fix(workspace): close macOS /etc symlink bypass; add /var/folders user-tmp carve-out#1186
Closed
fix(workspace): close macOS /etc symlink bypass; add /var/folders user-tmp carve-out#1186
Conversation
The blocked-roots set was a tuple of literal paths (`/etc`, `/var`, ...).
On macOS those are symlinks to `/private/etc`, `/private/var`, `/private/tmp`.
Every caller resolves user input via `Path(input).resolve()` first — so
the candidate became `/private/etc` while the blocked entry was the literal
`/etc`. `/private/etc.relative_to(/etc)` raises ValueError, the candidate
falls through every blocked-root check, and the route handler accepts
`/etc` as a registered workspace.
This was directly observable as the recurring pre-existing macOS test
failure `test_workspace_add_rejects_system_paths` (POST /api/workspaces/add
with `/etc` returned 200 instead of 400). It was also a real security gap:
`/private/var/log` could be registered as a workspace on macOS, letting
agents read system logs through the carved-out trust path.
Fix: `_workspace_blocked_roots()` now returns BOTH the literal and
symlink-resolved canonical forms, deduped. `Path('/etc').resolve()` is
`/private/etc` on macOS and `/etc` on Linux — so the set self-canonicalises
per platform without any OS-specific code.
A naive "resolve everything" change would also block legit user-tmp paths
under `/private/var/folders/<hash>/T/` — pytest's `tmp_path_factory`
writes there on macOS, and `test_workspace_add_allows_external_valid_paths`
explicitly registers tmp dirs as workspaces. Carve-out via a new
`_USER_TMP_PREFIXES` tuple covering `/var/folders`, `/private/var/folders`,
`/var/tmp`, `/private/var/tmp` — checked first in
`_is_blocked_system_path()` so user-tmp paths short-circuit to "not
blocked" even though their parent (`/var`) is. Linux behaviour is
unchanged: literal == resolved, no extra entries, no blocked paths
pass that wouldn't have before.
Updated all six in-tree call sites to use the new `_is_blocked_system_path`
helper instead of inlining the loop:
- _trusted_workspace_roots (api/workspace.py:321)
- resolve_trusted_workspace home sanity + block check (api/workspace.py:453,462)
- validate_workspace_to_add (api/workspace.py:514)
- safe_resolve_ws symlink-target check (api/workspace.py:553)
- list_dir symlink-target check (api/workspace.py:577)
- _handle_workspace_add pre-create guard in api/routes.py:3208
Tests:
- 26 new tests in test_workspace_blocked_roots_macos.py covering:
- Set canonicalisation (literal + resolved both present)
- /etc / /private/etc both blocked across platforms
- /var/log security gap on macOS now closed
- /var/folders, /private/var/folders, /var/tmp user-tmp carve-outs
- All non-symlink roots and their subpaths still blocked
- test_batch_fixes.test_etc_still_blocked: relaxed substring match to
accept the new bare-string-in-tuple form.
- Full suite locally: 2664 passed, 47 skipped, 0 failures.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Collaborator
|
Good fix with solid test coverage. A few notes from review: Security impact confirmed: The macOS symlink path ( Fix approach looks correct: Returning both literal + resolved canonical forms from
Linux regression risk: Low — on Linux, One thing to verify: The Overall: the fix is correctly scoped, well-tested (26 new tests covering the key invariants), and the Linux behaviour is provably unchanged. 👍 |
This was referenced Apr 28, 2026
nesquena-hermes
added a commit
that referenced
this pull request
Apr 28, 2026
…code leak (#1194) Batch release v0.50.231 — 3 fixes. ## PRs included | PR | Author | Fix | |---|---|---| | #1186 | @nesquena (Claude Code) | macOS `/etc` symlink bypass in workspace blocked-roots | | #1187 | @nesquena-hermes | Workspace panel stuck closed after empty-session reload | | #1190 | @bergeouss | Fenced code content leaking into markdown passes (#1154) | All three PRs were independently reviewed and approved by @nesquena. ## Test results **2729 passed, 2 skipped** (2 macOS-only tests correctly skipped on Linux). Browser QA: **21/21**. ## Key fix notes **#1186:** `_workspace_blocked_roots()` now returns both literal and `Path.resolve()` forms of each blocked root. macOS symlinks (`/etc → /private/etc`) previously let a resolved candidate slip past the literal check. New `_is_blocked_system_path()` helper with `/var/folders` and `/var/tmp` carve-outs for pytest temp dirs. **#1187:** Regression from #1182 — `syncWorkspacePanelState()` force-closed on any no-session state. Now only closes in `'preview'` mode. Both boot paths restore localStorage panel pref before sync. **#1190:** Fenced code blocks are now stashed as `\x00P<n>\x00` tokens through ALL markdown passes (list/heading/table regexes), restored at the very end. Previously, diff hunks and markdown headings inside code blocks triggered those regexes, injecting `<ul>/<li>/<h>` tags that broke `</pre>` closure.
Collaborator
This was referenced Apr 28, 2026
JKJameson
pushed a commit
to JKJameson/hermes-webui
that referenced
this pull request
Apr 29, 2026
…code leak (nesquena#1194) Batch release v0.50.231 — 3 fixes. ## PRs included | PR | Author | Fix | |---|---|---| | nesquena#1186 | @nesquena (Claude Code) | macOS `/etc` symlink bypass in workspace blocked-roots | | nesquena#1187 | @nesquena-hermes | Workspace panel stuck closed after empty-session reload | | nesquena#1190 | @bergeouss | Fenced code content leaking into markdown passes (nesquena#1154) | All three PRs were independently reviewed and approved by @nesquena. ## Test results **2729 passed, 2 skipped** (2 macOS-only tests correctly skipped on Linux). Browser QA: **21/21**. ## Key fix notes **nesquena#1186:** `_workspace_blocked_roots()` now returns both literal and `Path.resolve()` forms of each blocked root. macOS symlinks (`/etc → /private/etc`) previously let a resolved candidate slip past the literal check. New `_is_blocked_system_path()` helper with `/var/folders` and `/var/tmp` carve-outs for pytest temp dirs. **nesquena#1187:** Regression from nesquena#1182 — `syncWorkspacePanelState()` force-closed on any no-session state. Now only closes in `'preview'` mode. Both boot paths restore localStorage panel pref before sync. **nesquena#1190:** Fenced code blocks are now stashed as `\x00P<n>\x00` tokens through ALL markdown passes (list/heading/table regexes), restored at the very end. Previously, diff hunks and markdown headings inside code blocks triggered those regexes, injecting `<ul>/<li>/<h>` tags that broke `</pre>` closure.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes the recurring macOS-only failure of
tests/test_sprint3.py::test_workspace_add_rejects_system_pathsAND a real security gap that came with it.The bug
_workspace_blocked_roots()returned literalPath('/etc'),Path('/var'), etc. On macOS, those are symlinks to/private/etc,/private/var,/private/tmp. Every caller resolves user input viaPath(input).resolve()first — so the candidate became/private/etcwhile the blocked entry was the literal/etc./private/etc.relative_to(/etc)raises ValueError, the candidate falls through every blocked-root check, and the route handler accepts/etcas a registered workspace.Two consequences:
POST /api/workspaces/addwith/etcreturned 200 instead of 400 on macOS./private/var/logcould be registered as a workspace on macOS, letting agents read system logs through the carved-out trust path.On Linux there's no symlink, literal == resolved, so the check worked correctly.
The fix
_workspace_blocked_roots()now returns BOTH the literal and resolved-canonical forms, deduped.Path('/etc').resolve()is/private/etcon macOS and/etcon Linux — so the set self-canonicalises per platform without any OS-specific code.A naive "resolve everything" would also block legit user-tmp paths under
/private/var/folders/<hash>/T/— pytest'stmp_path_factorywrites there on macOS, andtest_workspace_add_allows_external_valid_pathsexplicitly registers tmp dirs. New_USER_TMP_PREFIXEScarve-out (/var/folders,/private/var/folders,/var/tmp,/private/var/tmp), checked first in_is_blocked_system_path()so user-tmp paths short-circuit to "not blocked" even though their parent is.Linux behaviour is unchanged: literal == resolved, no extra entries, no paths pass that wouldn't have before.
What changed
_workspace_blocked_roots()returns canonical-deduped set; new_safe_resolvehelper,_USER_TMP_PREFIXEScarve-outs, and_is_blocked_system_path()consolidating the 6 inlined loops across the file._handle_workspace_addpre-create guard switched to the helper.test_etc_still_blockedsubstring match relaxed to accept the new bare-string-in-tuple form.Result
Full suite: 2664 passed, 47 skipped, 0 failed on macOS. The pre-existing test_sprint3 failure is gone. CI on Linux continues to pass (verified by the unchanged behaviour for non-symlink roots).
🤖 Generated with Claude Code