection (HIGH) — FIXED
exec(shellString)withspawn(cmd, [url])incli/cmd/github.tsOriginal report: anomalyco/opencode#17350 by kvenux
Related fix PR: anomalyco/opencode#17346 by kvenux (sanitize CLI command args)
Also related: anomalyco/opencode#6948 by RinZ27 (harden BashTool command parsing)
S4: Server auth on non-loopback (MED) — FIXED
Server.listen()throws if binding to non-loopback withoutOPENCODE_SERVER_PASSWORDOriginal report: anomalyco/opencode#10973
Also related: anomalyco/opencode#6355 by Mishkun (RCE via CORS + no auth)
CVE: CVE-2026-22812 (CVSS 8.8) reported by CyberShadow
Related fix PR: anomalyco/opencode#10974 by MaxMiksa (guard TUI server exposure)
Also related: anomalyco/opencode#14568 by judepereira (remove SERVER_PASSWORD from env after read)
S5: Read tool sensitive files (MED) — FIXED
.env*,secrets.json,credentials.json,.netrc,*.pem,*.key,.aws/,.ssh/,.gnupg/,.kube/always: [](forces permission prompt every time)always: ["*"](existing behavior preserved)Original report: anomalyco/opencode#12196 by cupton-paa
Related fix PR: anomalyco/opencode#14108 by edevil (strip env var assignments from bash permissions)
S3: Workspace trust (HIGH) — PARTIALLY MITIGATED
.opencode/configOriginal reports:
Test plan
bun run typecheck(tsgo) — 0 errorsbun test— 1486 pass, 0 fail (13 new security tests)contains()returns false.env,.pem,.aws/credentialsdetected.envpermission tests still pass (10 tests)