Conversation

@mscolnick
Contributor

The codebase was using Path.resolve() and Path.absolute() inconsistently, leading to:

  • Unexpected behavior: Symlinked directories resolved to their real paths, breaking user expectations
  • Unnormalized paths: Path.absolute() doesn't normalize .. and . components, leaving messy paths in sys.path and other places.
  • Security vulnerability: Path.resolve() follows symlinks, which could allow traversal attacks - however, in these instances, the user already has full access to the system so there was no additional risk.

This PR adds normalize_path() utility that converts relative paths to absolute and normalizes .. and . components using os.path.normpath(), but does not resolve symlinks.

…d security

The codebase was using `Path.resolve()` and `Path.absolute()` inconsistently, leading to:

- **Unexpected behavior**: Symlinked directories resolved to their real paths, breaking user expectations
- **Unnormalized paths**: `Path.absolute()` doesn't normalize `..` and `.` components, leaving messy paths in sys.path and other places.
- **Security vulnerability**: `Path.resolve()` follows symlinks, which could allow traversal attacks - however, in these instances, the user already has full access to the system so there was no additional risk.

This PR adds `normalize_path()` utility that converts relative paths to absolute and normalizes `..` and `.` components using `os.path.normpath()`, but does not resolve symlinks.
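As an added illustration (not marimo's own code), a minimal `normalize_path()` with the behaviour the description gives, shown next to `Path.resolve()` and `Path.absolute()` on a constructed symlinked directory. The `base` parameter, the `demo()` fixture and the `is_within()` containment helper are this example's assumptions, not part of the PR.

```python
import os
import shutil
import tempfile
from pathlib import Path


def normalize_path(path, base=None) -> Path:
    """Absolute + lexically normalized path that keeps symlinks as typed.

    Relative paths are anchored at ``base`` (assumed parameter; default cwd),
    then ``..`` and ``.`` are collapsed with os.path.normpath. Unlike
    Path.resolve(), a symlinked directory is NOT replaced by its real path.
    """
    p = Path(path)
    if not p.is_absolute():
        p = Path(base) if base is not None else Path.cwd()
        p = p / path
    return Path(os.path.normpath(p))


def is_within(path, base) -> bool:
    """Lexical containment check (example helper, not in the PR).

    Caveat: because symlinks are not resolved, a link located under ``base``
    may still point outside it; this check only sees the path as written.
    """
    return normalize_path(path).is_relative_to(normalize_path(base))


def demo() -> dict:
    """Constructed fixture: <tmp>/real is a directory, <tmp>/link -> real."""
    tmp = Path(tempfile.mkdtemp())
    try:
        (tmp / "real").mkdir()
        os.symlink(tmp / "real", tmp / "link", target_is_directory=True)
        messy = tmp / "link" / "sub" / ".." / "file.py"
        return {
            # resolve(): follows the symlink and collapses ".."  -> real/file.py
            "resolve": messy.resolve().relative_to(tmp.resolve()).as_posix(),
            # absolute(): keeps ".." untouched                   -> link/sub/../file.py
            "absolute": messy.absolute().relative_to(tmp).as_posix(),
            # normalize_path(): collapses "..", keeps the symlink -> link/file.py
            "normalize": normalize_path(messy).relative_to(tmp).as_posix(),
            # relative input anchored at a base directory         -> x.py (escapes link/)
            "relative": normalize_path("../x.py", base=tmp / "link").relative_to(tmp).as_posix(),
            "escapes_link": not is_within(tmp / "link" / ".." / "x.py", tmp / "link"),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
```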
@mscolnick mscolnick requested a review from dmadisetti as a code owner January 7, 2026 00:14
@vercel

vercel bot commented Jan 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
marimo-docs Ready Ready Preview, Comment Jan 7, 2026 0:15am
Collaborator

@dmadisetti dmadisetti left a comment

+1 for consistency

@mscolnick mscolnick merged commit 794b545 into main Jan 7, 2026
46 of 71 checks passed
@mscolnick mscolnick deleted the ms/path-norm branch January 7, 2026 02:30
@github-actions

github-actions bot commented Jan 7, 2026

🚀 Development release published. You may be able to view the changes at https://marimo.app?v=0.18.5-dev153

Labels

bug Something isn't working

3 participants