Security Issue: Symlink Attack Vulnerability
Severity: MEDIUM
Priority: HIGH
Category: File System Security
Problem
The installation process doesn't verify that paths are real directories and not symlinks to attacker-controlled locations.
Attack Vector:
```bash
# Attacker creates symlink before installation
ln -s /tmp/malicious ~/.devflow
npx devflow-kit init
# Now executing attacker's scripts
```
Impact
- Code execution via malicious scripts
- Settings.json points to attacker-controlled path
- Silent compromise (no user notification)
Solution
Use fs.realpath() to resolve symlinks and validate paths:
```ts
async function installScripts() {
  const devflowScriptsDir = path.join(devflowDir, 'scripts');

  // Create directory
  await fs.mkdir(devflowScriptsDir, { recursive: true });

  // Resolve symlinks to get real path
  const realScriptsDir = await fs.realpath(devflowScriptsDir);

  // Verify it's under expected location
  const expectedDir = path.join(getHomeDirectory(), '.devflow', 'scripts');
  if (realScriptsDir !== expectedDir) {
    throw new Error(`Security: Script directory is a symlink to ${realScriptsDir}`);
  }

  // Proceed with installation
  await copyDirectory(scriptsSource, realScriptsDir);
}
```
Files to Modify
- src/cli/commands/init.ts (script installation section)
- Add realpath verification before copying files
Acceptance Criteria
- All installation paths verified with fs.realpath()
- Error thrown if symlink points outside expected directory
- User notification if symlink attack detected
- Test coverage for symlink scenarios
- Documentation updated with security notes
Related Issues
- 🔒 SECURITY: Validate DEVFLOW_DIR environment variable #5 (DEVFLOW_DIR validation)
- #TBD (Script integrity verification)
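The check described under Solution, as an added example that is not devflow-kit's code: it canonicalizes the home directory first (so a legitimately symlinked home does not trip the comparison) and uses `lstat` on each path component before creating it. The names `ensureRealDir` and `demo` and the temp-directory layout are assumptions made for illustration.

```javascript
// Added example (not devflow-kit code); function names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Create/verify homeDir/<segments...>, refusing any component that is a symlink.
function ensureRealDir(homeDir, segments) {
  // Canonicalize the home directory itself so a legitimately symlinked
  // home (e.g. /var -> /private/var on macOS) is not a false positive.
  let current = fs.realpathSync(homeDir);
  for (const seg of segments) {
    current = path.join(current, seg);
    let st = null;
    try {
      st = fs.lstatSync(current); // lstat does not follow symlinks
    } catch (err) {
      if (err.code !== 'ENOENT') throw err;
    }
    if (st === null) {
      fs.mkdirSync(current, { mode: 0o700 }); // EEXIST here fails closed
    } else if (st.isSymbolicLink()) {
      throw new Error(`Security: ${current} is a symlink to ${fs.readlinkSync(current)}`);
    } else if (!st.isDirectory()) {
      throw new Error(`Security: ${current} exists and is not a directory`);
    }
  }
  // Final check in the style of the issue: resolved path must equal the expected one.
  if (fs.realpathSync(current) !== current) {
    throw new Error(`Security: ${current} resolves elsewhere`);
  }
  return current;
}

// Constructed scenario in a temp dir: one clean home, one with a planted symlink.
function demo() {
  const root = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'symlink-demo-')));
  const cleanHome = path.join(root, 'clean');
  const badHome = path.join(root, 'bad');
  const planted = path.join(root, 'malicious');
  for (const d of [cleanHome, badHome, planted]) fs.mkdirSync(d);
  fs.symlinkSync(planted, path.join(badHome, '.devflow')); // mirrors the issue's `ln -s`
  const result = { root, clean: ensureRealDir(cleanHome, ['.devflow', 'scripts']) };
  try {
    ensureRealDir(badHome, ['.devflow', 'scripts']);
    result.bad = 'accepted';
  } catch (err) {
    result.bad = err.message;
  }
  return result;
}
```

The check narrows the window but does not remove the race between verification and the later copy, so the copy step should also refuse to follow symlinks.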