zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-06-11 18:53:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(hooks): address coderabbit review — use lstatSync for symlink paths

Browse Source 
CodeRabbit major on PR #1898: fs.statSync follows symlinks, so a dangling
protected symlink (e.g. .eslintrc.js pointing at a missing target) would
throw ENOENT and be treated as absent — letting an agent "replace" the
symlink and bypass the protection.

Swap statSync for lstatSync. lstat reports the link node itself regardless
of whether its target exists, so protected entries that happen to be
symlinks stay blocked. ENOENT handling is unchanged: only a genuinely
missing path (no link, no file, no directory) counts as absent.

Add a regression test that creates a dangling symlink at .eslintrc.js and
verifies the hook still blocks Write. Skips cleanly on platforms/sandboxes
that disallow symlink creation (EPERM/EACCES).
This commit is contained in:
gaurav0107
2026-05-15 01:09:43 +05:30
parent a8fe098c88
commit 7145ca9dfe
2 changed files with 54 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
scripts/hooks/config-protection.js
View File

@@ -100,15 +100,17 @@ function run(inputOrRaw, options = {}) {
// config file in a project that has none is a legitimate bootstrap
// path (e.g. scaffolding ESLint into a fresh repo).
//
// Fail closed on any stat error other than ENOENT. fs.existsSync would
// swallow EACCES/EPERM and return false, which would let an agent
// overwrite a file whose parent directory we cannot traverse. statSync
// exposes the error code explicitly so we can treat only genuine
// "file not found" as absent.
// Fail closed on any stat error other than ENOENT. Use lstatSync so a
// symlink at the protected path is treated as present even if its target
// is missing — a dangling symlink at e.g. .eslintrc.js still represents
// an existing config entry that an agent should not silently replace.
// fs.existsSync would swallow EACCES/EPERM as false; lstatSync exposes
// the error code so we can treat only genuine "path not found" (ENOENT)
// as absent.
let exists = true;
try {
fs.statSync(filePath);
// stat succeeded — file exists.
fs.lstatSync(filePath);
// lstat succeeded — something (file, dir, or symlink) exists here.
} catch (err) {
if (err && err.code === 'ENOENT') {
exists = false;