🐛 Fix security issues in logging and config loading

Miyamura80 · claude · Miyamura80 · commit 7c2dcddf1299 · 2026-01-27T11:48:11.000Z
- Fix unsafe exception re-instantiation in logging_config.py by modifying
  exception args in-place instead of creating new instances. This preserves
  the original exception type and metadata without constructor issues.

- Add symlink check in global_config.py to prevent loading YAML files from
  outside the common/ directory via symlink attacks.

Co-Authored-By: Claude Sonnet 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/common/global_config.py b/common/global_config.py
@@ -75,6 +75,10 @@ def recursive_update(default: dict, override: dict) -> dict:
         for split_file in split_files:
             if split_file.name in reserved_filenames:
                 continue
+            # Security: skip symlinks to prevent loading files outside common/
+            if split_file.is_symlink():
+                logger.warning(f"Skipping symlink config file: {split_file}")
+                continue
             root_key = split_file.stem
             if root_key in config_data:
                 raise KeyError(
diff --git a/src/utils/logging_config.py b/src/utils/logging_config.py
@@ -91,21 +91,19 @@ def scrub_sensitive_data(record):
         scrubbed_value_str = _SCRUBBER.scrub(value_str)
 
         if scrubbed_value_str != value_str:
-            # Re-instantiate the exception with the redacted message to preserve loguru formatting
+            # Modify args in-place to preserve exception type and metadata
+            # Most exceptions store their message in args[0]
             try:
-                # Most standard exceptions accept a single string argument
-                new_value = type_(scrubbed_value_str)
-            except TypeError:
-                # Fallback to a generic Exception if type instantiation fails
-                # (e.g., some exceptions require specific constructor arguments)
-                new_value = Exception(f"[{type_.__name__}] {scrubbed_value_str}")
-
-            # Preserve traceback and context metadata
-            new_value.__traceback__ = tb
-            new_value.__cause__ = getattr(value, "__cause__", None)
-            new_value.__context__ = getattr(value, "__context__", None)
-
-            record["exception"] = (type_, new_value, tb)
+                if value.args:
+                    scrubbed_args = tuple(
+                        _SCRUBBER.scrub(str(arg)) if isinstance(arg, str) else arg
+                        for arg in value.args
+                    )
+                    value.args = scrubbed_args
+            except (AttributeError, TypeError):
+                # If args modification fails, leave original exception unchanged
+                # This is safer than creating a mismatched exception type
+                pass
 
     # Scrub extra context if present
     extra = record.get("extra")
