fix: use atomic rename that refuses existing destinations #93

Open
leno23 wants to merge 1 commit into dolph:main from leno23:fix/rename-noreplace-issue-4-v2

@leno23 leno23 commented May 30, 2026

Fixes #4

Made with Cursor

Replace Stat-then-Rename with RENAME_NOREPLACE / RENAME_EXCL so concurrent
creates cannot be silently overwritten during path renames.

Fixes dolph#4

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4105a0167d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread rename_windows.go
} else if !errors.Is(err, os.ErrNotExist) {
return fmt.Errorf("stat rename destination %v: %w", newpath, err)
}
return os.Rename(oldpath, newpath)
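
Review bot: the final `return os.Rename(oldpath, newpath)` is a separate call from the destination check that precedes it, and on Windows os.Rename moves with replace-existing semantics, so the check does not bind the rename. Call MoveFileEx directly without the MOVEFILE_REPLACE_EXISTING flag (both are exposed by golang.org/x/sys/windows) so the operating system itself refuses an existing newpath, and map its already-exists error to the refusal error; the stat branch then only serves to produce a friendlier message.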

[P1] Use a non-replacing rename on Windows

On Windows this still has the same TOCTOU clobber window: os.Rename is implemented with replace-existing semantics, so any file that appears at newpath after the os.Stat check is overwritten. Because WalkDir renames siblings concurrently, two sibling names that collapse to the same target, e.g. with find="ab", replace="a", can both pass the pre-check and then one rename replaces the other instead of returning the refusal error this change is meant to guarantee.

Useful? React with 👍 / 👎.

Comment thread rename_other.go
} else if !errors.Is(err, os.ErrNotExist) {
return fmt.Errorf("stat rename destination %v: %w", newpath, err)
}
return os.Rename(oldpath, newpath)
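
Review bot: the `errors.Is(err, os.ErrNotExist)` branch treats a not-exist result from the destination stat as "newpath is free", which is wrong for a dangling symlink if the check uses os.Stat rather than os.Lstat: Stat follows the link and reports not-exist, and the rename then replaces the symlink itself. Use os.Lstat for the pre-check so that any existing directory entry at newpath, including a symlink, counts as an existing destination.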

[P1] Avoid the fallback clobbering race on other Unix targets

For the !linux && !darwin && !windows build, this helper is still a stat-then-os.Rename, and on Unix targets such as FreeBSD/Solaris rename replaces an existing non-directory destination. If another concurrent rename creates newpath after the check, including sibling files processed by this tool whose names map to the same replacement target, this path can silently overwrite that file rather than preserving the no-replace guarantee.

Useful? React with 👍 / 👎.

Successfully merging this pull request may close these issues.

TOCTOU race in RenameFile silently overwrites concurrently-created destination
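
One portable way to get the no-replace guarantee that the rename_other.go comment asks for, as an added example that is not code from this pull request: on Unix, link(2) fails if the destination exists, so linking the new name and then removing the old one never overwrites a file. The helper name `renameNoReplace`, the harness `collide` and the file names are assumptions; the names "aab" and "aba" are constructed so that find="ab", replace="a" maps both to "aa".

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"sync"
)

// renameNoReplace (hypothetical helper) moves a regular file without ever
// replacing newpath: the existence check and the creation are one syscall.
func renameNoReplace(oldpath, newpath string) error {
	if err := os.Link(oldpath, newpath); err != nil {
		return fmt.Errorf("refusing to replace %v: %w", newpath, err)
	}
	return os.Remove(oldpath) // drop the old name; the data stays at newpath
}

// collide renames two constructed siblings onto the same target concurrently
// and returns each rename's error plus the names left in the directory.
func collide() (results [2]error, left []string, err error) {
	dir, err := os.MkdirTemp("", "noreplace")
	if err != nil {
		return results, nil, err
	}
	defer os.RemoveAll(dir)
	var wg sync.WaitGroup
	for i, n := range []string{"aab", "aba"} { // constructed sample names
		src := filepath.Join(dir, n)
		if err = os.WriteFile(src, []byte(n), 0o600); err != nil {
			break
		}
		dst := filepath.Join(dir, strings.ReplaceAll(n, "ab", "a"))
		wg.Add(1)
		go func(i int) { results[i] = renameNoReplace(src, dst); wg.Done() }(i)
	}
	wg.Wait()
	if err != nil {
		return results, nil, err
	}
	entries, err := os.ReadDir(dir)
	for _, e := range entries {
		left = append(left, e.Name())
	}
	return results, left, err
}

func main() { fmt.Println(collide()) }
```

Hard links do not work for directories or across filesystems, and both names exist briefly between the link and the remove, so this covers regular files on one filesystem only.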
