fix(session): prevent symlink attacks in FileSessionManager#2937
Open
manus-use wants to merge 1 commit into
Open
fix(session): prevent symlink attacks in FileSessionManager#2937manus-use wants to merge 1 commit into
manus-use wants to merge 1 commit into
Conversation
The FileSessionManager defaulted to storing session data in /tmp/strands/sessions/ (a world-writable directory) using predictable .tmp file paths that follow symlinks. A local attacker could exploit this for: - Arbitrary file overwrite via symlink at the .tmp path - Persistent prompt injection via session data tampering Changes: - Default storage directory moved from /tmp/ to ~/.strands/sessions/ (user-private, respects XDG_DATA_HOME on Linux) - _write_file() now uses tempfile.mkstemp() for unpredictable temp names - Both _read_file() and _write_file() refuse to follow symlinks - All directory creation uses mode=0o700 (owner-only) - Temp files are cleaned up on write failure Fixes GHSA-3w55-933p-8pv5
github-actions
Bot
added
size/m
area-persistence
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a local privilege escalation vulnerability (GHSA-3w55-933p-8pv5) in
FileSessionManagerwhere the default use of/tmp/strands/sessions/with predictable.tmpfile paths enables symlink attacks and session data injection.Changes
Secure default storage directory — Changed from
/tmp/strands/sessions/to~/.strands/sessions/(user-private). Respects$XDG_DATA_HOMEon Linux and%LOCALAPPDATA%on Windows.Unpredictable temp files — Replaced
f"{path}.tmp"withtempfile.mkstemp()which generates cryptographically random filenames, eliminating the predictable write target.Symlink protection — Both
_read_file()and_write_file()now checkos.path.islink()and refuse to operate on symlinks, blocking the attack vector entirely.Restrictive permissions — All directory creation uses
mode=0o700(owner read/write/execute only).Cleanup on failure — If
json.dump()oros.replace()fails, the temp file is removed in the exception handler.Testing
test_file_session_manager.pytests pass unchangedtest_file_session_symlink_protection.pycovering:Breaking Change Note
The default
storage_dirchanges from/tmp/strands/sessions/to~/.strands/sessions/. Existing sessions stored in/tmpwill not be automatically migrated. Users who explicitly passstorage_dirare unaffected.