
chore: sync core lib and CLAUDE.md from agent-core#31

Merged
avifenesh merged 1 commit into main from chore/sync-core-sync-docs-20260426-152018 on Apr 26, 2026

Conversation


@avifenesh avifenesh commented Apr 26, 2026

Automated sync of lib/ and CLAUDE.md from agent-core.
Note

Medium Risk
Adds symlink refusal checks around auto-fix backup/write and backup-restore operations, which changes filesystem behavior and could cause fixes/restores to error on repos that previously used symlinks. Risk is limited to the fixer tooling but touches write paths and backup handling.

Overview
Hardens the auto-fix workflow in lib/enhance/fixer.js by introducing assertNotSymlink and using it to refuse reading from or writing to symlinked paths.

applyFixes now checks the target file before reading, checks the .backup path before creating backups, and re-checks the target immediately before writing to narrow TOCTOU symlink-swap attacks; restoreFromBackup similarly refuses symlinks for both backup and restore targets. The helper is also exported for reuse.

Reviewed by Cursor Bugbot for commit 32858df.

@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 32858df.

Comment thread lib/enhance/fixer.js
if (backup) {
const backupPath = `${filePath}.backup`;
// Refuse if the backup slot itself is a pre-existing symlink.
assertNotSymlink(backupPath);
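Review bot: the `assertNotSymlink(backupPath)` on the last line of this region guards the `.backup` slot only at check time; the `fs.writeFileSync(backupPath, content, 'utf8')` that follows still opens through a symlink planted between the two, which is exactly the window the patch narrows for `filePath` but not here. Rather than adding a second lstat, open the backup with `{ flag: 'wx' }` (O_CREAT|O_EXCL), which fails with EEXIST if anything already occupies the path, a symlink included, and clear a stale backup with `fs.unlinkSync` beforehand, since unlink removes the link itself and never its target.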

Missing TOCTOU re-check before backup file write

Low Severity

The backupPath write at fs.writeFileSync(backupPath, content, 'utf8') only gets a single assertNotSymlink check before it, with no immediate re-check before the write. In contrast, the main filePath write has an explicit re-check pattern to narrow the TOCTOU window. In the hostile-repo threat model, content (original file content) is attacker-controlled, so a race swapping backupPath for a symlink between check and write poses the same risk the re-check mitigates for filePath.


Reviewed by Cursor Bugbot for commit 32858df.

@avifenesh avifenesh merged commit 961f5e6 into main Apr 26, 2026
7 checks passed
@avifenesh avifenesh deleted the chore/sync-core-sync-docs-20260426-152018 branch April 26, 2026 15:24