fix(core): block symlink-based path escape in studio-api isSafePath

[jrusso1020]

What

Harden HyperFrames' path-traversal guards against symlink-based directory escape, on the surfaces where that's actually a vulnerability, and remove the duplicated/incomplete containment logic that let it slip through review (#465).

• packages/core/src/safePath.ts (new) — isSafePath canonicalizes with realpath (the core fix), promoted to a neutral package-root module so every layer can share one implementation. studio-api/helpers/safePath.ts re-exports it for back-compat (keeps walkDir); also exported from the core entrypoint.
• studio-api/routes/render.ts — body.composition (attacker-controlled JSON) now routed through isSafePath (raised in review).
• cli/commands/play.ts — the /composition/* server route now routed through isSafePath.
• compiler/htmlBundler.ts — both containment checks (the safePath helper + the inline CSS @import check) now use isSafePath.
• studio-api/routes/files.ts + preview.ts get the fix transparently via the shared helper.

Supersedes #465 (same vulnerability class for isSafePath, but no tests and it missed every other call site).

Why

path.resolve() collapses ./.. but does not dereference symlinks. The old checks were string prefix tests (resolved.startsWith(resolve(base) + sep)):

• ../../etc/passwd was already blocked (resolves outside base).
• A symlink inside the project pointing outside it (project/link -> /etc) was not — resolve(project/link/x) is still lexically under project/, so the guard passed and a downstream readFileSync/statSync/serve/inline followed the link out of the root.

The threat is a shared/cloned project carrying a pre-planted symlink: on a surface that serves or bakes file contents, that's an arbitrary-file-read primitive on the host (CWE-59 / CWE-22).

How

isSafePath canonicalizes both sides with realpathSync before comparing, walks up to the deepest existing ancestor for not-yet-existing write targets, and fails closed if base is unresolvable. In-project symlinks that stay inside the root are still allowed — only escapes are rejected. Documented residual: TOCTOU between check and fs call (inherent; not claiming O_NOFOLLOW).

Scope — why some surfaces are fixed and others intentionally are not

A symlink-escape is a bug only where the path check is the sole boundary (no sandbox) and the surface gives an exfiltration channel. By that test:

Fixed (sole boundary + exfil path, external access never intended):

• studio-api files/preview/render and CLI play — local HTTP servers; a malicious project's own preview HTML can fetch() the symlinked path and POST it out.
• htmlBundler — inlines content into shareable self-contained HTML, and it already rejected .., so the symlink path was an accidental hole, not a feature.

Intentionally NOT changed:

• producer isPathInside family (services/fileServer.ts, services/htmlCompiler.ts, utils/paths.ts, …) — the producer deliberately supports out-of-project assets: toExternalAssetKey/hf-ext copies external files into the render sandbox, and fileServer.ts documents "keep this lexical so project symlinks to sibling asset directories behave like preview mode." Realpath-blocking there would break a feature. (Verified: the producer does not import bundleToSingleHtml, so this PR's bundler change cannot affect it.)
• engine videoFrameExtractor.resolveProjectRelativeSrc — project-relative <video src> resolution; external assets use the separate absolute-path channel. Low severity (the rendered output stays with the renderer; cloud renders are sandboxed) and the correct fix is a caller-side gate, not a resolver-internal filter. Tracked for a possible stacked follow-up depending on cloud-render isolation.
• cli/utils/renderArgs.ts — filesystem-free by design (injected stat); threat model is the user's own --composition CLI arg.

A separate stacked PR will route preview.ts/render.ts project-path resolution through the single resolveProjectPath/resolveWithinProject chokepoint, so a future route can't reintroduce this by forgetting the check — the structural root cause of why #465 missed render.ts.

Test plan

• Unit tests — safePath.test.ts (10 cases) + render.test.ts "composition path safety" (4 cases) + htmlBundler.test.ts symlink-escape case (in-project script inlined, symlinked-external not leaked). Symlink cases fail against the old code.
• @hyperframes/core (1480 tests) + @hyperframes/cli (744 tests) pass; tsc --noEmit (core + cli + engine), oxlint, oxfmt --check all clean.
• Docs — n/a (internal helpers/routes)

🤖 Generated with Claude Code

[miguel-heygen]

Missed call site — same vulnerable pattern at render.ts:83

Excellent fix and thorough test suite. The isSafePath implementation and the 10 test cases are sound. One blocker:

blocker — packages/core/src/studio-api/routes/render.ts:83 still uses the old vulnerable startsWith pattern:

const resolved = resolve(project.dir, body.composition);
if (!resolved.startsWith(resolve(project.dir) + sep)) { …

body.composition is attacker-controlled (deserialized from c.req.json()). This is the same symlink-escape class this PR closes — resolve() doesn't dereference symlinks, so a project carrying body.composition = "link/secret.hf" where link → /etc still passes this check and the path is forwarded downstream. The PR description scopes the fix to routes/files.ts and routes/preview.ts, but this third call site was missed (Rule 2: every site that satisfies the same contract must be fixed).

Fix: replace with isSafePath(project.dir, resolved):

const resolved = resolve(project.dir, body.composition);
if (!isSafePath(project.dir, resolved)) {
  return c.json({ error: "composition path must be within the project directory" }, 400);
}

And import isSafePath in render.ts.

Strengths:

• safePath.ts — clean incremental ancestor walk with correct trailing.reverse() to reassemble the final path. Fail-closed on unresolvable base is the right default.
• safePath.test.ts — covers the TOCTOU-adjacent cases (write target under symlinked parent, file symlink to outside, in-base symlink allowed, macOS /var → /private/var canonicalization). These are exactly the cases that break naive implementations.

Note: CI is still running (Test, CLI smoke, regression-shards pending). Posting now because the render.ts finding is a blocker-class security issue that can be addressed in parallel.

Verdict: REQUEST CHANGES
Reasoning: Same vulnerability class present at render.ts:83; all other changes are correct and the implementation is solid — this is a one-line fix away from approval.

— Via

[jrusso1020]

Thanks — good catch, confirmed against source and fixed in e7127cd.

render.ts:83 (blocker) — fixed. body.composition now goes through isSafePath(project.dir, resolved). Added a composition path safety block to render.test.ts: in-base allow, .. reject, in-project-symlink-to-outside reject, in-project-symlink-staying-inside allow.

I then swept every startsWith-style containment check in the repo (Rule 2). One more site is the same HTTP contract and I folded it in:

packages/cli/src/commands/play.ts:128 — fixed. The /composition/* route used filePath.startsWith(project.dir) with no trailing-separator guard, so it was actually weaker than the others — a sibling dir sharing the prefix (<projectdir>-evil) escaped in addition to symlinks. Now uses isSafePath via @hyperframes/core/studio-api (the lazy-import pattern commands/validate.ts already uses).

Two more sites carry the same class but I deliberately did not fold them into this PR — flagging for your call:

1. packages/core/src/compiler/htmlBundler.ts — the safePath helper (L24) and an inline @import containment check (L158). Same symlink-escape, and since the bundler inlines the file, an out-of-tree symlink bakes external content into the output. But compiler/ sits below studio-api/ in the dep graph (studio-api imports compiler, not vice-versa), so it can't import isSafePath without a backwards edge. The clean fix is to promote isSafePath to a neutral module both layers can share — a small refactor that touches the public export surface and the compile/regression path, so it deserves its own focused review. Happy to fold it in here if you'd prefer, or land it as an immediate fast-follow.
2. renderArgs.ts:160 and engine/.../videoFrameExtractor.ts:538 — both already have the + sep trailing guard and a local-CLI / engine-internal threat model (not remotely reachable), so lower priority; no symlink canonicalization yet.

CI was green on the prior commit; re-running now. Ready for re-review.

[jrusso1020]

Update — the htmlBundler fix landed (helper promoted to a neutral package-root module so the compiler can share it without a backwards dep on studio-api), plus a symlink-escape test. PR description rewritten to match.

I also chased the rest of the startsWith/relative()-based containment checks and want to be explicit about what I'm not touching and why, so nobody "fixes" it the wrong way later:

• producer isPathInside family (services/fileServer.ts:49, utils/paths.ts:44, compiler/assetPaths.ts:33 + callers in htmlCompiler.ts/render/shared.ts): the producer intentionally supports out-of-project assets — toExternalAssetKey/hf-ext copies them into the sandbox, and fileServer.ts:600 literally says "keep this lexical so project symlinks to sibling asset directories behave like preview mode." Switching those to realpath would break that feature. (And bundleToSingleHtml is never imported by the producer, so this PR's bundler change can't reach it.)
• engine videoFrameExtractor.resolveProjectRelativeSrc: low severity (output stays with the renderer; cloud is sandboxed), and a resolver-internal filter is defeated by its ?? join(baseDir, cleanSrc) fallback — the correct fix is a caller-side gate in extractAllVideoFrames. Holding it pending whether cloud renders are per-tenant isolated; happy to do it as a stacked PR if you want the belt-and-suspenders.
• cli/utils/renderArgs.ts: filesystem-free by design (injected stat); threat model is the user's own CLI arg. Left as-is.

One thing worth your eyes: this makes studio-api/play/bundler reject in-project symlinks that escape the root, while the producer allows them by design. That divergence is intentional (different trust contexts — serve-to-client vs. sandboxed copy-in), but if symlinking an external shared-asset dir into a project and previewing it is a workflow we actually support, this changes that behavior on the studio surface. Flagging so it's a conscious call.

Follow-up stacked PR incoming to route preview.ts/render.ts through the single path chokepoint (the structural reason #465 missed render.ts).

[miguel-heygen]

✅ All prior findings addressed

render.ts:83 blocker (mine) — Fixed. body.composition now routed through isSafePath(project.dir, resolved), import added. Four new route tests cover in-base allow, .. reject, in-project symlink escaping → reject, in-project symlink staying inside → allow. resolveProject corrected to return a real tmpdir() so realpathSync doesn't fail closed on /tmp/proj.

Windows tryCreateSymlink convention (Rames #1) — Fixed. All new symlink tests in safePath.test.ts, render.test.ts, and htmlBundler.test.ts use the tryCreateSymlink/early-return pattern.

htmlBundler parallel vuln (Rames #2) — Fixed and done cleanly: isSafePath promoted to packages/core/src/safePath.ts (neutral package-root module), compiler imports it directly without a backwards dep on studio-api. Both the safePath() wrapper and the inline CSS @import check now route through isSafePath. Symlink-escape test added.

trailing.reverse() nit (Rames #3) — Fixed: [...trailing].reverse().

CLI play.ts — Correct sweep of the same HTTP contract. Was also missing the +sep trailing-separator guard. Now uses isSafePath via lazy import (matching commands/validate.ts pattern).

CI — Test failure (projects.test.ts:85) is pre-existing on main (confirmed: same job, same file:line on the main branch run at e2cc134c). The #1400 unblocker is the fix; not caused by this PR.

---

One nit (not a blocker): htmlBundler.test.ts — security marker mismatch

The test file written to disk is:

writeFileSync(join(external, "secret.js"), `window.__HF_SECRET__="SECRET...AKED";`);

But the assertion checks:

expect(bundled).not.toContain("SECRET_MARKER_LEAKED");

"SECRET_MARKER_LEAKED" never appears anywhere in the bundle — the string written is "SECRET...AKED". The negative assertion is always trivially true regardless of whether the symlink escape is blocked. The positive control (LOCAL_MARKER_INLINED) is fine. Quick fix: change the file content to use "SECRET_MARKER_LEAKED" as the literal string, or change the assertion to not.toContain("SECRET...AKED").

---

Strengths:

• Promotion to a package-root module is the right structural call. compiler/ sitting below studio-api/ in the dep graph made the backwards-import problem real; this resolves it cleanly.
• The isSafePath algorithm (ancestor-walk + realpath + fail-closed on unresolvable base) is sound. The [...trailing].reverse() defensive copy is good practice.
• The intentional-not-fixed scope (producer lexical-symlink feature, engine, renderArgs.ts) is well-documented with rationale in both the PR body and inline comments.

Verdict: APPROVE
Reasoning: All blockers and nits from prior rounds addressed. Remaining item is a minor test marker mismatch (trivially-true negative assertion) that doesn't affect correctness of the fix — the guard works, the positive control confirms the bundler ran. Happy to see it fixed in #1398 or a fast-follow.

— Via