[BUG] Symlink Attack Allows Indexing Files Outside Project Directory #64

@EnthusiasticTech

Project

vgrep

Description

The indexer uses ignore::WalkBuilder without calling .follow_links(false). By default, WalkBuilder follows symbolic links. An attacker who can create symlinks in a project directory can cause vgrep to index files from anywhere on the filesystem, including sensitive system files like /etc/passwd, SSH keys, or other projects.

Error Message

Debug Logs

System Information

Bounty Version: 0.1.0
OS: Ubuntu 24.04 LTS
CPU: AMD EPYC-Genoa Processor (8 cores)
RAM: 15 GB

Screenshots

No response

Steps to Reproduce

  1. Create a project directory with malicious symlinks:
    mkdir /tmp/evil_project
    cd /tmp/evil_project
    ln -s /etc/passwd ./passwd_link
    ln -s ~/.ssh ./ssh_link
    ln -s /home ./all_users
  2. Run vgrep indexer on this directory:
    cd /tmp/evil_project
    vgrep serve &
    vgrep index
  3. The indexer will follow symlinks and index files from /etc, ~/.ssh, and /home

Expected Behavior

The indexer should either:

  • Not follow symlinks by default (.follow_links(false)), OR
  • Validate that resolved paths are within the project directory

Actual Behavior

WalkBuilder follows symlinks, indexing files outside the intended directory:

    // src/core/indexer.rs lines 55-60
    let files: Vec<_> = WalkBuilder::new(&abs_path)
        .hidden(false)
        .git_ignore(true)
        // NO .follow_links(false) - follows symlinks by default!
        .build()

Additional Context

No response
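
One way to implement the second option under Expected Behavior (validate that resolved paths stay inside the project), using only the Rust standard library on a Unix system. This is an added example, not code from vgrep or from the issue author; `resolves_inside`, `collect_in_root` and `demo` are hypothetical names, and the sample tree is constructed.

```rust
use std::{fs, io, path::{Path, PathBuf}};

/// True if `candidate`, with symlinks resolved, is under the canonical `root` (dangling links: false).
fn resolves_inside(root: &Path, candidate: &Path) -> bool {
    fs::canonicalize(candidate).map(|p| p.starts_with(root)).unwrap_or(false)
}

/// Hypothetical collector: walks `project` without descending through symlinks and
/// returns only files whose resolved path stays inside the project.
fn collect_in_root(project: &Path) -> io::Result<Vec<PathBuf>> {
    let root = fs::canonicalize(project)?;
    let mut files = Vec::new();
    let mut stack = vec![root.clone()];
    while let Some(dir) = stack.pop() {
        for entry in fs::read_dir(&dir)? {
            let path = entry?.path();
            // symlink_metadata does not follow the link, so a link is seen as a link.
            let meta = fs::symlink_metadata(&path)?;
            if meta.file_type().is_symlink() {
                // Keep a link only if it resolves to a file inside the project.
                if resolves_inside(&root, &path) && fs::metadata(&path)?.is_file() {
                    files.push(path);
                }
            } else if meta.is_dir() {
                stack.push(path);
            } else if meta.is_file() {
                files.push(path);
            }
        }
    }
    files.sort();
    Ok(files)
}

/// Constructed sample tree: a real file, an in-project link, and two links pointing outside.
fn demo() -> io::Result<Vec<String>> {
    let dir = std::env::temp_dir().join(format!("symlink_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(dir.join("src"))?;
    fs::write(dir.join("src/main.rs"), "fn main() {}")?;
    std::os::unix::fs::symlink(dir.join("src/main.rs"), dir.join("alias.rs"))?;
    std::os::unix::fs::symlink("/etc/passwd", dir.join("passwd_link"))?;
    std::os::unix::fs::symlink("/etc", dir.join("etc_link"))?;
    let found = collect_in_root(&dir)?;
    let names = found.iter().map(|p| p.file_name().unwrap().to_string_lossy().into_owned()).collect();
    fs::remove_dir_all(&dir)?;
    Ok(names)
}

fn main() { println!("{:?}", demo().unwrap()); }
```

The check resolves each path at walk time, so a file opened later should be re-validated (or opened once and indexed through that handle) if the directory can change between the walk and the read.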
