[GH-ISSUE #524] Cross-platform hardening: secure_open_other should avoid symlink following where possible #150

New issue

Closed

opened 2026-02-26 21:33:47 +03:00 by kerem · 3 comments

kerem commented 2026-02-26 21:33:47 +03:00

Owner

Copy link

Originally created by @rudrankriyam on GitHub (Feb 14, 2026).
Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/524

Summary

internal/cli/shared/secure_open_other.go falls back to plain os.Open/os.OpenFile on non-Unix builds, which can follow symlinks and weakens the no-follow guarantees present on Unix builds.

Why this matters

Security posture is currently platform-dependent. For report/artifact file paths, symlink behavior should be explicitly hardened or documented consistently.

Current behavior

• Unix builds: O_NOFOLLOW is used.
• Other builds: no equivalent no-follow check is applied.

Expected behavior

• Implement best-effort symlink protection on non-Unix platforms, or
• perform explicit Lstat checks + controlled open sequence, and
• clearly document any unavoidable limitations.

Detailed implementation plan

• Evaluate platform-specific no-follow capabilities.
• Add explicit symlink checks before open/create in secure_open_other.go.
• Ensure TOCTOU risk is minimized and documented.
• Add tests covering symlink path handling on non-Unix-compatible test strategy.
• Update security notes/docs for platform differences.

Acceptance criteria

• Non-Unix fallback has explicit, tested symlink-handling behavior.
• Behavior is documented and consistent with security expectations.
• Existing file write/read helpers continue to pass existing tests.

cc @cursor please implement this end-to-end.

Originally created by @rudrankriyam on GitHub (Feb 14, 2026). Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/524 ## Summary `internal/cli/shared/secure_open_other.go` falls back to plain `os.Open`/`os.OpenFile` on non-Unix builds, which can follow symlinks and weakens the no-follow guarantees present on Unix builds. ## Why this matters Security posture is currently platform-dependent. For report/artifact file paths, symlink behavior should be explicitly hardened or documented consistently. ## Current behavior - Unix builds: `O_NOFOLLOW` is used. - Other builds: no equivalent no-follow check is applied. ## Expected behavior - Implement best-effort symlink protection on non-Unix platforms, or - perform explicit `Lstat` checks + controlled open sequence, and - clearly document any unavoidable limitations. ## Detailed implementation plan - [ ] Evaluate platform-specific no-follow capabilities. - [ ] Add explicit symlink checks before open/create in `secure_open_other.go`. - [ ] Ensure TOCTOU risk is minimized and documented. - [ ] Add tests covering symlink path handling on non-Unix-compatible test strategy. - [ ] Update security notes/docs for platform differences. ## Acceptance criteria - [ ] Non-Unix fallback has explicit, tested symlink-handling behavior. - [ ] Behavior is documented and consistent with security expectations. - [ ] Existing file write/read helpers continue to pass existing tests. cc @cursor please implement this end-to-end.

kerem 2026-02-26 21:33:47 +03:00

• closed this issue
• added the
  enhancement
  label

kerem commented 2026-02-26 21:33:48 +03:00

Author

Owner

Copy link

@rudrankriyam commented on GitHub (Feb 14, 2026):

@cursor please implement this issue end-to-end using the checklist and acceptance criteria.

<!-- gh-comment-id:3900361752 --> @rudrankriyam commented on GitHub (Feb 14, 2026): @cursor please implement this issue end-to-end using the checklist and acceptance criteria.

kerem commented 2026-02-26 21:33:48 +03:00

Author

Owner

Copy link

@cursor[bot] commented on GitHub (Feb 14, 2026):

Implemented end-to-end on cursor/cross-platform-symlink-security-cd97 and pushed the changes. I replaced the non-Unix fallback’s plain open calls with a best-effort hardened flow: pre-open Lstat symlink rejection + post-open verification that the opened fd still matches the path (to detect path swaps/races), with explicit TOCTOU caveats in code comments. I wired this through internal/cli/shared/secure_open_other.go and added shared helper logic in internal/cli/shared/secure_open_best_effort.go.

I added/updated tests to satisfy the checklist:

• New coverage in internal/cli/shared/secure_open_best_effort_test.go for:
  • symlink rejection on open-existing and open-new paths
  • detection of path/fd mismatch (race/path-swap guard)
  • regular-file success paths
• Updated internal/cli/shared/junit_report_test.go symlink test to use capability-based skip (symlink not supported) instead of unconditional Windows skip, so behavior is checked consistently where symlinks are available.
• Updated docs in README.md Security section to document Unix (O_NOFOLLOW) vs non-Unix best-effort behavior and residual TOCTOU limitation.

Validation evidence (all run successfully):

• go test ./internal/cli/shared -run 'TestOpen(Existing|New)NoFollowBestEffort|TestJUnitReport_WriteRefusesSymlink|TestReadLocalizationStrings_RejectsSymlink'
• make format
• make lint
• make test
• GOOS=windows GOARCH=amd64 go test ./internal/cli/shared -c -o /tmp/shared_windows.test.exe (cross-platform build sanity for non-Unix path)
• Commits pushed:
  • aad5d95 Harden non-unix secure open with best-effort nofollow checks
  • 37d7b1a Format secure open best-effort helper

 

<!-- gh-comment-id:3900361873 --> @cursor[bot] commented on GitHub (Feb 14, 2026): Implemented end-to-end on `cursor/cross-platform-symlink-security-cd97` and pushed the changes. I replaced the non-Unix fallback’s plain open calls with a best-effort hardened flow: pre-open `Lstat` symlink rejection + post-open verification that the opened fd still matches the path (to detect path swaps/races), with explicit TOCTOU caveats in code comments. I wired this through `internal/cli/shared/secure_open_other.go` and added shared helper logic in `internal/cli/shared/secure_open_best_effort.go`. I added/updated tests to satisfy the checklist: - New coverage in `internal/cli/shared/secure_open_best_effort_test.go` for: - symlink rejection on open-existing and open-new paths - detection of path/fd mismatch (race/path-swap guard) - regular-file success paths - Updated `internal/cli/shared/junit_report_test.go` symlink test to use capability-based skip (`symlink not supported`) instead of unconditional Windows skip, so behavior is checked consistently where symlinks are available. - Updated docs in `README.md` Security section to document Unix (`O_NOFOLLOW`) vs non-Unix best-effort behavior and residual TOCTOU limitation. Validation evidence (all run successfully): - `go test ./internal/cli/shared -run 'TestOpen(Existing|New)NoFollowBestEffort|TestJUnitReport_WriteRefusesSymlink|TestReadLocalizationStrings_RejectsSymlink'` - `make format` - `make lint` - `make test` - `GOOS=windows GOARCH=amd64 go test ./internal/cli/shared -c -o /tmp/shared_windows.test.exe` (cross-platform build sanity for non-Unix path) - Commits pushed: - `aad5d95` Harden non-unix secure open with best-effort nofollow checks - `37d7b1a` Format secure open best-effort helper <p><a href="https://github.com/rudrankriyam/App-Store-Connect-CLI/pull/532"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/view-pr-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/view-pr-light.png"><img alt="View PR" width="86" height="28" src="https://cursor.com/assets/images/view-pr-light.png"></picture></a></p> <p><a href="https://cursor.com/background-agent?bcId=bc-856d6e41-eefa-4d77-b57c-0afd9af403c6"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a>&nbsp;<a href="https://cursor.com/agents?id=bc-856d6e41-eefa-4d77-b57c-0afd9af403c6"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a></p>

kerem commented 2026-02-26 21:33:48 +03:00

Author

Owner

Copy link

@rudrankriyam commented on GitHub (Feb 14, 2026):

Fixed in #532 (merged to main).

<!-- gh-comment-id:3900689610 --> @rudrankriyam commented on GitHub (Feb 14, 2026): Fixed in #532 (merged to main).

kerem referenced this issue 2026-02-26 21:34:36 +03:00

[PR #150] [MERGED] Builds upload wait timeout #329

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.1

1.1.0

1.0.1

1.0.0

0.49.1

0.49.0

0.48.1

0.48.0

0.47.1

0.47.0

0.46.2

0.46.1

0.46.0

0.45.4

0.45.3

0.45.2

0.45.1

0.45.0

0.44.2

0.44.1

0.44.0

0.43.0

0.42.0

0.41.4

0.41.3

0.41.2

0.41.1

0.41.0

0.40.1

0.40.0

0.39.1

0.39.0

0.38.3

0.38.2

0.38.1

0.38.0

0.37.3

0.37.2

0.37.1

0.37.0

0.36.3

0.36.2

0.36.1

0.36.0

0.35.3

0.35.2

0.35.1

0.35.0

0.34.1

0.34.0

0.33.2

0.33.1

0.33.0

0.32.0

0.31.3

0.31.2

0.31.1

0.31.0

0.30.0

0.29.3

0.29.2

0.29.1

0.29.0

0.28.14

0.28.13

0.28.12

0.28.11

0.28.10

0.28.9

0.28.8

0.28.7

0.28.6

0.28.5

0.28.4

0.28.3

0.28.2

0.28.1

0.28.0

0.27.0

0.26.4

0.26.3

0.26.2

0.26.1

0.26.0

0.25.4

0.25.3

0.25.1

0.25.0

0.24.3

0.24.2

0.24.1

0.24.0

0.23.5

0.23.4

0.23.3

0.23.2

0.23.1

0.23.0

0.22.1

0.22.0

0.21.0

0.20.2

0.20.1

0.20.0

0.19.3

0.19.2

0.19.1

0.19.0

0.18.2

0.18.1

0.18.0

0.17.0

0.16.0

0.15.0

0.14.0

0.13.0

0.12.4

0.12.3

0.12.2

0.12.1

0.12.0

0.11.0

0.10.2

0.10.1

0.10.0

0.9.0

0.8.1

0.8.0

0.7.0

0.6.0

0.5.0

0.3.1

0.3.0

0.2.0

0.1.6

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

Labels

Clear labels   

bug

  

bug

  

documentation

  

enhancement

  

pull-request

Mirrored from GitHub Pull Request

No labels

bug

bug

documentation

enhancement

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/App-Store-Connect-CLI#150

No description provided.