
Harden replay path resolution #150

Merged
AlexanderOnischenko merged 2 commits into feature/tracer from codex/implement-file-resource-validation-in-replay
Feb 8, 2026

Conversation

@AlexanderOnischenko
Owner

Motivation

  • Prevent replay code from reading or writing files outside the intended fixture roots by enforcing POSIX-relative paths and blocking escapes, absolute paths, parent traversal, and symlink-based escapes.
  • Remove accidental non-hermetic behavior where base_dir is None allowed resolving arbitrary local paths.

Description

  • Require base_dir in ReplayContext.resolve_resource_path and raise ValueError when it is not provided, and when an absolute resource_path is supplied.
  • Add safe_join_under_validated(root, rel_path: Path) and keep safe_join_under(root, rel_posix: str) to avoid duplicate validation while still ensuring a joined path does not escape root.
  • Update ReplayContext.resolve_resource_path to validate the POSIX-relative resource with validate_run_relative_posix and to use safe_join_under_validated for all resolved locations (direct resources/ paths and fixture lookups).
  • Update copy_resource_files in src/fetchgraph/replay/export.py to validate and use safe_join_under_validated for both source (run_dir) and destination (out_dir) lookups to avoid writing outside expected roots.
  • Export the new helper via __all__ in fetchgraph.utils.path_layout and clean up double-validation patterns.
  • Add tests in tests/test_replay_runtime.py covering base_dir requirement, absolute path rejection, parent-traversal rejection, allowed inside-base resolution, and symlink escape rejection.

Testing

  • Ran pytest tests/test_replay_runtime.py and all tests passed: 7 passed (no failures).

Codex Task
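The confinement rules the description lists (a non-empty relative POSIX path, no absolute path, no parent segment, and a resolved target that must stay under the root so a symlink inside the run directory cannot point outside it), as an added example that is not fetchgraph's own code; the function names and the exact rules are assumptions, and the fixture tree is constructed in a temporary directory:

```python
# Added example (not fetchgraph's own code): a confinement check in the spirit
# of the validate_run_relative_posix / safe_join_under pair this PR describes.
# Names and the exact rules are assumptions.
import tempfile
from pathlib import Path, PurePosixPath

def validate_run_relative_posix(rel_posix: str) -> PurePosixPath:
    """Accept only a non-empty relative POSIX path with no '..' segments."""
    if not rel_posix or "\x00" in rel_posix or "\\" in rel_posix:
        raise ValueError(f"invalid resource path: {rel_posix!r}")
    rel = PurePosixPath(rel_posix)
    if rel.is_absolute():
        raise ValueError(f"absolute resource path rejected: {rel_posix!r}")
    if ".." in rel.parts:  # pathlib already drops '.' segments
        raise ValueError(f"parent traversal rejected: {rel_posix!r}")
    return rel

def safe_join_under(root: Path, rel_posix: str) -> Path:
    """Join under root and require the *resolved* target to stay inside root."""
    rel = validate_run_relative_posix(rel_posix)
    root_resolved = root.resolve()
    # Resolving (strict=False, so a not-yet-written export target is fine)
    # follows any symlink in the prefix; lexical checks alone cannot see that.
    target = root_resolved.joinpath(*rel.parts).resolve()
    try:
        target.relative_to(root_resolved)
    except ValueError:
        raise ValueError(f"{rel_posix!r} escapes {root}") from None
    return target

def demo() -> dict:
    """Constructed fixture tree with one symlink pointing outside the run dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "run"
        (root / "resources").mkdir(parents=True)
        (root / "resources" / "ok.txt").write_text("fixture")
        outside = Path(tmp) / "outside"
        outside.mkdir()
        (root / "resources" / "link").symlink_to(outside, target_is_directory=True)
        for rel in ("resources/ok.txt", "/abs/file", "../outside/x", "resources/link/x"):
            try:
                safe_join_under(root, rel)
                results[rel] = "accepted"
            except ValueError:
                results[rel] = "rejected"
    return results
```

Only the in-root file is accepted; the absolute path and the parent traversal fail the lexical checks, and the symlink case passes them but fails the containment check on the resolved path.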

@AlexanderOnischenko
Owner Author

@codex, please review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Chef's kiss.


@AlexanderOnischenko AlexanderOnischenko merged commit b6a58fc into feature/tracer Feb 8, 2026
1 check passed
@AlexanderOnischenko AlexanderOnischenko deleted the codex/implement-file-resource-validation-in-replay branch February 8, 2026 08:22