Follow-up to #913. Surfaced by the APM Expert Review Panel (Supply Chain Security specialist). LOW severity, documented observation. CEO arbitration: tracking-only, mitigated today.
Observation
URL-encoded traversal sequences (%2e%2e) are not decoded before path validation on the cowork:// lockfile scheme. In practice this is mitigated by ensure_path_within, which resolves symlinks and performs a containment check on the final absolute path — any attempt to escape the cowork root is caught at resolution time.
This issue exists to track the cleaner fix: decode the URL-encoded segment before validate_path_segments so the rejection happens at parse time, not resolution time. Belt-and-braces, not a known exploit path.
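The ordering problem described above, as an added example that is not the project's own code: a hypothetical reconstruction of the three functions the issue names (from_lockfile_path, validate_path_segments, ensure_path_within). It assumes only %2e/%2E is decoded (matching the "Not in scope" note, other %xx stays literal), that the containment check is a pathlib resolve-and-compare, and the decode_before_validate switch exists only to show the pre-fix ordering side by side with the fixed one.

```python
"""Added example: percent-decode dot segments before segment validation.

Hypothetical reconstruction of from_lockfile_path, validate_path_segments
and ensure_path_within; not the project's own code.
"""
from pathlib import Path
import re
import tempfile

SCHEME = "cowork://"
# Only %2e / %2E is in scope for this issue; other %xx sequences are left
# as literal text (assumption matching the issue's "Not in scope" note).
DOT_ESCAPE = re.compile(r"%2e", re.IGNORECASE)


class LockfilePathError(ValueError):
    """Raised when a cowork:// path fails parse-time validation."""


def decode_dot_escapes(segment: str) -> str:
    """Turn %2e / %2E into '.' so traversal is visible to the validator."""
    return DOT_ESCAPE.sub(".", segment)


def validate_path_segments(segments: list[str]) -> list[str]:
    """Reject empty, '.', '..' and separator/NUL-bearing segments."""
    for seg in segments:
        if seg in ("", ".", ".."):
            raise LockfilePathError(f"traversal or empty segment rejected: {seg!r}")
        if "\\" in seg or "\0" in seg:
            raise LockfilePathError(f"illegal character in segment: {seg!r}")
    return segments


def from_lockfile_path(uri: str, decode_before_validate: bool = True) -> str:
    """Parse cowork://a/b/c into the relative path 'a/b/c'.

    decode_before_validate=False reproduces the pre-fix ordering from the
    observation: an encoded '..' is not seen by validate_path_segments.
    """
    if not uri.startswith(SCHEME):
        raise LockfilePathError(f"not a {SCHEME} URI: {uri!r}")
    raw = uri[len(SCHEME):].split("/")
    segments = [decode_dot_escapes(s) for s in raw] if decode_before_validate else raw
    validate_path_segments(segments)
    return "/".join(segments)


def is_rejected_at_parse_time(uri: str, decode_before_validate: bool = True) -> bool:
    """True when parsing raises LockfilePathError (the desired outcome)."""
    try:
        from_lockfile_path(uri, decode_before_validate)
    except LockfilePathError:
        return True
    return False


def ensure_path_within(root: Path, relative: str) -> Path:
    """Resolution-time containment check: the mitigation that exists today."""
    root = root.resolve()
    target = (root / relative).resolve()
    if target != root and root not in target.parents:
        raise LockfilePathError(f"{target} escapes {root}")
    return target


def demo_containment() -> tuple[bool, bool]:
    """Show ensure_path_within keeping an in-root path and rejecting '../'."""
    root = Path(tempfile.mkdtemp())  # constructed scratch root
    inside = ensure_path_within(root, "skills/tool/Lockfile")
    try:
        ensure_path_within(root, "../escape")
        escape_rejected = False
    except LockfilePathError:
        escape_rejected = True
    return inside.is_relative_to(root.resolve()), escape_rejected


if __name__ == "__main__":
    print(from_lockfile_path("cowork://skills/tool/Lockfile"))
    print(is_rejected_at_parse_time("cowork://skills/%2e%2e/escape"))
    print(is_rejected_at_parse_time("cowork://skills/%2e%2e/escape", False))
    print(demo_containment())
```

With decode_before_validate=False the encoded segment passes validate_path_segments untouched, so the rejection is left to ensure_path_within at resolution time; with the fix the same URI fails at parse time with a clear error, which is the acceptance criterion. Both layers stay in place: the parse-time check gives a precise error, the resolution-time check remains the backstop.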
Acceptance criteria
from_lockfile_path decodes percent-encoded segments before calling validate_path_segments.
cowork://skills/%2e%2e/escape is rejected at parse time with a clear error, not silently resolved.
Not in scope
Other %xx sequences beyond %2e/%2E. File a separate issue if we decide to accept arbitrary percent-decoding in lockfile paths.
/cc panel review: #913