Path validation with canonicalization and prefix checking.
Central validation for all path-based capabilities. Handles both existing
paths (canonicalize directly) and new paths (canonicalize the parent).
Rejects path traversal, empty paths, null bytes, non-ASCII paths, and
paths outside allowed_prefixes.
§Security Considerations
§Null Byte Rejection (FINDING #8)
Paths containing \0 (null byte) are rejected immediately. Null bytes
can truncate C-string path arguments in syscalls, enabling path truncation
attacks (e.g., /tmp/safe.txt\0/etc/shadow becomes /tmp/safe.txt).
§Unicode Normalization (FINDING #7)
Paths are NFC-normalized before validation, and non-ASCII paths are then rejected entirely: Unicode edge cases (homoglyphs, combining characters, normalization forms that differ from what the filesystem stores) cannot be fully mitigated without filesystem-level awareness, so only ASCII paths are accepted.
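The checks described in the module overview, the null-byte section and the Unicode section, written out as one validator. This is an added example, not the crate's own `validate_path`/`PathContext` code: the `PathError` enum, the `PathContext::new(&[&Path])` constructor, the `scratch_dir` helper and the exact order of checks are this example's assumptions. It uses only `std`; the prefix test relies on `Path::starts_with`, which compares whole components, so a string-prefix bypass such as `/tmpevil` under the prefix `/tmp` does not pass. Existing paths are canonicalized directly, new paths via their parent, and a dangling symlink (which also reports NotFound) is refused rather than treated as a fresh file.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

/// Error kinds for this example (assumed names, not the crate's).
#[derive(Debug, PartialEq)]
pub enum PathError {
    Empty,
    NullByte,
    NonAscii,
    Traversal,
    OutsideAllowed,
    Io(String),
}

/// Allowed prefixes, canonicalized once at construction so that a prefix that is
/// itself a symlink (e.g. /tmp -> /private/tmp on macOS) compares correctly.
pub struct PathContext {
    allowed_prefixes: Vec<PathBuf>,
}

impl PathContext {
    pub fn new(prefixes: &[&Path]) -> io::Result<Self> {
        let mut allowed = Vec::with_capacity(prefixes.len());
        for p in prefixes {
            allowed.push(fs::canonicalize(p)?);
        }
        Ok(Self { allowed_prefixes: allowed })
    }

    /// Validate `raw` and return the canonical path it refers to.
    pub fn validate(&self, raw: &str) -> Result<PathBuf, PathError> {
        if raw.is_empty() {
            return Err(PathError::Empty);
        }
        // A Rust String may contain NUL; the kernel would only see the bytes before it.
        if raw.contains('\0') {
            return Err(PathError::NullByte);
        }
        // Reject non-ASCII outright instead of reasoning about normalization forms.
        if !raw.is_ascii() {
            return Err(PathError::NonAscii);
        }
        let path = Path::new(raw);
        // Reject `..` lexically: a new path whose parent does not exist cannot be
        // resolved by canonicalize(), so fail closed before touching the filesystem.
        if path.components().any(|c| c == Component::ParentDir) {
            return Err(PathError::Traversal);
        }
        let resolved = match fs::canonicalize(path) {
            Ok(p) => p,
            Err(e) if e.kind() == io::ErrorKind::NotFound => {
                // A dangling symlink also yields NotFound; a later create would follow it.
                if fs::symlink_metadata(path).is_ok() {
                    return Err(PathError::Traversal);
                }
                let name = path.file_name().ok_or(PathError::Traversal)?;
                let parent = match path.parent() {
                    Some(p) if !p.as_os_str().is_empty() => p,
                    _ => Path::new("."),
                };
                fs::canonicalize(parent)
                    .map_err(|e| PathError::Io(e.to_string()))?
                    .join(name)
            }
            Err(e) => return Err(PathError::Io(e.to_string())),
        };
        // Component-wise prefix check: "/tmpevil" does not start with "/tmp".
        if self.allowed_prefixes.iter().any(|p| resolved.starts_with(p)) {
            Ok(resolved)
        } else {
            Err(PathError::OutsideAllowed)
        }
    }
}

/// Unique scratch directory under the system temp dir (helper for the demo).
pub fn scratch_dir() -> io::Result<PathBuf> {
    let dir = std::env::temp_dir().join(format!("runtimo_validate_{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    Ok(dir)
}

fn main() -> io::Result<()> {
    let ctx = PathContext::new(&[Path::new("/tmp")])?;
    let samples = ["/tmp/new-file.txt", "/tmp/../etc/passwd", "/tmp/safe.txt\0/etc/shadow", "/etc/passwd"];
    for raw in samples.iter() {
        println!("{:?} -> {:?}", raw, ctx.validate(raw));
    }
    Ok(())
}
```

The `..` rejection is deliberately lexical and happens before canonicalization: for an existing path `canonicalize()` would resolve it anyway, but for a not-yet-existing path the only thing that can be resolved is the parent, and a `..` in the final components would then be appended unchecked.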
§Symlink TOCTOU Limitation (FINDING #9)
This module canonicalizes paths via std::fs::canonicalize() which
resolves symlinks. However, a TOCTOU window exists between validation
and use: an attacker could replace a validated path with a symlink
between the two operations. Mitigations:
- Use the O_NOFOLLOW flag when opening files (where possible)
- Minimize the time between validation and use
- Full mitigation requires filesystem-level atomicity (not available in std)
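The race above played out end to end, as an added example rather than code from this crate: a regular file is validated (canonicalized), an attacker with write access to the directory replaces it with a symlink, and the same path is then opened with and without O_NOFOLLOW. The `open_validated`, `open_following`, `race_demo` and `scratch_dir` names are this example's own, and the raw O_NOFOLLOW values are an assumption so that the example builds without the `libc` crate; real code should use `libc::O_NOFOLLOW`.

```rust
use std::fs::{self, File, OpenOptions};
use std::io;
use std::os::unix::fs::OpenOptionsExt;
use std::path::{Path, PathBuf};

// Raw flag values so this builds without the `libc` crate.
// Assumption: Linux or macOS. Real code: libc::O_NOFOLLOW.
#[cfg(target_os = "linux")]
const O_NOFOLLOW: i32 = 0o400000;
#[cfg(target_os = "macos")]
const O_NOFOLLOW: i32 = 0x0100;

/// Open an already-validated path for reading, refusing to follow a symlink at
/// the final component. The kernel fails the open with ELOOP if one is there.
pub fn open_validated(path: &Path) -> io::Result<File> {
    OpenOptions::new().read(true).custom_flags(O_NOFOLLOW).open(path)
}

/// The same open without the flag, to show the default outcome of the race.
pub fn open_following(path: &Path) -> io::Result<File> {
    OpenOptions::new().read(true).open(path)
}

/// Play out the race: validate a regular file, swap it for a symlink to a file
/// the validation would have rejected, then open both ways.
/// Returns (nofollow_open_succeeded, plain_open_succeeded) after the swap.
pub fn race_demo(dir: &Path) -> io::Result<(bool, bool)> {
    let victim = dir.join("report.txt");
    // Constructed stand-in for a file outside the allowed prefixes.
    let secret = dir.join("secret.txt");
    fs::write(&victim, b"harmless")?;
    fs::write(&secret, b"do not read")?;

    // Validation step: canonicalize() sees a plain file; a prefix check would pass.
    let validated = fs::canonicalize(&victim)?;
    assert!(fs::symlink_metadata(&validated)?.file_type().is_file());

    // The TOCTOU window: the validated path is replaced by a symlink.
    fs::remove_file(&validated)?;
    std::os::unix::fs::symlink(&secret, &validated)?;

    let nofollow = open_validated(&validated).is_ok();
    let follow = open_following(&validated).is_ok();
    Ok((nofollow, follow))
}

/// Unique scratch directory under the system temp dir (helper for the demo).
pub fn scratch_dir() -> io::Result<PathBuf> {
    let dir = std::env::temp_dir().join(format!("runtimo_toctou_{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    Ok(dir)
}

fn main() -> io::Result<()> {
    let dir = scratch_dir()?;
    let (nofollow, follow) = race_demo(&dir)?;
    println!("O_NOFOLLOW open succeeded after swap: {}", nofollow);
    println!("plain open succeeded after swap:      {}", follow);
    fs::remove_dir_all(&dir)
}
```

O_NOFOLLOW guards only the final path component; a symlink swapped in at an intermediate directory is still followed. Closing that gap needs fd-relative traversal (openat with O_PATH, or openat2 with RESOLVE_BENEATH on Linux), which std does not expose, hence the "not available in std" note above.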
§Configuration
Allowed prefixes are merged from three sources (lowest to highest priority):
- Built-in defaults (/tmp, /var/tmp, /home)
- RUNTIMO_ALLOWED_PATHS env var (colon-separated)
- Config file ~/.config/runtimo/config.toml (allowed_paths array)
Example config file:
```toml
allowed_paths = ["/srv", "/opt"]
```
Structs§
- PathContext - Context for path validation.
Functions§
- validate_path - Validates a path with canonicalization and prefix checking.