add comment

cbrnrd · cbrnrd · commit a0e19e870fe3 · 2026-03-27T11:22:08.000-04:00
diff --git a/internal/batches/executor/run_steps.go b/internal/batches/executor/run_steps.go
@@ -610,6 +610,7 @@ func createCidFile(ctx context.Context, tempDir string, repoSlug string) (string
 }
 
 func getAbsoluteMountPath(batchSpecDir string, mountPath string) (string, error) {
+	// Use OpenRoot to prevent path traversal and symlink attacks via mount paths
 	root, err := os.OpenRoot(batchSpecDir)
 	if err != nil {
 		return "", errors.Wrap(err, "opening batch spec directory")

Original file line number	Diff line number	Diff line change
`@@ -610,6 +610,7 @@ func createCidFile(ctx context.Context, tempDir string, repoSlug string) (string`
`610`	`610`	`}`
`611`	`611`
`612`	`612`	`func getAbsoluteMountPath(batchSpecDir string, mountPath string) (string, error) {`
	`613`	`+ // Use OpenRoot to prevent path traversal and symlink attacks via mount paths`
`613`	`614`	`root, err := os.OpenRoot(batchSpecDir)`
`614`	`615`	`if err != nil {`
`615`	`616`	`return "", errors.Wrap(err, "opening batch spec directory")`