Fix symlink traversal bug

  The Bug

  The tokenPath() function in internal/oauth/oauth.go:301-317 used strings.HasPrefix to verify paths stayed within tokensDir, but
  didn't detect symlinks. An attacker who could create a symlink inside tokensDir (e.g., tokensDir/evil.json -> /etc/passwd) could
  cause token data to be written outside the tokens directory.

  The Fix

  Added symlink detection using os.Lstat() and filepath.EvalSymlinks():

  // Check if path is a symlink that could escape tokensDir
  if info, err := os.Lstat(cleanPath); err == nil && info.Mode()&os.ModeSymlink != 0 {
      // Path exists and is a symlink - resolve it and verify it stays within tokensDir
      resolved, err := filepath.EvalSymlinks(cleanPath)
      if err != nil || !isPathWithinDir(resolved, cleanTokensDir) {
          // Symlink resolution failed or escapes tokensDir - use hash-based fallback
          return filepath.Join(m.tokensDir, fmt.Sprintf("%x.json", sha256.Sum256([]byte(email))))
      }
  }

  Also added a helper function isPathWithinDir() that properly resolves symlinks in the base directory before comparing paths.

  Changes Made

  - internal/oauth/oauth.go: Added symlink detection in tokenPath() and new isPathWithinDir() helper (13 lines added)
  - internal/oauth/oauth_test.go: Added TestTokenPath_SymlinkEscape test case (47 lines added)

Author: hughdbrown

internal/oauth/oauth.go

@@ -306,16 +306,44 @@ func (m *Manager) tokenPath(email string) string {
 	// Ensure the final path is within tokensDir
 	path := filepath.Join(m.tokensDir, safe+".json")
 	cleanPath := filepath.Clean(path)
+	cleanTokensDir := filepath.Clean(m.tokensDir)
 
 	// Verify the path is still within tokensDir
-	if !strings.HasPrefix(cleanPath, filepath.Clean(m.tokensDir)) {
+	if !strings.HasPrefix(cleanPath, cleanTokensDir) {
 		// If path escapes tokensDir, use a hash-based fallback
 		return filepath.Join(m.tokensDir, fmt.Sprintf("%x.json", sha256.Sum256([]byte(email))))
 	}
 
+	// Check if path is a symlink that could escape tokensDir
+	if info, err := os.Lstat(cleanPath); err == nil && info.Mode()&os.ModeSymlink != 0 {
+		// Path exists and is a symlink - resolve it and verify it stays within tokensDir
+		resolved, err := filepath.EvalSymlinks(cleanPath)
+		if err != nil || !isPathWithinDir(resolved, cleanTokensDir) {
+			// Symlink resolution failed or escapes tokensDir - use hash-based fallback
+			return filepath.Join(m.tokensDir, fmt.Sprintf("%x.json", sha256.Sum256([]byte(email))))
+		}
+	}
+
 	return cleanPath
 }
 
+// isPathWithinDir checks if path is within dir, resolving symlinks in dir.
+func isPathWithinDir(path, dir string) bool {
+	// Resolve symlinks in dir to get the real base directory
+	resolvedDir, err := filepath.EvalSymlinks(dir)
+	if err != nil {
+		resolvedDir = dir // fallback to original if dir doesn't exist yet
+	}
+	resolvedDir = filepath.Clean(resolvedDir)
+
+	// Clean and check the path
+	cleanPath := filepath.Clean(path)
+
+	// Ensure path is within dir (with proper separator handling)
+	return strings.HasPrefix(cleanPath, resolvedDir+string(filepath.Separator)) ||
+		cleanPath == resolvedDir
+}
+
 // scopesToString joins scopes with spaces.
 func scopesToString(scopes []string) string {
 	return strings.Join(scopes, " ")

internal/oauth/oauth_test.go

@@ -249,6 +249,54 @@ func TestSanitizeEmail(t *testing.T) {
 	}
 }
 
+func TestTokenPath_SymlinkEscape(t *testing.T) {
+	// This test verifies that symlinks inside tokensDir cannot be used
+	// to write tokens outside the tokens directory.
+	//
+	// Attack scenario:
+	// 1. Attacker creates symlink: tokensDir/evil.json -> /tmp/outside/evil.json
+	// 2. saveToken("evil", ...) would follow the symlink and write outside tokensDir
+	// 3. The fix should detect this and use a hash-based fallback path
+
+	dir := t.TempDir()
+	tokensDir := filepath.Join(dir, "tokens")
+	outsideDir := filepath.Join(dir, "outside")
+
+	if err := os.MkdirAll(tokensDir, 0700); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.MkdirAll(outsideDir, 0700); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a symlink inside tokensDir that points outside
+	symlinkPath := filepath.Join(tokensDir, "evil.json")
+	outsideTarget := filepath.Join(outsideDir, "evil.json")
+	if err := os.Symlink(outsideTarget, symlinkPath); err != nil {
+		t.Skipf("cannot create symlink (may require admin on Windows): %v", err)
+	}
+
+	mgr := &Manager{
+		config:    &oauth2.Config{Scopes: Scopes},
+		tokensDir: tokensDir,
+	}
+
+	// Get the token path for "evil" - this should NOT return the symlink path
+	// because following it would write outside tokensDir
+	gotPath := mgr.tokenPath("evil")
+
+	// The path should NOT be the symlink (which would write outside tokensDir)
+	if gotPath == symlinkPath {
+		t.Errorf("tokenPath returned symlink path %q, should use hash-based fallback to prevent escape", gotPath)
+	}
+
+	// Verify the returned path, when resolved, stays within tokensDir
+	// (the hash-based fallback should be used)
+	if !strings.HasPrefix(gotPath, tokensDir) {
+		t.Errorf("tokenPath %q is not within tokensDir %q", gotPath, tokensDir)
+	}
+}
+
 func TestParseClientSecrets(t *testing.T) {
 	// Valid Desktop application credentials
 	validDesktop := `{