Skip to content

feat(plugins): Add universal plugin support#113

Open
dcramer wants to merge 35 commits into
mainfrom
codex/add-plugin-support
Open

feat(plugins): Add universal plugin support#113
dcramer wants to merge 35 commits into
mainfrom
codex/add-plugin-support

test(dotagents): Cover missing plugin source roots

b61ec32
Select commit
Loading
Failed to load commit list.
@sentry/warden / warden: security-review completed Jul 7, 2026 in 0s

1 issue

security-review: Found 1 issue (1 medium)

Medium

Plugin bundle symlinks escape containment and expose arbitrary host files to AI agents - `packages/dotagents/src/plugins/runtime/writer.ts:91-92`

A third-party plugin (e.g. a git-sourced bundle) can include a symlink such as agents/evil.md -> ../../../../../etc/passwd or -> /proc/self/environ; installPluginBundle copies it verbatim (cp defaults to dereference:false) and writeComponentProjections links .opencode/agents/evil.md to it without a realpath boundary check, so agents reading the projected component follow the chain out of the plugin root to arbitrary host files. Dereference/realpath containment should be enforced on plugin component files during install and projection.

Also found at:

  • packages/dotagents/src/plugins/store.ts:171

⏱ 10m 30s · 3.1M in / 80.5k out · $4.80

Annotations

Check warning on line 92 in packages/dotagents/src/plugins/runtime/writer.ts

See this annotation in the file changed.

@sentry-warden sentry-warden / warden: security-review

Plugin bundle symlinks escape containment and expose arbitrary host files to AI agents

A third-party plugin (e.g. a git-sourced bundle) can include a symlink such as `agents/evil.md -> ../../../../../etc/passwd` or `-> /proc/self/environ`; `installPluginBundle` copies it verbatim (cp defaults to `dereference:false`) and `writeComponentProjections` links `.opencode/agents/evil.md` to it without a realpath boundary check, so agents reading the projected component follow the chain out of the plugin root to arbitrary host files. Dereference/realpath containment should be enforced on plugin component files during install and projection.

Check warning on line 171 in packages/dotagents/src/plugins/store.ts

See this annotation in the file changed.

@sentry-warden sentry-warden / warden: security-review

[EPX-SL3] Plugin bundle symlinks escape containment and expose arbitrary host files to AI agents (additional location)

A third-party plugin (e.g. a git-sourced bundle) can include a symlink such as `agents/evil.md -> ../../../../../etc/passwd` or `-> /proc/self/environ`; `installPluginBundle` copies it verbatim (cp defaults to `dereference:false`) and `writeComponentProjections` links `.opencode/agents/evil.md` to it without a realpath boundary check, so agents reading the projected component follow the chain out of the plugin root to arbitrary host files. Dereference/realpath containment should be enforced on plugin component files during install and projection.