fix: prevent path traversal in exportEnvironmentFile#339

Open
zerone0x wants to merge 1 commit into dagger:main from zerone0x:fix/path-traversal-exportEnvironmentFile
Conversation

@zerone0x

Summary

  • Fixes a path traversal vulnerability in exportEnvironmentFile where user-controlled target_file paths containing .. sequences could write files outside the worktree directory on the host filesystem
  • Adds a boundary check using filepath.Rel after filepath.Join to ensure the resolved path stays within the worktree

Fixes #337

Test plan

  • Verified go build ./... compiles successfully
  • Verified go test -short ./... passes (2 pre-existing failures in TestSelectiveFileStaging unrelated to this change)
  • Paths like ../../.bashrc are rejected with "path traversal detected" error
  • Normal relative paths like src/main.go continue to work as expected

Add boundary check after filepath.Join to ensure the resolved file path
stays within the worktree directory. Without this validation, a malicious
target_file like "../../.bashrc" could write files outside the worktree
on the host filesystem via the environment_file_write MCP tool.

Fixes dagger#337

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
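The boundary check the summary and commit message describe (filepath.Rel applied to the result of filepath.Join), written out as an added Go example; this is not the project's code, and the function name ResolveInWorktree and the /tmp/worktree base path are assumptions:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when the target resolves outside the worktree.
var ErrPathTraversal = errors.New("path traversal detected")

// ResolveInWorktree joins target onto worktree and rejects any result that
// escapes the worktree. filepath.Join already collapses ".." segments, so the
// check has to run on the joined path; filepath.Rel then reports whether that
// path still lies below the worktree. (Hypothetical helper, not dagger's.)
func ResolveInWorktree(worktree, target string) (string, error) {
	base := filepath.Clean(worktree)
	joined := filepath.Join(base, target)
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", fmt.Errorf("resolving %q: %w", target, err)
	}
	// Rel yields ".." or "../..." for anything outside base, including a
	// sibling directory that merely shares a prefix (worktree vs worktree2),
	// which a naive strings.HasPrefix(joined, base) check would accept.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	// This is a lexical check only: a symlink inside the worktree could still
	// point elsewhere, so callers that follow links should also compare the
	// filepath.EvalSymlinks result against the base directory.
	return joined, nil
}

func main() {
	// Constructed sample inputs: two benign paths and two traversal attempts.
	for _, t := range []string{"src/main.go", "/etc/passwd", "../../.bashrc", "a/../../x"} {
		p, err := ResolveInWorktree("/tmp/worktree", t)
		fmt.Printf("%-16q -> %q err=%v\n", t, p, err)
	}
}
```

Note that a leading slash in target is treated as relative by filepath.Join, so "/etc/passwd" resolves inside the worktree rather than being rejected.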
Development

Successfully merging this pull request may close these issues.

[Bug]: Path traversal in exportEnvironmentFile allows writing files outside the worktree