Open
Allow kodata symlinks within the repository root#1698
kodata symlinks within the repository root#1698Conversation
Copilot created this pull request from a session on behalf of
imjasonh
July 6, 2026 15:51
View session
Contributor
There was a problem hiding this comment.
Pull request overview
This PR broadens kodata/ symlink hardening to allow in-repo symlink targets by moving the trust boundary from the package’s kodata/ directory to the repository root when it can be determined (via git rev-parse --show-toplevel), while preserving protection against symlinks that resolve outside the allowed boundary. It also adds an environment variable override for non-git builds or custom layouts.
Changes:
- Refactors package directory discovery (
packageDir) so allowed-root resolution can be derived from the package source location. - Introduces allowed-root resolution logic (
resolveKODataAllowedRoot) with precedence:KO_DATA_PATH_ALLOWED_ROOT→ git repo top-level →kodata/root fallback. - Updates
walkRecursiveto enforce symlink containment against the resolved allowed root and adds/updates tests for both allowed in-repo symlinks and rejected escaping symlinks.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/build/gobuild.go | Resolves an allowed symlink boundary (repo root / override) and applies containment checks against it during kodata/ tarring. |
| pkg/build/gobuild_test.go | Updates symlink traversal tests and adds coverage for allowed-root resolution behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
imjasonh
approved these changes
Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
kodatasymlink hardening was too narrow: it rejected symlinks to files that are part of the same repository but live outside the package’skodata/directory, which breaks common layouts like sharedLICENSEand repo-level config. This change keeps the exfiltration guard, but moves the trust boundary to the repository root when that boundary is knowable.Problem
kodata/symlinks were only allowed to resolve withinkodata/itself.Boundary resolution
git rev-parse --show-toplevel).kodata/root behavior.KO_DATA_PATH_ALLOWED_ROOTto override the boundary for non-git builds or custom monorepo layouts.Symlink enforcement
EvalSymlinks→Abs→ prefix containment check.kodata/.Refactor
kodatapath resolution so allowed-root discovery can start from the import path’s source directory.Examples covered
cmd/app/kodata/LICENSE -> ../LICENSEcmd/app/kodata/ssh-key -> ~/.ssh/id_rsa