Harden path security across all file-reading directives (#3000)

* Harden path security across all file-reading directives

Previously only `IncludeBlock` validated user-supplied paths. The other
three directives (`SettingsBlock`, `CsvIncludeBlock`, `ChangelogBlock`)
had no boundary or symlink checks, leaving them open to path traversal.

All four now enforce the same four-layer protection:

1. `Path.IsPathRooted()` — reject absolute paths
2. `Path.GetFullPath()` — canonicalize, resolving any `..` segments
3. `IsSubPathOf()` — path must stay within the documentation source directory
4. `SymlinkValidator.ValidateFileAccess/DirectoryAccess()` — no symlinks,
   no hidden ancestor directories

`SymlinkValidator` gains two new shared methods (`ValidateFileAccess` and
`ValidateDirectoryAccess`) so the symlink + hidden-dir ancestor walk is no
longer duplicated inline in `IncludeBlock`.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Address CodeRabbit review: symlink order and dangling symlinks

- Move symlink validation before existence check in IncludeBlock so a
  dangling symlink doesn't fall through to emit confusing extra errors,
  matching the order used in SettingsBlock and CsvIncludeBlock.
- Drop the `Exists: true` guard on all `LinkTarget != null` checks in
  SymlinkValidator so dangling symlinks (target missing) are rejected
  unconditionally, both on the file/directory itself and on ancestor dirs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Mpdreamz

src/Elastic.Documentation.Configuration/SymlinkValidator.cs

@@ -4,6 +4,7 @@
 
 using System.IO.Abstractions;
 using System.Security;
+using Elastic.Documentation.Extensions;
 
 namespace Elastic.Documentation.Configuration;
 
@@ -38,4 +39,62 @@ public static void EnsureNotSymlink(IFileSystem fileSystem, string filePath)
 		if (fileInfo.Exists)
 			EnsureNotSymlink(fileInfo);
 	}
+
+	/// <summary>
+	/// Validates that a file and its ancestor directories (up to <paramref name="docRoot"/>) are not symlinks
+	/// and that no ancestor directory is hidden (starts with <c>.</c>).
+	/// </summary>
+	/// <returns>An error message if validation fails, or <c>null</c> if the file is safe to read.</returns>
+	public static string? ValidateFileAccess(IFileInfo file, IDirectoryInfo docRoot)
+	{
+		if (file.LinkTarget != null)
+			return "Path must not point to a symlink.";
+
+		var cmp = IDirectoryInfoExtensions.IsCaseSensitiveFileSystem
+			? StringComparison.Ordinal
+			: StringComparison.OrdinalIgnoreCase;
+
+		var dir = file.Directory;
+		while (dir != null && !string.Equals(dir.FullName, docRoot.FullName, cmp))
+		{
+			if (dir.Name.StartsWith('.'))
+				return "Path must not traverse hidden directories.";
+
+			if (dir.LinkTarget != null)
+				return "Path must not traverse symlinked directories.";
+
+			dir = dir.Parent;
+		}
+
+		return null;
+	}
+
+	/// <summary>
+	/// Validates that a directory and its ancestor directories (up to <paramref name="docRoot"/>) are not symlinks
+	/// and that no ancestor directory is hidden (starts with <c>.</c>).
+	/// </summary>
+	/// <returns>An error message if validation fails, or <c>null</c> if the directory is safe to access.</returns>
+	public static string? ValidateDirectoryAccess(IDirectoryInfo directory, IDirectoryInfo docRoot)
+	{
+		if (directory.LinkTarget != null)
+			return "Path must not point to a symlinked directory.";
+
+		var cmp = IDirectoryInfoExtensions.IsCaseSensitiveFileSystem
+			? StringComparison.Ordinal
+			: StringComparison.OrdinalIgnoreCase;
+
+		var dir = directory.Parent;
+		while (dir != null && !string.Equals(dir.FullName, docRoot.FullName, cmp))
+		{
+			if (dir.Name.StartsWith('.'))
+				return "Path must not traverse hidden directories.";
+
+			if (dir.LinkTarget != null)
+				return "Path must not traverse symlinked directories.";
+
+			dir = dir.Parent;
+		}
+
+		return null;
+	}
 }

src/Elastic.Markdown/Myst/Directives/Changelog/ChangelogBlock.cs

@@ -3,6 +3,7 @@
 // See the LICENSE file in the project root for more information
 
 using Elastic.Documentation;
+using Elastic.Documentation.Configuration;
 using Elastic.Documentation.Configuration.Assembler;
 using Elastic.Documentation.Configuration.ReleaseNotes;
 using Elastic.Documentation.Extensions;
@@ -214,9 +215,29 @@ private void ExtractBundlesFolderPath()
 		if (string.IsNullOrWhiteSpace(folderPath))
 			folderPath = DefaultBundlesFolder;
 
-		BundlesFolderPath = Build.DocumentationSourceDirectory.ResolvePathFrom(folderPath);
+		var trimmedPath = folderPath.TrimStart('/');
+		if (Path.IsPathRooted(trimmedPath))
+		{
+			this.EmitError("Changelog bundles path must not be an absolute path.");
+			return;
+		}
+
+		BundlesFolderPath = Path.GetFullPath(Build.DocumentationSourceDirectory.ResolvePathFrom(folderPath));
 		BundlesFolderRelativeToSource = Path.GetRelativePath(Build.DocumentationSourceDirectory.FullName, BundlesFolderPath);
 
+		var dir = Build.ReadFileSystem.DirectoryInfo.New(BundlesFolderPath);
+		if (!dir.IsSubPathOf(Build.DocumentationSourceDirectory))
+		{
+			this.EmitError("Changelog bundles path must resolve within the documentation source directory.");
+			return;
+		}
+
+		if (SymlinkValidator.ValidateDirectoryAccess(dir, Build.DocumentationSourceDirectory) is { } accessError)
+		{
+			this.EmitError(accessError);
+			return;
+		}
+
 		if (!Build.ReadFileSystem.Directory.Exists(BundlesFolderPath))
 		{
 			this.EmitError($"Changelog bundles folder `{BundlesFolderRelativeToSource}` does not exist.");
@@ -246,9 +267,28 @@ private void LoadConfiguration()
 		if (string.IsNullOrWhiteSpace(ConfigPath))
 			return;
 
-		var fileSystem = Build.ReadFileSystem;
-		var explicitPath = Build.DocumentationSourceDirectory.ResolvePathFrom(ConfigPath);
-		if (!fileSystem.File.Exists(explicitPath))
+		var trimmedPath = ConfigPath.TrimStart('/');
+		if (Path.IsPathRooted(trimmedPath))
+		{
+			this.EmitError("Changelog config path must not be an absolute path.");
+			return;
+		}
+
+		var explicitPath = Path.GetFullPath(Build.DocumentationSourceDirectory.ResolvePathFrom(ConfigPath));
+		var file = Build.ReadFileSystem.FileInfo.New(explicitPath);
+		if (!file.IsSubPathOf(Build.DocumentationSourceDirectory))
+		{
+			this.EmitError("Changelog config path must resolve within the documentation source directory.");
+			return;
+		}
+
+		if (SymlinkValidator.ValidateFileAccess(file, Build.DocumentationSourceDirectory) is { } accessError)
+		{
+			this.EmitError(accessError);
+			return;
+		}
+
+		if (!Build.ReadFileSystem.File.Exists(explicitPath))
 			this.EmitWarning($"Specified changelog config path '{ConfigPath}' not found.");
 	}
 

src/Elastic.Markdown/Myst/Directives/CsvInclude/CsvIncludeBlock.cs

@@ -3,6 +3,8 @@
 // See the LICENSE file in the project root for more information
 
 using System.IO.Abstractions;
+using Elastic.Documentation.Configuration;
+using Elastic.Documentation.Extensions;
 using Elastic.Markdown.Diagnostics;
 
 namespace Elastic.Markdown.Myst.Directives.CsvInclude;
@@ -50,9 +52,29 @@ private void ExtractCsvPath(ParserContext context)
 		if (csvPath.StartsWith('/'))
 			csvFrom = Build.DocumentationSourceDirectory.FullName;
 
-		CsvFilePath = Path.Join(csvFrom, csvPath.TrimStart('/'));
+		var trimmedPath = csvPath.TrimStart('/');
+		if (Path.IsPathRooted(trimmedPath))
+		{
+			this.EmitError("CSV path must not be an absolute path.");
+			return;
+		}
+
+		CsvFilePath = Path.GetFullPath(Path.Join(csvFrom, trimmedPath));
 		CsvFilePathRelativeToSource = Path.GetRelativePath(Build.DocumentationSourceDirectory.FullName, CsvFilePath);
 
+		var file = Build.ReadFileSystem.FileInfo.New(CsvFilePath);
+		if (!file.IsSubPathOf(Build.DocumentationSourceDirectory))
+		{
+			this.EmitError("CSV path must resolve within the documentation source directory.");
+			return;
+		}
+
+		if (SymlinkValidator.ValidateFileAccess(file, Build.DocumentationSourceDirectory) is { } accessError)
+		{
+			this.EmitError(accessError);
+			return;
+		}
+
 		if (Build.ReadFileSystem.File.Exists(CsvFilePath))
 		{
 			ValidateFileSize();

src/Elastic.Markdown/Myst/Directives/Include/IncludeBlock.cs

@@ -3,6 +3,7 @@
 // See the LICENSE file in the project root for more information
 
 using System.IO.Abstractions;
+using Elastic.Documentation.Configuration;
 using Elastic.Documentation.Extensions;
 using Elastic.Markdown.Diagnostics;
 
@@ -76,13 +77,18 @@ private void ExtractInclusionPath(ParserContext context)
 			return;
 		}
 
+		if (SymlinkValidator.ValidateFileAccess(file, Build.DocumentationSourceDirectory) is { } accessError)
+		{
+			this.EmitError(accessError);
+			Found = false;
+			return;
+		}
+
 		if (Build.ReadFileSystem.File.Exists(IncludePath))
 			Found = true;
 		else
 			this.EmitError($"`{IncludePath}` does not exist.");
 
-		ValidateIncludePath(file);
-
 		if (Literal)
 			return;
 
@@ -98,39 +104,4 @@ private void ExtractInclusionPath(ParserContext context)
 			Found = false;
 		}
 	}
-
-	private void ValidateIncludePath(IFileInfo file)
-	{
-		if (file is { Exists: true, LinkTarget: not null })
-		{
-			this.EmitError("Include path must not point to a symlink.");
-			Found = false;
-			return;
-		}
-
-		var cmp = IDirectoryInfoExtensions.IsCaseSensitiveFileSystem
-			? StringComparison.Ordinal
-			: StringComparison.OrdinalIgnoreCase;
-
-		var docRootFullName = Build.DocumentationSourceDirectory.FullName;
-		var dir = file.Directory;
-		while (dir != null && !string.Equals(dir.FullName, docRootFullName, cmp))
-		{
-			if (dir.Name.StartsWith('.'))
-			{
-				this.EmitError("Include path must not traverse hidden directories.");
-				Found = false;
-				return;
-			}
-
-			if (dir is { Exists: true, LinkTarget: not null })
-			{
-				this.EmitError("Include path must not traverse symlinked directories.");
-				Found = false;
-				return;
-			}
-
-			dir = dir.Parent;
-		}
-	}
 }

src/Elastic.Markdown/Myst/Directives/Settings/SettingsBlock.cs

@@ -4,6 +4,7 @@
 
 using System.IO.Abstractions;
 using Elastic.Documentation.Configuration;
+using Elastic.Documentation.Extensions;
 using Elastic.Markdown.Diagnostics;
 using Elastic.Markdown.Helpers;
 using Elastic.Markdown.Myst;
@@ -129,7 +130,27 @@ private void ExtractInclusionPath(ParserContext context)
 		if (includePath.StartsWith('/'))
 			includeFrom = Build.DocumentationSourceDirectory.FullName;
 
-		IncludePath = Path.Join(includeFrom, includePath.TrimStart('/'));
+		var trimmedPath = includePath.TrimStart('/');
+		if (Path.IsPathRooted(trimmedPath))
+		{
+			this.EmitError("Settings path must not be an absolute path.");
+			return;
+		}
+
+		IncludePath = Path.GetFullPath(Path.Join(includeFrom, trimmedPath));
+		var file = Build.ReadFileSystem.FileInfo.New(IncludePath);
+		if (!file.IsSubPathOf(Build.DocumentationSourceDirectory))
+		{
+			this.EmitError("Settings path must resolve within the documentation source directory.");
+			return;
+		}
+
+		if (SymlinkValidator.ValidateFileAccess(file, Build.DocumentationSourceDirectory) is { } accessError)
+		{
+			this.EmitError(accessError);
+			return;
+		}
+
 		if (Build.ReadFileSystem.File.Exists(IncludePath))
 			Found = true;
 		else