You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Reviewed the one-commit change to main.go that makes clean remove session dirs after stopping containers.
Issues flagged inline:
Silent error suppression (main.go:218-224) — _ = os.RemoveAll(...) hides exactly the failure mode this PR is meant to address. If removal fails (perms, open file, etc.), the user gets no signal and the leftover persists. Surface with at least slog.Warn.
Path-traversal via user-supplied session arg (main.go:222) — session comes straight from CLI args. filepath.Join(sessionsDir, "..") resolves to the parent of sessionsDir, so playground clean .. would RemoveAll the whole playground state dir. Validate that the joined path stays under sessionsDir, or reject names with path separators / ...
Early-return skips cleanup on partial failure (main.go:213) — If StopSession errors on any one session in the loop, the function returns before the new dir-removal block runs. For clean all, one failing docker-compose down means none of the remaining session dirs get cleaned — the exact leak this PR addresses. Consider best-effort: collect errors from the stop loop but still attempt dir cleanup.
Other notes (non-blocking):
The temp bind-mount dir under $TMPDIR/builder-playground/<sessionID> (see utils/temp.go) is not touched by this change. clean all users may reasonably expect those to be cleaned too; today they're only "auto-removed at reboot" per the warning in main.go:739.
GetLocalSessions() only returns sessions that still have docker containers, so clean all won't enumerate orphaned session dirs. That's fine here because the isAll branch removes the whole sessionsDir wholesale — but it does mean the latest symlink disappears as a side effect, which is probably the intent.
· Branch: caner/clean-all-remove-dirs
Re-reviewed after fixup commit c3cb3a1 ("simplify logic and handle errors").
Status of issues from the prior round:
Silent error suppression — fixed in c3cb3a1. os.RemoveAll failures are now surfaced via slog.Warn for both the all and per-session paths.
Path-traversal via user-supplied session arg — still present (main.go:228). session is unvalidated; playground clean .. resolves filepath.Join(sessionsDir, "..") to the parent of sessionsDir and os.RemoveAll wipes the entire playground state dir. clean ../.. can reach further, up to ~/.local/state. See inline comment for a fix sketch using filepath.Rel.
Early-return skips cleanup on partial StopSession failure — still present (main.go:207-212 → early-returns before the new cleanup block at main.go:213). For clean all, one failing docker-compose down means every remaining session dir leaks — the regression this PR is meant to eliminate. See inline comment for a best-effort sketch using errors.Join.
Other notes (non-blocking, unchanged from prior review):
Temp bind-mount dirs under $TMPDIR/builder-playground/<sessionID> (see utils/temp.go) are still not touched by clean. Users running clean all may reasonably expect those too.
GetLocalSessions() only enumerates sessions that still have docker containers, so orphaned session dirs won't be cleaned by name — but the isAll branch RemoveAlls the whole sessionsDir wholesale, so this is only an issue for the per-session path.
· Branch: caner/clean-all-remove-dirs
Re-review (after commit e466b63 "avoid accidental dir removal")
Status of issues from prior review rounds:
Silent error suppression — fixed in c3cb3a1 (first re-review round). os.RemoveAll failures are surfaced via slog.Warn on both paths.
Path-traversal via user-supplied session arg — fixed in e466b63. The new sessionNameRegex (^[a-z0-9]+(-[a-z0-9]+)*$) at main.go:184 is validated before cleanup and disallows /, \, ., and .., matching the format produced by utils.GeneratePetName(). Refusing to combine all with named sessions is also a nice tightening.
Early-return on partial StopSession failure — still present (main.go:221-226 → return err short-circuits before the new cleanup block at main.go:227). For clean all, one failing docker-compose down still leaks every remaining session dir — the regression this PR is meant to eliminate. See the inline comment on main.go:227 for a sketch using errors.Join on the clean path.
Other notes (non-blocking, unchanged from prior rounds):
Temp bind-mount dirs under $TMPDIR/builder-playground/<sessionID> (see utils/temp.go) are still not touched by clean. Users running clean all may reasonably expect those too.
GetLocalSessions() only enumerates sessions with live docker containers, so orphaned session dirs won't be cleaned by name — but the isAll branch wipes sessionsDir wholesale, so this only matters on the per-session path.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
No description provided.