From 63f3bbf8ac624b2ca034b540447f591c1037e7d7 Mon Sep 17 00:00:00 2001
From: Martijn Laarman
Date: Wed, 6 May 2026 22:39:46 +0200
Subject: [PATCH] Harden branding image symlink check to cover ancestor directories
The previous check only tested the image file itself for symlinks. ValidateFileAccess also walks parent directories up to the doc root, rejecting symlinked or hidden intermediate directories that could be used to escape the documentation source tree.
Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 .../Builder/ConfigurationFile.cs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/Elastic.Documentation.Configuration/Builder/ConfigurationFile.cs b/src/Elastic.Documentation.Configuration/Builder/ConfigurationFile.cs
index 8f792853e..92830b12b 100644
--- a/src/Elastic.Documentation.Configuration/Builder/ConfigurationFile.cs
+++ b/src/Elastic.Documentation.Configuration/Builder/ConfigurationFile.cs
@@ -11,6 +11,7 @@
 using Elastic.Documentation.Diagnostics;
 using Elastic.Documentation.Extensions;
 using Elastic.Documentation.Links;
+using static Elastic.Documentation.Configuration.SymlinkValidator;
 namespace Elastic.Documentation.Configuration.Builder;
@@ -330,10 +331,11 @@ private static BrandingConfiguration ValidateBranding(BrandingConfiguration bran
 return null;
 }
- if (resolved.LinkTarget is not null)
+ var symlinkError = ValidateFileAccess(resolved, context.DocumentationSourceDirectory);
+ if (symlinkError is not null)
 {
 context.EmitError(context.ConfigurationPath,
- $"'{fieldName}' path '{imagePath}' is a symbolic link, which is not allowed for branding images.");
+ $"'{fieldName}' path '{imagePath}' is unsafe: {symlinkError}");
 return null;
 }
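Review bot: The new `ValidateFileAccess(resolved, context.DocumentationSourceDirectory)` check in the second hunk arrives without a regression test in this patch (the diffstat lists only ConfigurationFile.cs), so nothing pins the ancestor-directory behaviour the description relies on. Two cases would cover it: a branding image under a symlinked parent directory and one under a hidden directory, each expecting the `is unsafe:` error and no branding result. The local is named `symlinkError` although the description says hidden directories are rejected as well; `var accessError = ValidateFileAccess(...)` would describe what it holds. The enclosing function, which the hunk header names as ValidateBranding, starts and ends outside the hunk, so whether `resolved` is already confirmed to lie under the documentation source directory before this call cannot be seen here and is worth checking.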