
Python Symlink escape is not prevented #1031

@Richard-Barrett


Describe the bug

Bug 3: Symlink escape is not prevented

Description

Even if the path string passes validation, the code does not protect against symlinks that point outside the working directory.

Impact

  • A symlinked requirements file could allow reading or overwriting files outside the repository.
  • Potential security risk in CI environments.

Suggested Fix

Resolve and validate real paths using filepath.EvalSymlinks() before reading or writing.


Current behavior

If the target file path is a symlink, the code follows it without verifying where it resolves to. Even if the symlink points outside the repository, the file is still read or written.

Reproduction steps

Run As Is

Expected behavior

If the requirements/descriptor file is a symlink, Frogbot should:

  • Resolve the symlink target (realpath), and
  • Ensure the resolved target is still within the workspace.
  • If it points outside, the operation should be rejected with a clear error.

JFrog Frogbot version

LATEST

Package manager info

Python

Git provider

GitHub

JFrog Frogbot configuration yaml file

Default

Operating system type and version

ALL

JFrog Xray version

LATEST
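The check described under "Expected behavior" (resolve with `filepath.EvalSymlinks()`, then confirm the real path is still inside the workspace), as an added Go example that is not Frogbot's own code: `resolveWithinWorkspace` and `demoWorkspace` are names assumed here, and the temp-dir layout with a genuine requirements file plus a symlink to a file outside the repo is constructed for the demo.

```go
package main
import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)
// resolveWithinWorkspace returns the real path of target (via filepath.EvalSymlinks)
// only if it still lies under workspace; the root is resolved too so both sides compare alike.
func resolveWithinWorkspace(workspace, target string) (string, error) {
	root, err := filepath.EvalSymlinks(workspace)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(target)
	if err != nil {
		return "", err // dangling or unreadable link: reject rather than guess
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { // real file is outside root
		return "", fmt.Errorf("%s resolves to %s, outside workspace %s", target, resolved, root)
	}
	return resolved, nil
}
// demoWorkspace builds a constructed layout under a temp dir: repo/requirements.txt (genuine),
// secret.txt outside the repo, and repo/requirements-dev.txt, a symlink to that outside file.
func demoWorkspace() (workspace, genuine, escaping string, err error) {
	base, err := os.MkdirTemp("", "frogbot-symlink-demo")
	if err != nil {
		return
	}
	workspace = filepath.Join(base, "repo")
	genuine = filepath.Join(workspace, "requirements.txt")
	escaping = filepath.Join(workspace, "requirements-dev.txt")
	outside := filepath.Join(base, "secret.txt")
	if err = os.Mkdir(workspace, 0o755); err != nil {
		return
	}
	if err = os.WriteFile(genuine, []byte("requests==2.31.0\n"), 0o644); err != nil {
		return
	}
	if err = os.WriteFile(outside, []byte("not for the bot\n"), 0o600); err != nil {
		return
	}
	err = os.Symlink(outside, escaping) // the caller removes filepath.Dir(workspace) when done
	return
}
```

With this layout, `requirements.txt` is accepted and `requirements-dev.txt` is rejected even though its path string lives inside the repo.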
