Module path

Path validation with canonicalization and prefix checking.

Central validation for all path-based capabilities. Handles both existing paths (canonicalize directly) and new paths (canonicalize the parent). Rejects path traversal, empty paths, null bytes, control characters, and paths outside allowed_prefixes. Valid UTF-8 paths with non-ASCII characters (e.g. über.txt, 中文) are allowed.

Error messages do not leak the list of allowed directories (prevents information disclosure about filesystem layout).

Security Considerations

Null Byte Rejection (FINDING #8)

Paths containing \0 (null byte) are rejected immediately. Null bytes can truncate C-string path arguments in syscalls, causing path truncation attacks (e.g., /tmp/safe.txt\0/etc/shadow becomes /tmp/safe.txt).

Unicode Normalization (FINDING #7)

Paths are NFC-normalized before validation to prevent Unicode-based traversal attacks. Non-ASCII paths are allowed after NFC normalization; valid UTF-8 paths with non-ASCII characters (e.g. über.txt, 中文) are accepted. Only control characters (0x00-0x1F, 0x7F) and null bytes are blocked.

This module canonicalizes paths via std::fs::canonicalize(), which resolves symlinks. A TOCTOU window exists between validation and use: an attacker could replace a validated path with a symlink between the two operations. Mitigation status: all file-opening capabilities (FileRead, FileWrite) open with the O_NOFOLLOW flag, so a symlink swapped in after validation is refused at open time. Remaining risk: non-file capabilities (e.g., GitExec, ShellExec) may not use O_NOFOLLOW. Full mitigation requires filesystem-level atomicity (not available in std).
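The validation pipeline described above, as an added stand-alone example rather than the crate's own validate_path: lexical rejection of empty paths, null bytes, ASCII control characters and `..` components, then canonicalize-or-canonicalize-the-parent, then a prefix check whose error variants name no directories. NFC normalization is left out because it needs the unicode-normalization crate; the names PathError, lexical_checks and resolve are assumptions of this example.

```rust
use std::io;
use std::path::{Component, Path, PathBuf};

/// Validation errors. Variants carry no directory names, so reporting them
/// does not disclose the allowed-prefix list. (Example type, not the crate's.)
#[derive(Debug, PartialEq)]
pub enum PathError { Empty, NullByte, ControlChar, Traversal, NotFound, OutsideAllowed }

/// Lexical checks that run before the filesystem is touched.
fn lexical_checks(raw: &str) -> Result<(), PathError> {
    if raw.is_empty() { return Err(PathError::Empty); }
    // A null byte would silently truncate the path at the syscall boundary.
    if raw.contains('\0') { return Err(PathError::NullByte); }
    // 0x00-0x1F and 0x7F, the range the module documents as blocked.
    if raw.chars().any(|c| c.is_ascii_control()) { return Err(PathError::ControlChar); }
    // Reject `..` outright instead of letting canonicalize() fold it away.
    if Path::new(raw).components().any(|c| c == Component::ParentDir) {
        return Err(PathError::Traversal);
    }
    Ok(())
}

/// Existing path: canonicalize directly. New path: canonicalize its parent
/// (which must exist) and re-append the final component.
fn resolve(path: &Path) -> Result<PathBuf, PathError> {
    match path.canonicalize() {
        Ok(p) => Ok(p),
        Err(e) if e.kind() == io::ErrorKind::NotFound => {
            let parent = path.parent().ok_or(PathError::NotFound)?;
            let name = path.file_name().ok_or(PathError::NotFound)?;
            let parent = parent.canonicalize().map_err(|_| PathError::NotFound)?;
            Ok(parent.join(name))
        }
        Err(_) => Err(PathError::NotFound),
    }
}

/// Returns the canonical path if it lies under one of `allowed`.
/// Prefixes are canonicalized too, so `/tmp` still matches on systems
/// where it is itself a symlink (e.g. `/private/tmp` on macOS).
pub fn validate_path(raw: &str, allowed: &[&Path]) -> Result<PathBuf, PathError> {
    lexical_checks(raw)?;
    let resolved = resolve(Path::new(raw))?;
    let inside = allowed
        .iter()
        .filter_map(|p| p.canonicalize().ok())
        .any(|p| resolved.starts_with(&p));
    if inside { Ok(resolved) } else { Err(PathError::OutsideAllowed) }
}
```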

§Configuration

Allowed prefixes are merged from three sources (lowest to highest priority):

  1. Built-in defaults (/tmp, /var/tmp, /home)
  2. RUNTIMO_ALLOWED_PATHS env var (colon-separated)
  3. Config file ~/.config/runtimo/config.toml (allowed_paths array)

Example config file:

allowed_paths = ["/srv", "/opt"]

Structs

PathContext
Context for path validation.

Functions

validate_path
Validates a path with canonicalization and prefix checking.