Harden installer and path handling#189
Conversation
|
The following comment was made by an LLM, it may be inaccurate: |
There was a problem hiding this comment.
Pull request overview
This PR implements security and robustness improvements to the installer and path handling across the desktop application. The changes focus on hardening file operations, environment variable handling, and executable resolution.
Changes:
- Added file locking (shared/exclusive) for workspace state operations using the
fs2crate - Enhanced path validation to ensure absolute paths for HOME, USERPROFILE, and XDG_CONFIG_HOME environment variables
- Improved installer script by piping curl output directly to bash stdin, avoiding shell pipeline issues and better surfacing curl errors
- Added canonicalization for OpenCode executable and sidecar paths with symlink validation
- Added skill name length validation (1-100 characters)
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
packages/desktop/src-tauri/src/workspace/state.rs |
Added file locking (shared for reads, exclusive for writes) and improved file handling with explicit truncation and sync operations |
packages/desktop/src-tauri/src/paths.rs |
Added absolute path validation for HOME and USERPROFILE environment variables, enhanced XDG environment variable handling |
packages/desktop/src-tauri/src/engine/paths.rs |
Added canonicalization helper for executable path resolution to resolve symlinks and validate file existence |
packages/desktop/src-tauri/src/config.rs |
Added env_path helper function to validate environment variable paths are absolute, improved config directory resolution |
packages/desktop/src-tauri/src/commands/skills.rs |
Added maximum length validation (100 characters) for skill names |
packages/desktop/src-tauri/src/commands/engine.rs |
Refactored installer to pipe curl output to bash stdin instead of shell pipeline, improved error handling and stderr collection |
packages/desktop/src-tauri/build.rs |
Added symlink detection to prevent overwriting symlinks during sidecar setup, added canonicalization for source path resolution |
packages/desktop/src-tauri/Cargo.toml |
Added fs2 = "0.4" dependency for file locking functionality |
packages/desktop/src-tauri/Cargo.lock |
Updated lock file with fs2 dependency and its transitive dependencies |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Automated message: the hardening changes look good and align with the security/least‑privilege goals (file locks, canonical paths, symlink guard, safer installer piping). Two notes:
Happy to re-review once rebased. |
|
@Golenspade thx. we made a few changes over the last days to make sidecar the default path so we can control the experience a bit more. we're still giving PATH as an escape hatch. What does this PR intend to bring to the experience? |
|
@benjaminshafii thx for the review:Intent is UX hardening, not a path-precedence change. This PR makes install + binary resolution more deterministic and safer: we canonicalize candidate binaries, avoid symlink overwrites, validate env-derived paths, and lock workspace state to prevent corruption. The user impact is fewer mysterious install failures or “wrong binary” issues, while still keeping PATH as an escape hatch. The new sidecar-default policy you mentioned is compatible; this just adds guardrails around whatever path wins. |
Golenspade
force-pushed
the
fix/engine-install-pipe
branch
from
c59705a to
3771d9e
Compare
|
@benjaminshafii rebased and added the bash exit error alert |
2 participants
Summary
Testing
pnpm install --frozen-lockfilepnpm --filter @different-ai/openwork build:webpnpm --filter @different-ai/openwork test:e2ecargo check --manifest-path packages/desktop/src-tauri/Cargo.toml --lockedcargo test --manifest-path packages/desktop/src-tauri/Cargo.toml --locked