fix(#2032): suppress macOS AppleDouble files in sandbox uploads#2040

Merged
rh-hemartin merged 1 commit into main from agent/2032-macos-tar-appledouble
Jun 9, 2026

@fullsend-ai-coder

Contributor

On macOS, bsdtar generates ._* companion files for any file with extended attributes (com.apple.quarantine, etc.). When UploadDir creates a tarball without suppressing this behavior, ._* files get baked into the archive. After the sandbox round-trip, these files land in .git/objects/pack/ and corrupt the git repository when git tries to parse them as pack indices.

Changes:

  • UploadDir: set COPYFILE_DISABLE=1 in the tar command environment
    to prevent bsdtar from generating AppleDouble files. This env var
    is a no-op on Linux.
  • sanitizeDownload: remove ._* files inside .git/ directories as a
    defense-in-depth measure, catching any AppleDouble files that
    arrive via other transfer paths.
  • Add inGitDir helper to check if a path is inside a .git directory.
  • Add tests: fake-tar env capture for COPYFILE_DISABLE, AppleDouble
    removal in sanitizeDownload, and inGitDir unit tests.

Note: pre-commit could not run (gitleaks Go install failed due to sandbox permission issues on /sandbox/go/pkg/mod/cache). go vet and go test passed.


Closes #2032

Post-script verification

  • Branch is not main/master (agent/2032-macos-tar-appledouble)
  • Secret scan passed (gitleaks — 4cd660565f8abfc3bd1f0f697488a2e8e408101f..HEAD)
  • Pre-commit hooks passed (authoritative run on runner)
  • Tests ran inside sandbox
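
The two layers named in the description above, sketched as an added example that is not the project's code: the helper names (`tarCommand`, `insideGitDir`, `removeAppleDouble`) and the tar arguments are assumptions; only `COPYFILE_DISABLE=1` and the rule "remove `._*` inside `.git/`" come from the description.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// Added example: helper names and tar arguments are assumptions, not the project's code.
// tarCommand sets COPYFILE_DISABLE=1 so macOS bsdtar emits no ._* entries (ignored on Linux).
func tarCommand(srcDir, archive string) *exec.Cmd {
	cmd := exec.Command("tar", "-czf", archive, "-C", srcDir, ".")
	cmd.Env = append(os.Environ(), "COPYFILE_DISABLE=1") // last duplicate key wins
	return cmd
}

// insideGitDir reports whether any parent directory component of rel is exactly ".git".
func insideGitDir(rel string) bool {
	dir := "/" + filepath.ToSlash(filepath.Dir(rel)) + "/"
	return strings.Contains(dir, "/.git/")
}

// removeAppleDouble deletes non-directory ._* entries under any .git directory
// below root and returns the slash-separated relative paths it removed.
func removeAppleDouble(root string) ([]string, error) {
	var removed []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		if d.IsDir() || !strings.HasPrefix(d.Name(), "._") || !insideGitDir(rel) {
			return nil // keep directories, ordinary files, and ._* outside .git
		}
		if err := os.Remove(p); err != nil {
			return err
		}
		removed = append(removed, filepath.ToSlash(rel))
		return nil
	})
	return removed, err
}

func main() {
	cmd := tarCommand("workdir", "upload.tgz") // constructed paths
	fmt.Println(cmd.Args, cmd.Env[len(cmd.Env)-1])
}
```

Matching on the exact `.git` path component keeps directories such as `.github/` out of scope, and `._*` files outside `.git/` are left alone.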

@github-actions

github-actions Bot commented Jun 8, 2026


Site preview

Preview: https://1bb6b81b-site.fullsend-ai.workers.dev

Commit: 58cc44399e41698774bb940fb950bb392ad8d911

@fullsend-ai-review


🤖 Review · Started 6:15 PM UTC
Commit: d0ac11b · View workflow run →

@fullsend-ai-review


Review

Findings

Low

  • [naming-convention] internal/sandbox/sandbox.go:32 — The sanitizeDownload function lacks a doc comment, unlike other private helpers in this file (buildProviderArgs, effectiveReadyTimeout, createOnce, collectPodmanLogs). This is pre-existing and not introduced by this PR, but worth addressing for consistency.
    Remediation: Add a doc comment to sanitizeDownload describing its purpose (removing dangerous symlinks, .git/hooks/, and AppleDouble files from downloaded sandbox content).

Info

  • [no-issues] The new code is clean: COPYFILE_DISABLE=1 correctly suppresses macOS bsdtar AppleDouble file generation, and the defense-in-depth ._* removal in sanitizeDownload is properly scoped to .git/ directories. The inGitDir helper is well-tested with 5 unit test cases, and TestSanitizeDownload_RemovesAppleDoubleInGitDir validates both removal inside .git/ and preservation outside it. No correctness, security, or intent concerns found.

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jun 8, 2026
@fullsend-ai-review


🤖 Finished Review · ✅ Success · Started 6:15 PM UTC · Completed 6:20 PM UTC
Commit: d0ac11b · View workflow run →

@rh-hemartin rh-hemartin added this pull request to the merge queue Jun 9, 2026
Merged via the queue into main with commit e44bae7 Jun 9, 2026
12 checks passed
@rh-hemartin rh-hemartin deleted the agent/2032-macos-tar-appledouble branch June 9, 2026 08:43
@fullsend-ai-retro

fullsend-ai-retro Bot commented Jun 9, 2026


🤖 Finished Retro · ✅ Success · Started 8:46 AM UTC · Completed 8:51 AM UTC
Commit: ba204cb · View workflow run →

@fullsend-ai-retro


Retro: PR #2040 — suppress macOS AppleDouble files in sandbox uploads

Workflow quality: Excellent. This was a clean, single-iteration workflow with no rework.

Timeline

  1. Issue #2032 ("macOS tar includes ._* AppleDouble files in UploadDir, corrupting .git on round-trip") filed for macOS AppleDouble files corrupting git in sandbox uploads
  2. Code agent produced PR #2040 ("fix(#2032): suppress macOS AppleDouble files in sandbox uploads") with a single well-structured commit (2026-06-08 18:11 UTC)
  3. Review agent ran in ~5 minutes, approved with 1 Low (pre-existing missing doc comment) and 1 Info (code is clean)
  4. Human approved ~14h later without comments
  5. PR merged, all CI passed

Assessment

  • Review quality: Good. The review correctly identified no issues with the new code and appropriately flagged a pre-existing doc comment gap as Low severity.
  • Rework rate: Zero — code agent got it right on the first attempt.
  • Token cost: Reasonable — single code pass, single review pass, no fix cycles.
  • Time to resolution: ~14.5h open-to-merge, dominated by human review scheduling (not agent performance).

Existing coverage

The one minor observation — the review agent using APPROVE verdict when findings are only pre-existing or informational — is already tracked by #2057. No new proposals warranted.
