Security Issue: Symlink Attack Vulnerability
Severity: MEDIUM
Priority: HIGH
Category: File System Security
Problem
The installation process doesn't verify that paths are real directories and not symlinks to attacker-controlled locations.
Attack Vector:
    # Attacker creates symlink before installation
    ln -s /tmp/malicious ~/.devflow
    npx devflow-kit init
    # Now executing attacker's scripts
Impact
- Code execution via malicious scripts
- Settings.json points to attacker-controlled path
- Silent compromise (no user notification)
Solution
Use fs.realpath() to resolve symlinks and validate paths:
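    import { promises as fs } from 'fs';
    import * as path from 'path';

    // devflowDir, scriptsSource, getHomeDirectory() and copyDirectory() are
    // assumed to be defined elsewhere in the project.
    async function installScripts() {
      const devflowScriptsDir = path.join(devflowDir, 'scripts');

      // Create directory
      await fs.mkdir(devflowScriptsDir, { recursive: true });

      // Resolve symlinks to get real path
      const realScriptsDir = await fs.realpath(devflowScriptsDir);

      // Verify it's under expected location. The home directory is resolved first
      // so a home path that itself contains a symlink does not trip the check.
      const realHome = await fs.realpath(getHomeDirectory());
      const expectedDir = path.join(realHome, '.devflow', 'scripts');
      if (realScriptsDir !== expectedDir) {
        throw new Error(`Security: Script directory is a symlink to ${realScriptsDir}`);
      }

      // Proceed with installation
      await copyDirectory(scriptsSource, realScriptsDir);
    }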
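An added example, not part of the original issue or devflow-kit's code: a variant of the check above that inspects each path component with `lstat` before creating it, so nothing is created through a pre-planted link. `ensureRealDir` and `demo` are hypothetical names, the `0o700` mode is an assumption, and the demo directories are constructed under the OS temp directory.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Added example, not devflow-kit code. Creates base/<segments...> one component
// at a time and refuses to pass through a symlink; `base` is the trusted root.
function ensureRealDir(base, ...segments) {
  let current = fs.realpathSync(base); // the home path itself may contain symlinks
  for (const segment of segments) {
    current = path.join(current, segment);
    let stat;
    try {
      stat = fs.lstatSync(current); // lstat inspects the link, not its target
    } catch (err) {
      if (err.code !== 'ENOENT') throw err;
      // Non-recursive mkdir fails with EEXIST if anything appears here meanwhile.
      fs.mkdirSync(current, { mode: 0o700 });
      continue;
    }
    if (stat.isSymbolicLink()) {
      throw new Error(`Security: ${current} is a symlink to ${fs.readlinkSync(current)}`);
    }
    if (!stat.isDirectory()) {
      throw new Error(`Security: ${current} exists and is not a directory`);
    }
  }
  return current;
}

// Constructed demo: throwaway "home" directories, one with a planted .devflow link.
function demo() {
  const tmp = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'symlink-demo-')));
  const [cleanHome, plantedHome, elsewhere] =
    ['clean-home', 'planted-home', 'elsewhere'].map((name) => path.join(tmp, name));
  for (const dir of [cleanHome, plantedHome, elsewhere]) fs.mkdirSync(dir);
  fs.symlinkSync(elsewhere, path.join(plantedHome, '.devflow'));
  const result = { expected: path.join(cleanHome, '.devflow', 'scripts'), plantedError: null };
  result.cleanPath = ensureRealDir(cleanHome, '.devflow', 'scripts');
  try {
    ensureRealDir(plantedHome, '.devflow', 'scripts');
  } catch (err) {
    result.plantedError = err.message;
  }
  // Nothing may have been created behind the link.
  result.createdThroughLink = fs.existsSync(path.join(elsewhere, 'scripts'));
  fs.rmSync(tmp, { recursive: true, force: true });
  return result;
}
console.log(demo());
```

A check like this narrows the window but does not close it: a process that can write to the parent directory between the check and the copy can still swap a component.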
Files to Modify
src/cli/commands/init.ts (script installation section)
- Add realpath verification before copying files
Acceptance Criteria
Related Issues