Phase B.5 audit of commits a2b47db/a48653c/b3da58c (Trust-1 — write
path allowlist), 9653e25 (Trust-5 — transcribe_file extension allowlist
+ size cap), and ed449cc (Trust-2 — resolve_recording_path output_folder
validation). The three Trust-1 commits were a corrective sequence that
swapped the staged file in a parallel-agent race; b3da58c is the
authoritative landing.
Existing coverage is strong:
* commands/fs.rs (Trust-1): 6 tests — outside-allowlist, traversal,
accepts inside, accepts nested, rejects missing parent, prefix check.
* commands/transcription.rs (Trust-5): 7 tests — accepts wav,
accepts MP3 case-insensitive, accepts each allowed extension,
rejects unsupported, rejects no-extension, rejects oversize, accepts
exactly-at-cap, rejects traversal-with-disallowed-ext.
* commands/audio.rs (Trust-2): 7 tests including
validate_output_folder_rejects_symlink_pointing_out — the symlink
bypass for output folders is already covered.
One real residual found in commands/fs.rs:
Asymmetric symlink handling between Trust-1 (fs.rs) and Trust-2
(audio.rs). Trust-2 canonicalises the FULL requested path (it's a
directory that must already exist), so a symlink at the directory itself
that points outside the base is resolved before the containment check
and gets rejected. Trust-1 canonicalises only the PARENT of the
requested path, because the target file typically does not exist yet
(canonicalize() returns NotFound on missing paths). Concrete bypass:
1. A symlink at, e.g., ~/Downloads/notes.md -> ~/.bashrc — innocently
created by the user, or planted via another vulnerability.
2. Compromised webview invokes
write_text_file_cmd("/home/user/Downloads/notes.md", "<payload>").
3. Path-scope check: parent canonicalises to /home/user/Downloads,
file_name joins, canonical path string sits inside the Downloads
allowlist. PASS.
4. tokio::fs::write -> File::create -> open(2) follows the symlink and
writes "<payload>" to ~/.bashrc, exfiltrating shell startup.
Fix: two-mode canonicalisation in resolve_export_path. If the target
exists, canonicalise the full path — this follows any symlink at the
target itself, and the subsequent containment check sees the resolved
location. Only on NotFound do we fall back to parent-canonicalise +
join-filename (the original save-dialog path). This mirrors the audio
crate's canonicalisation discipline.
Regression tests:
* rejects_symlink_target_outside_allowlist — creates a symlink inside
a base pointing OUT to a real outside file; resolve_export_path must
return Err with "outside the allowed export directories".
* accepts_symlink_target_inside_allowlist — symmetric, an in-base
alias symlink must still resolve and pass, so legitimate uses of
symlinks are not regressed.
Both gated #[cfg(unix)] because std::os::unix::fs::symlink is unix-only.
The Trust-1 surface ships symmetrically on Windows; the symlink class
attack does not generalise the same way on NTFS (junctions vs symlinks
have different ACL semantics), and a windows-specific test would be
duplicate-effort outside the audit scope.
Verification:
* cargo test -p lumotia --lib commands::fs
→ 8/8 pass including the two new symlink tests.
* cargo fmt --check → clean.
* cargo clippy -p lumotia --all-targets -- -D warnings → clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
rust-toolchain.toml pins to stable 1.94.1 so contributors and CI runners
share the exact rustc / rustfmt / clippy versions. Without the pin, every
machine surfaces a different lint set depending on its local install — six
pre-existing lints showed up on 1.94.1 that 1.93-era HANDOVER reported clean.
Clippy fixes (all pre-existing, not introduced by feature work):
- crates/storage/src/database.rs: std::iter::repeat().take() -> repeat_n()
- crates/llm/src/lib.rs (docs): "+ frontends" was parsed as a markdown bullet
continuation by rustdoc, breaking doc-lazy-continuation. Reworded to "and".
- crates/llm/src/lib.rs (loop): while-let-on-iterator -> for-loop.
- src-tauri/src/commands/security.rs: .iter().any(|a| *a == x) -> .contains(&x).
- src-tauri/src/lib.rs: io::Error::new(Other, e) -> io::Error::other(e).
- src-tauri/src/tauri_app_data_migration.rs: drop function-tail `return`s
inside cfg blocks; each platform's block now ends with a tail expression.
cargo fmt sweep across the workspace. Mechanical layout-only changes;
no semantics affected.
Workspace gates after this commit:
- cargo fmt --check: clean
- cargo clippy --workspace --all-targets -- -D warnings: clean
- cargo test --workspace: 405/0 (will become 409/0 with Phase A.1+A.2)
The earlier Trust-1 commits a2b47db and a48653c carried the wrong
files due to parallel-agent races on the index. This commit re-applies
the fs.rs change via explicit pathspec so the working-tree edit is
finally landed in HEAD.
The Tauri command `write_text_file_cmd` previously took an arbitrary
`path: String` and flowed it straight into `tokio::fs::write` with no
main-window guard, no canonicalisation, and no scope check. A
compromised webview could write anywhere the process had write access
— overwriting shell init files, dropping a runner into
`~/.config/autostart`, etc.
This change:
- adds `ensure_main_window(&window)?` so only the main webview can
invoke the command;
- canonicalises the requested path's parent (rejecting nonexistent
parents and resolving symlinks) before joining the filename;
- asserts the canonical target sits inside an allowlisted base
(app data, app local data, downloads, documents, desktop), so a
`"../../etc/passwd"` payload — even one obtained via symlink trickery
in the chosen save dir — is refused with a clear error.
Six unit tests cover: outside-allowlist rejection, path-traversal
rejection, nested inside-allowlist acceptance, plain inside-allowlist
acceptance, nonexistent-parent rejection, and the pure
`is_inside_any_base` prefix check.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace all instances of the legacy product names "Kon" and "Corbie" with
"Magnotia" across user-facing copy, code identifiers, package names, bundle
ids, file paths, and documentation. Preserves the unrelated "konsole" (KDE
terminal) reference and the parent CORBEL company name.
- Renames 10 Rust crates (kon-* → magnotia-*) and the tauri binary
- Updates package.json, tauri.conf.json (productName + identifier)
- Renames CSS classes (kon-rh-* → magnotia-rh-*) and animations
- Renames brand and roadmap docs
- Regenerates Cargo.lock and package-lock.json
Verified: svelte-check passes; pure-rust crates compile under new names.
Thin UTF-8 writer used by the new save-dialog path. Caller owns path
safety; the source path is always OS-dialog-provided. Two unit tests:
roundtrips a small UTF-8 string with non-ASCII chars and asserts a
nonexistent parent path returns an actionable error.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>