Skip to content

fix(desktop): confine snapshot file reads#60

Merged
steipete merged 1 commit into
mainfrom
fix/desktop-snapshot-confinement
Jun 19, 2026
Merged

fix(desktop): confine snapshot file reads#60
steipete merged 1 commit into
mainfrom
fix/desktop-snapshot-confinement

Conversation

@steipete

@steipete steipete commented Jun 19, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • confine Slack Desktop snapshot reads to the discovered profile root with os.Root
  • reject symlinks and special files during recursive snapshot copies
  • add regression coverage for an escaping symlink and partial-snapshot cleanup

Risk

Without confinement, a symlink inside a selected Slack cache path could make the snapshot reader copy an unrelated local file into its temporary processing tree. Snapshot destinations were already fixed; this closes the source-read escape.

Verification

  • targeted Slack Desktop tests and escaping-symlink regression
  • GOWORK=off go test -count=1 ./...
  • GOWORK=off make test
  • GOWORK=off go test -count=1 -race ./...
  • vet, formatting, deadcode, module verification, govulncheck
  • structured gosec: previous G703/high finding removed; three unchanged G204 process-launch warnings remain
  • GoReleaser snapshot and Docker build/version smoke
  • exact built CLI: doctor --json, status --json, and archive-backed search; private output suppressed
  • shared Codex autoreview: clean

@clawsweeper

clawsweeper Bot commented Jun 19, 2026

Copy link
Copy Markdown

ClawSweeper status: review started.

I am starting a fresh review of this pull request: fix(desktop): confine snapshot file reads This is item 1/1 in the current shard. Shard 0/1.

This placeholder means the worker is alive and reading the current context. I will edit this same comment with the actual review when the claws are done clicking.

Crustacean status: shell secured, claws on keyboard, evidence pebbles being sorted.

@steipete steipete merged commit eeb11f4 into main Jun 19, 2026
12 checks passed
@steipete steipete deleted the fix/desktop-snapshot-confinement branch June 19, 2026 11:11
@steipete

steipete commented Jun 19, 2026

Copy link
Copy Markdown
Collaborator Author

Landed as eeb11f4458c0613821479230437a8094e5f56561.

Proof:

  • exact-head GitHub checks passed: test, lint, dependency verification, release snapshot, Docker, CodeQL, and both secret scans
  • local gates passed: GOWORK=off go test -count=1 ./..., GOWORK=off make test, race tests, vet, deadcode, vulnerability scan, snapshot build, and Docker build
  • regression test covers an escaping Slack Desktop source symlink and partial-snapshot cleanup
  • security scan now reports zero G703/high findings; the three remaining G204 findings are unchanged baseline process-launch sites
  • exact built binary passed doctor, status, and search smoke tests with private output suppressed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@vincentkoc vincentkoc

Labels

fix other

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@steipete @vincentkoc