From 0f6cdc36925b9bdd578207bf7d8e879399f08ab1 Mon Sep 17 00:00:00 2001
From: xgopilot
Date: Thu, 23 Apr 2026 17:15:49 +0000
Subject: [PATCH] fix(security): keep symlink escape checks for unknown walk entries

Generated with [codeagent](https://github.com/qbox/codeagent)

Co-authored-by: phantom5099 <245659304+phantom5099@users.noreply.github.com>
---
 internal/security/workspace_paths.go | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/internal/security/workspace_paths.go b/internal/security/workspace_paths.go
index c23fce85..f3c49e2b 100644
--- a/internal/security/workspace_paths.go
+++ b/internal/security/workspace_paths.go
@@ -57,7 +57,7 @@ func ResolveWorkspaceWalkPathFromRoot(root string, target string, entry fs.DirEn
 	if !isWithinWorkspace(root, absoluteTarget) {
 		return "", fmt.Errorf("security: path %q escapes workspace root", target)
 	}
-	if entry != nil && entry.Type().IsRegular() {
+	if isVerifiedRegularWalkEntry(entry) {
 		return absoluteTarget, nil
 	}
 	if _, err := ensureNoSymlinkEscape(root, absoluteTarget, target); err != nil {
@@ -65,3 +65,23 @@ func ResolveWorkspaceWalkPathFromRoot(root string, target string, entry fs.DirEn
 	}
 	return absoluteTarget, nil
 }
+
+// isVerifiedRegularWalkEntry 判断 WalkDir 条目是否可安全走普通文件快速路径。
+// 对 Type()==0 的条目会再调用 Info 二次确认,避免“未知类型”误判为普通文件而绕过符号链接校验。
+func isVerifiedRegularWalkEntry(entry fs.DirEntry) bool {
+	if entry == nil {
+		return false
+	}
+	entryType := entry.Type()
+	if !entryType.IsRegular() {
+		return false
+	}
+	if entryType != 0 {
+		return true
+	}
+	info, err := entry.Info()
+	if err != nil {
+		return false
+	}
+	return info.Mode().IsRegular()
+}
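Review bot: In isVerifiedRegularWalkEntry the `if entryType != 0 { return true }` branch is unreachable, because `fs.FileMode.IsRegular` is defined as `m&ModeType == 0` and `DirEntry.Type` returns only the ModeType bits, so once `IsRegular()` has passed, `entryType` is necessarily 0. The function therefore always falls through to `entry.Info()` for every regular entry, which is the safe behaviour, but the dead branch and the comment's "Type()==0 is the unknown-type case" framing describe a short-circuit that cannot occur; drop the branch so the body reads `if entry == nil || !entry.Type().IsRegular() { return false }` followed directly by the `Info()` check, with an error from `Info()` still falling back to the full ensureNoSymlinkEscape path as it does now. The doc comment should also be in English to match the English identifiers and commit message, e.g. `// isVerifiedRegularWalkEntry reports whether entry may take the regular-file fast path that skips ensureNoSymlinkEscape; the directory-listing type is confirmed against Info() (an lstat of the entry) so an unreliably reported type cannot bypass the symlink check.` Note that this fast path still relies on the entry's own lstat rather than checking for a symlinked parent component, which is the same trade-off the replaced `entry.Type().IsRegular()` check made; ResolveWorkspaceWalkPathFromRoot itself begins outside the hunk.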