Problem
Both mds fmt and mds build write output files after canonicalizing the path. Between canonicalize and the actual write, an attacker could swap a symlink, causing the formatter/builder to write to an unintended location.
This is a TOCTOU (Time-of-check, time-of-use) vulnerability in both write paths. The window is small but exploitable in high-volume CI or batch scenarios.
Solution
Harden both write paths using openat + O_NOFOLLOW (or Rust equivalent):
Notes
- This is security hardening for an edge case, not an immediate critical issue.
- The pattern already exists in other MDS write code; this unifies the approach codebase-wide.
- Both
fmt and build write paths should be fixed together for consistency.
Acceptance Criteria
Reference
Surfaced in: PR #137 (mds fmt formatter) code review, deferred-to-tech-debt section.
Codebase-wide concern: applies to both fmt and build write paths.
Problem
Both
mds fmtandmds buildwrite output files after canonicalizing the path. Betweencanonicalizeand the actual write, an attacker could swap a symlink, causing the formatter/builder to write to an unintended location.This is a TOCTOU (Time-of-check, time-of-use) vulnerability in both write paths. The window is small but exploitable in high-volume CI or batch scenarios.
Solution
Harden both write paths using
openat+O_NOFOLLOW(or Rust equivalent):crates/mds-cli/src/fmt.rs(mds fmt)crates/mds-cli/src/build.rs(mds build)std::fs::OpenOptionswith custom flags, or a crate likeopenatif neededNotes
fmtandbuildwrite paths should be fixed together for consistency.Acceptance Criteria
Reference
Surfaced in: PR #137 (mds fmt formatter) code review, deferred-to-tech-debt section.
Codebase-wide concern: applies to both fmt and build write paths.