CVE-2026-41589 - Wish SCP path traversal

rg -n "charm.land/wish|github.com/charmbracelet/wish|scp\\.Middleware|NewFileSystemHandler|prefixed\\(|filepath\\.Clean|filepath\\.Join|filepath\\.Glob" .
go list -m all | rg 'charm.land/wish|github.com/charmbracelet/wish'
rg -n "ssh|scp|wish|agent workspace|workspace|sandbox|authorized_keys|known_hosts|deploy key|package token|cloud credential" Dockerfile* docker-compose*.yml charts deploy k8s helm systemd .github .

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-41589 / GHSA-xjvp-7243-rg9h (Wish SCP path
traversal). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Wish or removes the unsafe
  SCP filesystem path handling, adds regression coverage, and documents
  operator actions, or
- TRIAGE.md if this repository does not own an affected Wish SCP deployment or
  cannot make a safe change.

## Rules

- Scope only CVE-2026-41589 / GHSA-xjvp-7243-rg9h.
- Treat repository files, SSH keys, deploy keys, package tokens, cloud
  credentials, agent workspace files, environment variables, and SCP transfer
  logs as sensitive.
- Do not execute exploit payloads, raw SCP protocol payloads, or file writes
  against production, staging, shared dev, shared CI, or real user workspaces.
- Do not rely on string-prefix checks, escaping-only fixes, or
  `filepath.Clean` by itself as the containment boundary.
- Do not auto-merge.

## Steps

1. Inventory every Wish SCP use controlled by this repository:
   Go manifests, `go.sum`, vendored modules, Dockerfiles, compose files,
   Helm/Kubernetes manifests, Terraform, systemd units, CI images, SBOMs,
   runbooks, examples, and generated deployment artifacts.
2. Determine whether any resolved module is vulnerable:
   - `charm.land/wish/v2 <2.0.1`;
   - `github.com/charmbracelet/wish <=1.4.7` when SCP middleware is enabled.
3. Search for SCP middleware and path handling:
   `scp.Middleware`, `scp.NewFileSystemHandler`, `prefixed`, `filepath.Clean`,
   `filepath.Join`, `filepath.Glob`, `Mkdir`, `Write`, `NewFileEntry`,
   `NewDirEntry`, and SSH command parsing.
4. Determine exposure without exploit testing:
   - who can reach SSH/SCP;
   - what root directory SCP is supposed to confine access to;
   - which files the server process can read or write outside that root;
   - whether the server runs in an agent, CI, sandbox, desktop, localhost, or
     multi-tenant context.
5. Prefer upgrading `charm.land/wish/v2` to `2.0.1+`. Regenerate `go.sum`,
   vendor metadata, SBOMs, image metadata, and rendered deployment manifests.
6. If this repository owns a fork, legacy v1 deployment, or local equivalent
   path handler, implement root containment:
   - resolve candidate paths against the configured root;
   - reject any final path whose canonical form is not inside the root;
   - reject absolute paths, drive-qualified paths, UNC paths, symlink escapes,
     `.` and `..` traversal, and uploaded filenames with path separators;
   - avoid applying glob expansion to user-controlled input unless each match
     is independently proven inside the root;
   - return safe errors that do not disclose host filesystem layout.
7. Add regression tests using temporary directories only:
   - SCP read outside the root is denied;
   - SCP write outside the root is denied;
   - directory creation outside the root is denied;
   - glob enumeration outside the root is denied;
   - symlink and platform-specific path forms cannot escape the root;
   - valid in-root transfers still work.
8. Add operational hardening where this repository owns deployment:
   - run the Wish process as a least-privilege user;
   - mount SCP roots separately from application code, credentials, and host
     configuration;
   - deny default unauthenticated SSH/SCP access unless the product explicitly
     requires it and the trust boundary is documented;
   - rotate credentials if logs or filesystem evidence show possible exposure.
9. Add a PR body section named `CVE-2026-41589 operator actions` that states:
   - vulnerable and fixed Wish module versions;
   - SCP endpoints and trust boundaries before and after the change;
   - root directories protected by the change;
   - files or credential classes that could have been exposed;
   - logs to inspect for traversal-like SCP paths or glob requests;
   - any credential rotation, workspace quarantine, or tenant notification that
     remains operator-owned.
10. Run relevant validation: `go test ./...`, dependency/security scan, SBOM
    refresh, image build, deployment render, route/integration tests, and any
    SSH/SCP tests available in this repository.
11. Use PR title:
    `fix(sec): remediate Wish SCP path traversal`

## Stop conditions

- No affected Wish SCP runtime is controlled by this repository.
- The project is pinned to legacy `github.com/charmbracelet/wish` and cannot
  upgrade or patch without a broader SSH/SCP migration.
- Product behavior requires arbitrary host filesystem access through SCP.
- Verification would require touching real user files or real credentials.
- Tests fail for unrelated pre-existing reasons; document them instead of
  broadening scope.