fix: refuse symlinked shared infra paths

Author: PascalThuet

src/specify_cli/shared_infra.py

@@ -58,6 +58,33 @@ def shared_scripts_source(
     return repo_root / "scripts"
 
 
+def _shared_destination_label(project_path: Path, dest: Path) -> str:
+    try:
+        return dest.relative_to(project_path).as_posix()
+    except ValueError:
+        return str(dest)
+
+
+def _ensure_safe_shared_destination(project_path: Path, dest: Path) -> None:
+    """Refuse shared infra writes that would escape or follow symlinks."""
+    root = project_path.resolve()
+    try:
+        dest.parent.resolve().relative_to(root)
+    except (OSError, ValueError):
+        label = _shared_destination_label(project_path, dest)
+        raise ValueError(f"Shared infrastructure destination escapes project root: {label}") from None
+
+    label = _shared_destination_label(project_path, dest)
+    if dest.is_symlink():
+        raise ValueError(f"Refusing to overwrite symlinked shared infrastructure path: {label}")
+
+    if dest.exists():
+        try:
+            dest.resolve().relative_to(root)
+        except (OSError, ValueError):
+            raise ValueError(f"Shared infrastructure destination escapes project root: {label}") from None
+
+
 def refresh_shared_templates(
     project_path: Path,
     *,
@@ -85,6 +112,7 @@ def refresh_shared_templates(
             continue
 
         dst = dest_templates / src.name
+        _ensure_safe_shared_destination(project_path, dst)
         rel = dst.relative_to(project_path).as_posix()
         if dst.exists() and not force:
             if rel not in tracked_files or rel in modified:
@@ -136,6 +164,7 @@ def install_shared_infra(
 
                 rel_path = src_path.relative_to(variant_src)
                 dst_path = dest_variant / rel_path
+                _ensure_safe_shared_destination(project_path, dst_path)
                 if dst_path.exists() and not force:
                     skipped_files.append(str(dst_path.relative_to(project_path)))
                     continue
@@ -154,6 +183,7 @@ def install_shared_infra(
                 continue
 
             dst = dest_templates / src.name
+            _ensure_safe_shared_destination(project_path, dst)
             if dst.exists() and not force:
                 skipped_files.append(str(dst.relative_to(project_path)))
                 continue

tests/integrations/test_cli.py

@@ -3,6 +3,7 @@
 import json
 import os
 
+import pytest
 import yaml
 
 from tests.conftest import strip_ansi
@@ -288,6 +289,66 @@ def test_shared_infra_warns_when_manifest_cannot_be_decoded(self, tmp_path, caps
         assert "Could not read shared infrastructure manifest" in captured.out
         assert "A new shared manifest will be created" in captured.out
 
+    @pytest.mark.skipif(not hasattr(os, "symlink"), reason="symlinks are unavailable")
+    def test_shared_infra_refuses_symlinked_script_destination(self, tmp_path):
+        """Shared script refreshes must not follow destination symlinks."""
+        from specify_cli import _install_shared_infra
+
+        project = tmp_path / "symlink-script-test"
+        project.mkdir()
+        (project / ".specify").mkdir()
+
+        outside = tmp_path / "outside-script.sh"
+        outside.write_text("# outside\n", encoding="utf-8")
+        scripts_dir = project / ".specify" / "scripts" / "bash"
+        scripts_dir.mkdir(parents=True)
+        os.symlink(outside, scripts_dir / "common.sh")
+
+        with pytest.raises(ValueError, match="Refusing to overwrite symlinked"):
+            _install_shared_infra(project, "sh", force=True)
+
+        assert outside.read_text(encoding="utf-8") == "# outside\n"
+
+    @pytest.mark.skipif(not hasattr(os, "symlink"), reason="symlinks are unavailable")
+    def test_shared_infra_refuses_symlinked_template_destination(self, tmp_path):
+        """Shared template installs must not follow destination symlinks."""
+        from specify_cli import _install_shared_infra
+
+        project = tmp_path / "symlink-template-test"
+        project.mkdir()
+        (project / ".specify").mkdir()
+
+        outside = tmp_path / "outside-template.md"
+        outside.write_text("# outside\n", encoding="utf-8")
+        templates_dir = project / ".specify" / "templates"
+        templates_dir.mkdir(parents=True)
+        os.symlink(outside, templates_dir / "plan-template.md")
+
+        with pytest.raises(ValueError, match="Refusing to overwrite symlinked"):
+            _install_shared_infra(project, "sh", force=True)
+
+        assert outside.read_text(encoding="utf-8") == "# outside\n"
+
+    @pytest.mark.skipif(not hasattr(os, "symlink"), reason="symlinks are unavailable")
+    def test_shared_template_refresh_refuses_symlinked_destination(self, tmp_path):
+        """Template-only refreshes must not follow destination symlinks."""
+        from specify_cli import _refresh_shared_templates
+
+        project = tmp_path / "symlink-refresh-test"
+        project.mkdir()
+        (project / ".specify").mkdir()
+
+        outside = tmp_path / "outside-refresh.md"
+        outside.write_text("# outside\n", encoding="utf-8")
+        templates_dir = project / ".specify" / "templates"
+        templates_dir.mkdir(parents=True)
+        os.symlink(outside, templates_dir / "plan-template.md")
+
+        with pytest.raises(ValueError, match="Refusing to overwrite symlinked"):
+            _refresh_shared_templates(project, invoke_separator=".", force=True)
+
+        assert outside.read_text(encoding="utf-8") == "# outside\n"
+
     def test_shared_infra_no_warning_when_forced(self, tmp_path, capsys):
         """No skip warning when force=True (all files overwritten)."""
         from specify_cli import _install_shared_infra