Skip to content

chore: sync core lib and CLAUDE.md from agent-core#17

Merged
avifenesh merged 1 commit into
mainfrom
chore/sync-core-learn-20260426-152016
Apr 26, 2026
Merged

chore: sync core lib and CLAUDE.md from agent-core#17
avifenesh merged 1 commit into
mainfrom
chore/sync-core-learn-20260426-152016

Conversation

@avifenesh
Copy link
Copy Markdown
Contributor

@avifenesh avifenesh commented Apr 26, 2026
edited by cursor Bot
Loading

Automated sync of lib/ and CLAUDE.md from agent-core.

Note

Medium Risk
Changes file read/write behavior in the auto-fixer by rejecting symlink targets, which could affect workflows that rely on symlinked files and impacts write/restore paths.

Overview
Adds a new assertNotSymlink guard and applies it throughout lib/enhance/fixer.js to refuse reading, backing up, restoring, or writing any file path that is a symlink.

applyFixes now checks the target path before reading and again immediately before writing (plus validates the .backup path), and restoreFromBackup similarly refuses symlinked backup/target paths to prevent symlink-based overwrite attacks.

Reviewed by Cursor Bugbot for commit d565a0b. Configure here.

@gemini-code-assist
Copy link
Copy Markdown

gemini-code-assist Bot commented Apr 26, 2026

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@avifenesh avifenesh merged commit e28ea11 into main Apr 26, 2026
5 checks passed
@avifenesh avifenesh deleted the chore/sync-core-learn-20260426-152016 branch April 26, 2026 15:24
cursor[bot]
cursor Bot reviewed Apr 26, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit d565a0b. Configure here.

Comment thread lib/enhance/fixer.js
if (backup) {
const backupPath = `${filePath}.backup`;
// Refuse if the backup slot itself is a pre-existing symlink.
assertNotSymlink(backupPath);
Copy link
Copy Markdown

@cursor cursor Bot Apr 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Backup symlink error misattributed to original file path

Low Severity

assertNotSymlink(backupPath) on the backup slot has no dedicated try/catch, so an ESYMLINK_REFUSED error falls through to the outer catch, which records the error against filePath (the original file) rather than backupPath. The generic message "target is a symlink; refusing to follow" doesn't identify which path is the symlink. A consumer investigating this error would look at the original file—which is a regular file—and find nothing wrong, while the actual symlink at ${filePath}.backup goes uninvestigated. The pre-read symlink check already demonstrates the correct pattern with a dedicated inner try/catch that adds success and reason fields.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit d565a0b. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@avifenesh