Resolve image attachment paths with realpath before reading so symlinks inside allowed roots cannot escape to arbitrary files. Preserve support for symlinked project/upload roots and skip invalid descriptors instead of failing the provider turn.
Resolve image attachment paths with realpath before reading so symlinks
inside allowed roots cannot escape to arbitrary files. Preserve support for
symlinked project/upload roots and add focused coverage for both cases.
Replace the path.relative guard in isPathInsideDirectory with the
resolve + startsWith(root + sep) idiom so the path-injection barrier
is visible to code scanning; behavior is unchanged.
- enforce a second image trust boundary in the provider builders:
buildClaudeUserContent/buildCodexInputItems only accept files inside
the upload store or the run's working directory (CodeQL path
injection)
- drop an always-true selectedProject check in handleSubmit
- remove the unused resume option from spawnCursor