
[pull] main from jdx:main #425

Merged
pull[bot] merged 9 commits into AmadeusITGroup:main from jdx:main on Jun 24, 2026

@pull pull Bot commented Jun 24, 2026


See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

elerch and others added 9 commits June 24, 2026 13:14
Co-authored-by: Jeff Dickey <jdx@mini-base.local>
Co-authored-by: Jeff Dickey <jdx@Jeffs-MacBook-Pro.local>
## Summary

Fixes [discussion
#10483](#10483): on systems where
the shell's working-directory prefix differs from mise's resolved
`$HOME` via a symlink — notably **Fedora Atomic / ostree**, where
`/home` is a symlink to `/var/home` — files in the global config dir
(`~/.config/mise/conf.d/*.toml`, `config.toml`, etc.) are wrongly
treated as **non-global**. Global-only settings get stripped and the
user sees:

```
mise WARN  yes in non-global config /var/home/.../conf.d/externally-managed.toml is ignored for security reasons
```

## Root cause

The same file is produced in two string forms:
- Local discovery globs `.config/mise/conf.d/*.toml` relative to the
shell PWD → `/var/home/<user>/.config/mise/conf.d/x.toml`.
- `global_config_files()` builds it from `$HOME` →
`/home/<user>/.config/mise/conf.d/x.toml`.

`load_config_paths` already treats these as one file (it dedupes via
`file::desymlink_path`), but the security gate
`is_global_config`/`is_system_config` used **raw string equality**
(`IndexSet::contains`). The PWD-derived path isn't byte-equal to the
`$HOME`-derived entry, so the file is judged non-global and
`strip_local_only_settings` removes the global-only keys.

## Fix

Make the global/system membership checks symlink-aware, reusing the
existing `file::desymlink_path` helper that the dedupe path already
trusts. A new private `config_set_contains` keeps a raw-equality **fast
path** (no filesystem hit) and only canonicalizes on a miss:

```rust
fn config_set_contains(set: &IndexSet<PathBuf>, path: &Path) -> bool {
    if set.contains(path) {
        return true;
    }
    let target = file::desymlink_path(path);
    set.iter().any(|p| file::desymlink_path(p) == target)
}
```

`is_global_config`/`is_system_config` now call it. With no symlinked
home (the common case) behavior is unchanged — the fast path matches and
no extra filesystem calls are made. The change only makes
genuinely-global files be recognized as global; it cannot classify an
unrelated local file as global unless it canonicalizes to the exact same
path as a real global config file.

## Testing

Pure, CI-runnable unit test (`#[cfg(unix)]`, models the `/home` →
`/var/home` setup with a real tempdir symlink):
`test_config_set_contains_matches_symlinked_prefix` in
`src/config/mod.rs`. It asserts an exact match (fast path), a
symlinked-prefix match (the bug — false before the fix), and a
non-member. Fails on the unpatched tree, passes after.

`rustfmt --edition 2024 --check` passes.

> [!NOTE]
> The authoring sandbox can't build mise (insufficient memory), so
> compile/clippy/tests are left to CI. Manual check for a maintainer on an
> ostree box (`/home` → `/var/home`): put `yes = true` in
> `~/.config/mise/conf.d/x.toml`, run a mise command from `$HOME`, and
> confirm the "ignored for security reasons" warning is gone and the
> setting is honored; a genuinely local `mise.toml` with a global-only key
> should still warn/strip.

🤖 Generated with [Claude Code](https://claude.com/claude-code)


## Summary by CodeRabbit

* **Bug Fixes**
  * Improved detection of global and system configuration files when
    reached via symlinked path prefixes.
  * Configuration matching now correctly recognizes the same config file
    through canonicalized/desymlinked paths, reducing missed valid configs.
* **Tests**
  * Added coverage to ensure config matching works for both exact paths
    and symlink-prefix aliases.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
@pull pull Bot locked and limited conversation to collaborators Jun 24, 2026
@pull pull Bot added the ⤵️ pull label Jun 24, 2026
@pull pull Bot merged commit 68fd24a into AmadeusITGroup:main Jun 24, 2026
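
Added example (not code from the mise repository or from this PR): a std-only Rust reproduction of the path mismatch the commit message describes, comparing raw set membership with a symlink-aware check on a temporary `home` → `var/home` layout. The names `canon`, `set_contains` and `demo` are hypothetical; `fs::canonicalize` stands in for mise's `file::desymlink_path`, whose exact behavior is not shown on this page, and a `HashSet` replaces `IndexSet`. Unix only.

```rust
use std::collections::HashSet;
use std::fs;
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};

// Stand-in for mise's `file::desymlink_path` (assumption: resolve symlinks,
// fall back to the unchanged path when it cannot be resolved).
fn canon(p: &Path) -> PathBuf {
    fs::canonicalize(p).unwrap_or_else(|_| p.to_path_buf())
}

// Same shape as the helper in the commit message, over a std HashSet.
fn set_contains(set: &HashSet<PathBuf>, path: &Path) -> bool {
    if set.contains(path) {
        return true; // fast path: byte-equal, no filesystem access
    }
    let target = canon(path);
    set.iter().any(|p| canon(p) == target)
}

// Builds a constructed tree with home -> var/home and returns
// (raw equality result, symlink-aware result, unrelated local file result).
fn demo() -> std::io::Result<(bool, bool, bool)> {
    let root = std::env::temp_dir().join(format!("mise-symlink-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    let conf_d = root.join("var/home/user/.config/mise/conf.d");
    fs::create_dir_all(&conf_d)?;
    fs::write(conf_d.join("x.toml"), "")?;
    symlink(root.join("var/home"), root.join("home"))?;
    let project = root.join("var/home/user/project"); // genuinely local config
    fs::create_dir_all(&project)?;
    fs::write(project.join("mise.toml"), "")?;

    let mut globals = HashSet::new();
    globals.insert(root.join("home/user/.config/mise/conf.d/x.toml")); // $HOME-derived form
    let via_pwd = conf_d.join("x.toml"); // PWD-derived form of the same file
    let out = (
        globals.contains(&via_pwd),
        set_contains(&globals, &via_pwd),
        set_contains(&globals, &project.join("mise.toml")),
    );
    fs::remove_dir_all(&root)?;
    Ok(out)
}

fn main() {
    println!("{:?}", demo().expect("demo setup failed"));
}
```

The middle value is the case the fix addresses; the last value shows that a local file which does not canonicalize to a global config path stays outside the trusted set.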