
Replace securejoin.SecureJoin with handle-based pathrs APIs to eliminate TOCTOU #10

Draft

Copilot wants to merge 6 commits into master from copilot/refactor-to-securejoin-methods

Conversation


Copilot AI commented Feb 13, 2026

  • Use pathrs TOCTOU-safe APIs (MkdirAllHandle, OpenatInRoot, Reopen) on Linux
  • Provide cross-platform fallback using securejoin.SecureJoin for macOS/Windows
  • Split into platform-specific files (unzip_linux.go, unzip_other.go)
  • Shared writeExtractedFile helper in gozip.go
  • All 3 tests pass on Linux
  • Cross-compiles successfully for macOS and Windows
  • CodeQL: 0 alerts


Copilot AI and others added 2 commits February 13, 2026 11:45
…d securejoin.SecureJoin for file paths

Co-authored-by: sanderhahn <775103+sanderhahn@users.noreply.github.com>
Co-authored-by: sanderhahn <775103+sanderhahn@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Refactor to use cyphar/filepath-securejoin for TOCTOU safety" to "Replace TOCTOU-vulnerable os.MkdirAll with pathrs.MkdirAll from filepath-securejoin" Feb 13, 2026
Copilot AI requested a review from sanderhahn February 13, 2026 11:47
Copilot AI and others added 2 commits February 13, 2026 11:56
…lHandle for TOCTOU safety

Co-authored-by: sanderhahn <775103+sanderhahn@users.noreply.github.com>
Co-authored-by: sanderhahn <775103+sanderhahn@users.noreply.github.com>
Copilot AI changed the title from "Replace TOCTOU-vulnerable os.MkdirAll with pathrs.MkdirAll from filepath-securejoin" to "Replace securejoin.SecureJoin with handle-based pathrs APIs to eliminate TOCTOU" Feb 13, 2026
gozip.go Outdated
}
defer dirHandle.Close()

filePath := fmt.Sprintf("/proc/self/fd/%d/%s", dirHandle.Fd(), baseName)
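Review bot: `/proc/self/fd/%d/%s` depends on procfs, so this open path is Linux-only and will fail at runtime on macOS and Windows; either guard the file with `//go:build linux` and provide a portable fallback, or open the final component relative to the directory handle directly (an openat-style call with O_NOFOLLOW, or pathrs' OpenatInRoot) so that `baseName` is not re-resolved as a string path and a symlink by that name in the extracted tree is not followed. Also note that a path built from `dirHandle.Fd()` is only valid while `dirHandle` is open, so the deferred `Close` must remain after the last use of `filePath`.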
Owner

This is Linux specific. Can you ensure that the code runs on all systems?

Owner

@copilot please address this issue

Author

Split the implementation into platform-specific files in c3e887e:

  • unzip_linux.go (//go:build linux): uses TOCTOU-safe pathrs APIs (MkdirAllHandle, OpenatInRoot, Reopen)
  • unzip_other.go (//go:build !linux): falls back to securejoin.SecureJoin for macOS/Windows/others
  • gozip.go: shared writeExtractedFile helper

Verified cross-compilation succeeds for GOOS=darwin and GOOS=windows.

- unzip_linux.go: TOCTOU-safe pathrs APIs (MkdirAllHandle, OpenatInRoot, Reopen)
- unzip_other.go: securejoin.SecureJoin fallback for macOS/Windows/others
- gozip.go: shared writeExtractedFile helper

Co-authored-by: sanderhahn <775103+sanderhahn@users.noreply.github.com>