@omdxp omdxp commented Dec 7, 2025

This PR adds a new option allowSymlinks to the File transport to give users control over whether symbolic links should be followed when writing logs.

Copilot AI review requested due to automatic review settings December 7, 2025 21:29
Copilot AI left a comment

Pull request overview

This PR adds a new allowSymlinks option to the File transport to control whether symbolic links should be followed when writing logs. When set to false, the transport uses the O_NOFOLLOW flag to prevent writes to symlinks, enhancing security by preventing symlink-based attacks.

Key Changes:

  • Added allowSymlinks option (defaults to true for backward compatibility)
  • Modified stream creation to use O_NOFOLLOW flag when symlinks are disallowed
  • Added comprehensive test coverage for both enabled and disabled symlink handling

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| lib/winston/transports/file.js | Adds allowSymlinks option initialization and implements O_NOFOLLOW flag logic in _createStream method |
| test/unit/winston/transports/file.test.js | Adds new test suite "Symlink Option" with tests for both allowSymlinks: false and default behavior |
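
Added example, not part of this PR and not winston's code: a standalone Node.js sketch of what opening a log file with O_NOFOLLOW does, including the case it does not cover (a symlinked parent directory is still followed). The helper names `appendLog`, `tryAppend`, `demo` and all paths are hypothetical, and the scenario is constructed in a temporary directory on a POSIX system.

```javascript
// Added example; not winston's code. Helper names and paths are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { O_WRONLY, O_APPEND, O_CREAT, O_NOFOLLOW } = fs.constants;

// Append one line to logPath. With allowSymlinks === false the open() call
// carries O_NOFOLLOW, so it fails if the final path component is a symlink.
function appendLog(logPath, line, allowSymlinks) {
  let flags = O_WRONLY | O_APPEND | O_CREAT;
  if (!allowSymlinks) {
    // Not defined on Windows: fail closed rather than silently follow links.
    if (O_NOFOLLOW === undefined) throw new Error('O_NOFOLLOW unavailable');
    flags |= O_NOFOLLOW;
  }
  const fd = fs.openSync(logPath, flags, 0o600);
  try {
    fs.writeSync(fd, line + '\n');
  } finally {
    fs.closeSync(fd);
  }
}

// Returns 'written' on success, otherwise the error code from open().
function tryAppend(logPath, allowSymlinks) {
  try { appendLog(logPath, 'entry', allowSymlinks); return 'written'; }
  catch (err) { return err.code; }
}

// Constructed scenario: app.log -> target.txt, and logs/ -> real/ (directory).
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'nofollow-'));
  try {
    const target = path.join(dir, 'target.txt');
    const link = path.join(dir, 'app.log');
    fs.writeFileSync(target, '');
    fs.symlinkSync(target, link);
    fs.mkdirSync(path.join(dir, 'real'));
    fs.symlinkSync(path.join(dir, 'real'), path.join(dir, 'logs'));
    return {
      followed: tryAppend(link, true),   // write lands in target.txt
      refused: tryAppend(link, false),   // open() rejects the symlink (ELOOP on Linux)
      viaLinkedDir: tryAppend(path.join(dir, 'logs', 'app.log'), false),
      targetContent: fs.readFileSync(target, 'utf8')
    };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```

The `viaLinkedDir` result is the caveat: O_NOFOLLOW only inspects the last path component, so a log directory that is itself a symlink needs a separate check.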

@indexzero indexzero (Member) left a comment

👍 once the workflow runs pass

@omdxp omdxp requested a review from indexzero December 9, 2025 18:45
omdxp (Author) commented Dec 10, 2025

@indexzero I've pushed additional tests to improve coverage and potentially resolve the pipeline failure
