From 21ce03087145a4261c1de03b056fba639f699c09 Mon Sep 17 00:00:00 2001
From: Timothy Carambat
Date: Sun, 10 May 2026 13:11:33 -0700
Subject: [PATCH] apply refactor for recursive copy-file with symlinks: GHSA-vjrp-43mm-j7vw

---
 .../agents/aibitat/plugins/filesystem/copy-file.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/server/utils/agents/aibitat/plugins/filesystem/copy-file.js b/server/utils/agents/aibitat/plugins/filesystem/copy-file.js
index fd22cb27..ab18559e 100644
--- a/server/utils/agents/aibitat/plugins/filesystem/copy-file.js
+++ b/server/utils/agents/aibitat/plugins/filesystem/copy-file.js
@@ -3,9 +3,15 @@ const path = require("path");
 const filesystem = require("./lib.js");
 
 async function copyRecursive(source, destination) {
- const stats = await fs.stat(source);
+ const lstat = await fs.lstat(source);
 
- if (stats.isDirectory()) {
+ if (lstat.isSymbolicLink()) {
+ throw new Error(
+ `Cannot copy symbolic link: ${source}. Symlinks are not allowed during copy operations.`
+ );
+ }
+
+ if (lstat.isDirectory()) {
 await fs.mkdir(destination, { recursive: true });
 const entries = await fs.readdir(source);
 for (const entry of entries) {
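Review bot: The new `lstat.isSymbolicLink()` guard is a check-then-use on a path name: it inspects `source` at one instant, while the file copy later in `copyRecursive` (outside this hunk) presumably resolves the same path again, so an entry replaced by a symlink between the two calls would still be followed. If anything else can write to the source tree while the agent copies, consider binding the check to the handle that is actually read, e.g. opening with `fs.open(source, fs.constants.O_RDONLY | fs.constants.O_NOFOLLOW)` on platforms that provide that flag, and copying from the handle. Note also that `lstat` only examines the final path component, so symlinked parent directories of the top-level `source` still depend on whatever validation the caller performs. Because the throw can fire mid-recursion after `fs.mkdir(destination, { recursive: true })` and earlier entries have already run, a tree with a nested symlink leaves a partial copy behind; a comment such as `// Throws on the first symlink found; the destination may be partially written` and a regression test with a nested symlink would make that contract explicit.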