fix(init): use manual recursion in listDir to avoid symlink traversal

betegon · claude · betegon · commit fc901d5295a5 · 2026-04-06T14:53:54.000+02:00
opendir({ recursive: true }) follows symlinks into their targets before
we can filter them, causing EACCES errors that abort the entire listing.
Additionally, Bun's opendir defers ENOENT to iteration rather than
throwing at open time. Switch to non-recursive opendir with manual
walk, and add catch around iteration for robustness. Add test for
nested symlinks in recursive mode.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/lib/init/local-ops.ts b/src/lib/init/local-ops.ts
@@ -346,30 +346,11 @@ export async function handleLocalOp(
   }
 }
 
-/** Directory names that are listed at their level but never recursed into. */
+/** Directory names that are listed but never recursed into. */
 const SKIP_DIRS = new Set(["node_modules"]);
 
-/**
- * Check whether an entry is inside a hidden dir or node_modules.
- * Top-level skip-dirs (relFromTarget === "") are still listed.
- */
-function isInsideSkippedDir(relFromTarget: string): boolean {
-  if (relFromTarget === "") {
-    return false;
-  }
-  const segments = relFromTarget.split(path.sep);
-  return segments.some((s) => s.startsWith(".") || SKIP_DIRS.has(s));
-}
-
-/** Return true when a symlink resolves to a path outside `cwd`. */
-function isEscapingSymlink(
-  entry: fs.Dirent,
-  cwd: string,
-  relPath: string
-): boolean {
-  if (!entry.isSymbolicLink()) {
-    return false;
-  }
+/** Return true if a symlink escapes the project directory. */
+function isEscapingSymlink(cwd: string, relPath: string): boolean {
   try {
     safePath(cwd, relPath);
     return false;
@@ -378,62 +359,86 @@ function isEscapingSymlink(
   }
 }
 
-/** Convert a Dirent to a DirEntry, or return null if it should be skipped. */
-function toDirEntry(
-  entry: fs.Dirent,
-  cwd: string,
-  targetPath: string,
-  maxDepth: number
-): DirEntry | null {
-  const relFromTarget = path.relative(targetPath, entry.parentPath);
-  const depth = relFromTarget === "" ? 0 : relFromTarget.split(path.sep).length;
-
-  if (depth > maxDepth) {
-    return null;
-  }
-  if (isInsideSkippedDir(relFromTarget)) {
-    return null;
+/** Whether a directory entry should be recursed into. */
+function shouldRecurse(entry: fs.Dirent): boolean {
+  if (!entry.isDirectory() || entry.isSymbolicLink()) {
+    return false;
   }
+  return !(entry.name.startsWith(".") || SKIP_DIRS.has(entry.name));
+}
 
-  const relPath = path.relative(cwd, path.join(entry.parentPath, entry.name));
+type WalkContext = {
+  cwd: string;
+  recursive: boolean;
+  maxDepth: number;
+  maxEntries: number;
+  entries: DirEntry[];
+};
 
-  if (isEscapingSymlink(entry, cwd, relPath)) {
-    return null;
+/** Process a single dirent during directory walking. */
+async function processDirEntry(
+  ctx: WalkContext,
+  dir: string,
+  entry: fs.Dirent,
+  depth: number
+): Promise<void> {
+  const relPath = path.relative(ctx.cwd, path.join(dir, entry.name));
+  if (entry.isSymbolicLink() && isEscapingSymlink(ctx.cwd, relPath)) {
+    return;
   }
 
   const type = entry.isDirectory() ? "directory" : "file";
-  return { name: entry.name, path: relPath, type };
-}
+  ctx.entries.push({ name: entry.name, path: relPath, type });
 
-async function listDir(payload: ListDirPayload): Promise<LocalOpResult> {
-  const { cwd, params } = payload;
-  const targetPath = safePath(cwd, params.path);
-  const maxDepth = params.maxDepth ?? 3;
-  const maxEntries = params.maxEntries ?? 500;
-  const recursive = params.recursive ?? false;
+  if (ctx.recursive && shouldRecurse(entry)) {
+    await walkDir(ctx, path.join(dir, entry.name), depth + 1);
+  }
+}
 
-  const entries: DirEntry[] = [];
+async function walkDir(
+  ctx: WalkContext,
+  dir: string,
+  depth: number
+): Promise<void> {
+  if (ctx.entries.length >= ctx.maxEntries || depth > ctx.maxDepth) {
+    return;
+  }
 
+  let handle: fs.Dir;
   try {
-    const dir = await fs.promises.opendir(targetPath, {
-      recursive,
-      bufferSize: 1024,
-    });
+    handle = await fs.promises.opendir(dir, { bufferSize: 1024 });
+  } catch {
+    return;
+  }
 
-    for await (const dirent of dir) {
-      if (entries.length >= maxEntries) {
+  try {
+    for await (const entry of handle) {
+      if (ctx.entries.length >= ctx.maxEntries) {
         break;
       }
-      const parsed = toDirEntry(dirent, cwd, targetPath, maxDepth);
-      if (parsed) {
-        entries.push(parsed);
-      }
+      await processDirEntry(ctx, dir, entry, depth);
     }
   } catch {
-    // Directory doesn't exist or can't be read
+    // Directory unreadable (ENOENT, EACCES, etc.) — skip gracefully
+  } finally {
+    await handle.close();
   }
+}
+
+async function listDir(payload: ListDirPayload): Promise<LocalOpResult> {
+  const { cwd, params } = payload;
+  const targetPath = safePath(cwd, params.path);
+
+  const ctx: WalkContext = {
+    cwd,
+    recursive: params.recursive ?? false,
+    maxDepth: params.maxDepth ?? 3,
+    maxEntries: params.maxEntries ?? 500,
+    entries: [],
+  };
 
-  return { ok: true, data: { entries } };
+  await walkDir(ctx, targetPath, 0);
+  return { ok: true, data: { entries: ctx.entries } };
 }
 
 async function readSingleFile(
diff --git a/test/lib/init/local-ops.test.ts b/test/lib/init/local-ops.test.ts
@@ -482,6 +482,27 @@ describe("handleLocalOp", () => {
       expect(names).toContain("legit.ts");
       expect(names).not.toContain("escape-link");
     });
+
+    test("excludes nested symlinks that point outside project directory in recursive mode", async () => {
+      mkdirSync(join(testDir, "sub"));
+      writeFileSync(join(testDir, "sub", "legit.ts"), "x");
+      symlinkSync("/tmp", join(testDir, "sub", "escape-link"));
+
+      const payload: ListDirPayload = {
+        type: "local-op",
+        operation: "list-dir",
+        cwd: testDir,
+        params: { path: ".", recursive: true, maxDepth: 3 },
+      };
+
+      const result = await handleLocalOp(payload, options);
+      const entries = (result.data as { entries: Array<{ path: string }> })
+        .entries;
+      const paths = entries.map((e) => e.path);
+
+      expect(paths).toContain(join("sub", "legit.ts"));
+      expect(paths).not.toContain(join("sub", "escape-link"));
+    });
   });
 
   describe("read-files", () => {
