From 244d4c56768fcc60bd1b23fe45df7a57c7b293ec Mon Sep 17 00:00:00 2001
From: Craig Jennings <c@cjennings.net>
Date: Sat, 16 May 2026 11:30:04 -0500
Subject: feat(gptel-tools): harden path validation with file-truename realpath

Resolves PATH through file-truename before applying home-directory and
read/write checks across the path-handling tools (git_status, git_log,
git_diff, move_to_trash, read_text_file, update_text_file,
write_text_file, list_directory_files, read_buffer, web_fetch).
Without the resolve step, a symlink under HOME pointing outside HOME
would pass the prefix check but the tool would act on the real target
-- a symlink-escape.

move_to_trash also tightens the trash-bin construction (treats empty
file extensions correctly) and switches the "critical directories"
list to truename-resolved canonical forms so a symlinked ~/.config
can't be trashed via an aliased path.

update_text_file fixes an off-by-one in the line-count derivation
when the source content is empty.

Each source change pairs with tests in tests/test-gptel-tools-*.el
and tests/test-update-text-file.el covering the realpath escape
paths, the empty-extension trash case, and the empty-content line-
count edge.  Combined coverage is now 100% across all ten gptel-tools
source files: 516 / 516 executable lines, 217 tests.
---
 gptel-tools/git_log.el | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'gptel-tools/git_log.el')

diff --git a/gptel-tools/git_log.el b/gptel-tools/git_log.el
index 9cfae263..324435dc 100644
--- a/gptel-tools/git_log.el
+++ b/gptel-tools/git_log.el
@@ -25,11 +25,17 @@
   "Validate PATH for a git log call.  Return the expanded path on success.
 Same contract as the git_status validator: must be under HOME, must
 be a directory, must be inside a git working tree."
-  (let ((full (expand-file-name (or path "~") "~")))
+  (let* ((home (file-name-as-directory (file-truename (expand-file-name "~"))))
+         (full (expand-file-name (or path "~") "~")))
     (unless (string-prefix-p (expand-file-name "~") full)
       (error "Path must be within home directory: %s" path))
     (unless (file-directory-p full)
       (error "Not a directory: %s" full))
+    (let ((resolved (file-truename full)))
+      (unless (or (string= resolved (directory-file-name home))
+                  (string-prefix-p home resolved))
+        (error "Resolved path must be within home directory: %s" path))
+      (setq full resolved))
     (let ((default-directory full))
       (unless (zerop (process-file "git" nil nil nil
                                    "rev-parse" "--is-inside-work-tree"))
-- 
cgit v1.2.3