fix: TOCTOU race in setup symlink creation (C6)

Remove the existence check before mkdir -p (it's idempotent) and validate the target isn't already a symlink before creating the link. Prevents a local attacker from racing between the check and mkdir to redirect SKILL.md writes. Closes C6 from security audit #783. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-05 05:05:08 +02:00 · 2026-04-04 21:22:24 -07:00
parent c7fc5e5ca9
commit 37e4cf5754
1 changed files with 6 additions and 5 deletions
@@ -296,11 +296,12 @@ link_claude_skill_dirs() {
        rm -f "$target"
      fi
      # Create real directory with symlinked SKILL.md (absolute path)
-      if [ ! -e "$target" ] || [ -d "$target" ]; then
-        mkdir -p "$target"
-        ln -snf "$gstack_dir/$dir_name/SKILL.md" "$target/SKILL.md"
-        linked+=("$link_name")
-      fi
+      # Use mkdir -p unconditionally (idempotent) to avoid TOCTOU race
+      mkdir -p "$target"
+      # Validate target isn't a symlink before creating the link
+      if [ -L "$target/SKILL.md" ]; then rm "$target/SKILL.md"; fi
+      ln -snf "$gstack_dir/$dir_name/SKILL.md" "$target/SKILL.md"
+      linked+=("$link_name")
    fi
  done
  if [ ${#linked[@]} -gt 0 ]; then