From 325811c369b77b0a6b15bf81463948a10cb1f658 Mon Sep 17 00:00:00 2001 From: Peter Stone Date: Mon, 12 Jan 2026 13:18:27 -1000 Subject: Mitigate path traversal risk in Obsidian scanner Skip symbolic links during vault traversal to prevent reading files outside the configured vault directory. This prevents potential path traversal attacks via malicious symlinks. Co-Authored-By: Claude Sonnet 4.5
---
internal/api/obsidian.go | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'internal')
diff --git a/internal/api/obsidian.go b/internal/api/obsidian.go
index a8ba80d..413fdd3 100644
--- a/internal/api/obsidian.go
+++ b/internal/api/obsidian.go
@@ -51,6 +51,11 @@ func (c *ObsidianClient) GetNotes(ctx context.Context, limit int) ([]models.Note
 return nil // Skip files we can't access
 }
+ // Skip symbolic links to prevent path traversal
+ if info.Mode()&os.ModeSymlink != 0 {
+ return nil
+ }
+
 // Skip directories and non-markdown files
 if info.IsDir() || !strings.HasSuffix(info.Name(), ".md") {
 return nil
-- cgit v1.2.3
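Review bot: The new `info.Mode()&os.ModeSymlink != 0` guard only fires when `info` comes from an lstat-style call, as `filepath.Walk` provides; the walker is outside this hunk, so confirm that, because with `os.Stat`-derived info the bit is never set and the check does nothing. The decision is also made at walk time, while the note is presumably opened by path later, so an entry swapped for a link in between would still be followed. Resolving the path with `filepath.EvalSymlinks` and confirming via `filepath.Rel` that it stays under the vault root just before the read would cover that case. The skip is silent, so a user with legitimately linked notes gets no hint why they are missing; a debug-level log line and a comment such as `// Skip symlinks: the later read follows links, so a link inside the vault could expose a file outside it` would help. The callback and `GetNotes` both start and end outside the hunk.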