Harden --prompt-file against paths outside the working directory#289
Open
lohengrin332 wants to merge 1 commit into openai:main from
Conversation
Previously, `--prompt-file <path>` accepted any user-readable file on the filesystem, including symlinks pointing outside cwd. The file contents are forwarded to OpenAI as a Codex task prompt, so a mistakenly or maliciously composed `--prompt-file ~/.ssh/id_rsa` would exfiltrate that file. This is not exploitable in normal single-user CLI use, but it is a defense-in-depth gap under prompt-injection-adjacent threat models where Claude itself might compose hostile arguments.

Resolve symlinks via realpathSync and reject any --prompt-file that does not live under the realpath of cwd. Add coverage for relative escapes, absolute paths outside cwd, and symlinks that point outside.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
This is a defense-in-depth hardening PR, not a CVE. There is no remotely exploitable bug here in normal use of the plugin.
The behavior I'm changing:
`codex-companion.mjs task --prompt-file <path>` currently does `fs.readFileSync(path.resolve(cwd, value), "utf8")` with no containment check. The file's contents are then forwarded to OpenAI as the Codex task prompt.

Why I think it's worth tightening: under prompt-injection-adjacent threat models — where Claude itself might be steered into composing slash command arguments — a path like `--prompt-file ~/.ssh/id_rsa` or a symlinked sibling file would exfiltrate user secrets to OpenAI. Constraining the resolved path (after symlink resolution) to live under `cwd` removes that capability without affecting any documented or supported usage.

Changes:

- `readTaskPrompt` to `lib/task-prompt.mjs` so it can be unit-tested directly. (Open to inlining instead if you'd prefer fewer files.)
- `fs.realpathSync` before the containment check.
- `realpath(cwd)`.
- `tests/task-prompt.test.mjs` with coverage for: happy paths (relative + absolute inside cwd), relative escape, absolute outside, symlink-out-of-cwd, and the no-prompt-file positional fallback.

No changes to documented behavior or any pre-existing test. Happy to adjust the error message format, the file-vs-inline factoring, or the exact set of cases covered.
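The containment check described in the commit message and the PR description, written out here as an added example rather than taken from the PR's diff or the plugin's code base: the unchecked read the PR says it replaces, a realpath-based `readTaskPrompt` beside it, and a constructed temp-directory fixture that runs the cases the description lists (relative and absolute inside cwd, relative escape, absolute outside, symlink out of cwd) plus a symlink that stays inside and a missing file. The function names (`readTaskPrompt`, `isInside`, `buildFixture`, `checkCases`), the fixture layout, and the error messages are assumptions; the fixture assumes a POSIX filesystem on which symlinks can be created.

```javascript
// Added example, not the plugin's own code: the unchecked read the PR
// replaces, a realpath-based containment check, and a constructed fixture
// that walks through the cases listed in the PR description.
// Assumptions: a POSIX filesystem where symlinks can be created, and the
// names readTaskPrompt / isInside / buildFixture / checkCases.
import fs from "node:fs";
import os from "node:os";
import path from "node:path";

// Before: resolves against cwd and reads, following any symlink anywhere.
export function readTaskPromptUnchecked(cwd, value) {
  return fs.readFileSync(path.resolve(cwd, value), "utf8");
}

// True when `target` lies strictly under `root`. Both must already be real
// (symlink-free) paths; this is pure string logic on the resolved result.
export function isInside(root, target) {
  const rel = path.relative(root, target);
  return (
    rel !== "" &&                          // root itself is a directory, not a prompt file
    rel !== ".." &&
    !rel.startsWith(`..${path.sep}`) &&    // "../x" escapes; a file named "..x" does not
    !path.isAbsolute(rel)                  // different drive on Windows
  );
}

// After: resolve symlinks on both sides, then require containment.
export function readTaskPrompt(cwd, value) {
  const realCwd = fs.realpathSync(cwd);
  let realFile;
  try {
    realFile = fs.realpathSync(path.resolve(cwd, value));
  } catch (err) {
    // ENOENT, EACCES, ELOOP...: nothing to contain, reject before reading.
    throw new Error(`--prompt-file: cannot resolve ${value} (${err.code})`);
  }
  if (!isInside(realCwd, realFile)) {
    throw new Error(`--prompt-file must be inside the working directory: ${value}`);
  }
  // Read the resolved target, not the user-supplied path, so a symlink
  // swapped after the check is not followed (parent-directory races remain).
  return fs.readFileSync(realFile, "utf8");
}

// Constructed fixture: a work dir holding an in-tree prompt and two symlinks,
// one pointing inside the tree and one at a secret outside it.
export function buildFixture() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "prompt-file-"));
  const work = path.join(base, "work");
  fs.mkdirSync(path.join(work, "sub"), { recursive: true });
  fs.writeFileSync(path.join(work, "prompt.txt"), "review the auth module");
  fs.writeFileSync(path.join(work, "sub", "nested.txt"), "nested prompt");
  fs.writeFileSync(path.join(base, "secret.txt"), "PRIVATE KEY");
  fs.symlinkSync(path.join(work, "prompt.txt"), path.join(work, "link-in"));
  fs.symlinkSync(path.join(base, "secret.txt"), path.join(work, "link-out"));
  return { base, work };
}

// Runs each case through readTaskPrompt with `work` as cwd and records
// "ok:<contents>" or "rejected"; the unchecked reader is run once on the
// outbound symlink to show what the hardening removes.
export function checkCases() {
  const { base, work } = buildFixture();
  const cases = {
    relativeInside: "prompt.txt",
    nestedInside: "sub/nested.txt",
    absoluteInside: path.join(work, "prompt.txt"),
    symlinkInside: "link-in",
    relativeEscape: "../secret.txt",
    dotDotViaSub: "sub/../../secret.txt",
    absoluteOutside: path.join(base, "secret.txt"),
    symlinkOut: "link-out",
    missing: "does-not-exist.txt",
  };
  const results = {};
  try {
    for (const [name, value] of Object.entries(cases)) {
      try {
        results[name] = `ok:${readTaskPrompt(work, value)}`;
      } catch {
        results[name] = "rejected";
      }
    }
    results.uncheckedSymlinkOut = readTaskPromptUnchecked(work, "link-out");
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
  return results;
}
```

Two points worth having on record when reviewing a check of this shape. First, `cwd` has to go through `realpathSync` as well as the file: on macOS `os.tmpdir()` is reached through a symlink (`/var` to `/private/var`), so comparing a resolved file path against an unresolved `cwd` would make every in-tree file look like an escape. Second, realpath-then-read is still a check-then-use sequence; reading the resolved path rather than the user-supplied one means a symlink swapped at the final component after the check is not followed, but a directory component replaced between the two calls can still redirect the read. For the threat model the PR names (arguments composed by the model, not a concurrent local attacker) that residual window is acceptable, and the note above says why.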