Merge pull request #61 from 0xbyt4/fix/write-deny-macos-symlink

fix: resolve symlink bypass in write deny list on macOS
2026-04-25 00:51:20 +00:00 · 2026-02-27 01:32:19 -08:00 · 2026-02-27 01:32:19 -08:00 · 0909be3aa8
commit 0909be3aa8
parent 274e623b50 2efd9bbac4
2 changed files with 110 additions and 23 deletions
--- a/tools/file_operations.py
+++ b/tools/file_operations.py
@ -42,32 +42,36 @@ from pathlib import Path
 _HOME = str(Path.home())

 WRITE_DENIED_PATHS = {
-    os.path.join(_HOME, ".ssh", "authorized_keys"),
-    os.path.join(_HOME, ".ssh", "id_rsa"),
-    os.path.join(_HOME, ".ssh", "id_ed25519"),
-    os.path.join(_HOME, ".ssh", "config"),
-    os.path.join(_HOME, ".hermes", ".env"),
-    os.path.join(_HOME, ".bashrc"),
-    os.path.join(_HOME, ".zshrc"),
-    os.path.join(_HOME, ".profile"),
-    os.path.join(_HOME, ".bash_profile"),
-    os.path.join(_HOME, ".zprofile"),
-    os.path.join(_HOME, ".netrc"),
-    os.path.join(_HOME, ".pgpass"),
-    os.path.join(_HOME, ".npmrc"),
-    os.path.join(_HOME, ".pypirc"),
-    "/etc/sudoers",
-    "/etc/passwd",
-    "/etc/shadow",
+    os.path.realpath(p) for p in [
+        os.path.join(_HOME, ".ssh", "authorized_keys"),
+        os.path.join(_HOME, ".ssh", "id_rsa"),
+        os.path.join(_HOME, ".ssh", "id_ed25519"),
+        os.path.join(_HOME, ".ssh", "config"),
+        os.path.join(_HOME, ".hermes", ".env"),
+        os.path.join(_HOME, ".bashrc"),
+        os.path.join(_HOME, ".zshrc"),
+        os.path.join(_HOME, ".profile"),
+        os.path.join(_HOME, ".bash_profile"),
+        os.path.join(_HOME, ".zprofile"),
+        os.path.join(_HOME, ".netrc"),
+        os.path.join(_HOME, ".pgpass"),
+        os.path.join(_HOME, ".npmrc"),
+        os.path.join(_HOME, ".pypirc"),
+        "/etc/sudoers",
+        "/etc/passwd",
+        "/etc/shadow",
+    ]
 }

 WRITE_DENIED_PREFIXES = [
-    os.path.join(_HOME, ".ssh") + os.sep,
-    os.path.join(_HOME, ".aws") + os.sep,
-    os.path.join(_HOME, ".gnupg") + os.sep,
-    os.path.join(_HOME, ".kube") + os.sep,
-    "/etc/sudoers.d" + os.sep,
-    "/etc/systemd" + os.sep,
+    os.path.realpath(p) + os.sep for p in [
+        os.path.join(_HOME, ".ssh"),
+        os.path.join(_HOME, ".aws"),
+        os.path.join(_HOME, ".gnupg"),
+        os.path.join(_HOME, ".kube"),
+        "/etc/sudoers.d",
+        "/etc/systemd",
+    ]
 ]