Add 6 copy/move safety checks to prevent data loss

- Canonicalize paths in recursion check (prevents ".." and symlink bypass)
- Pre-flight destination writability check (access W_OK)
- Pre-flight disk space validation after scan (statvfs comparison)
- Inode identity check prevents copy-over-self via symlinks/hard links
- Path/name length validation (255-byte name, 1024-byte path limits)
- Special file filtering skips sockets, FIFOs, devices during scan

Author: claude

apps/desktop/src-tauri/src/file_system/write_operations/copy.rs

@@ -12,7 +12,9 @@ use std::time::{Duration, Instant};
 #[cfg(target_os = "macos")]
 use crate::file_system::macos_copy::{CopyProgressContext, copy_single_file_native, copy_symlink};
 
-use super::helpers::{resolve_conflict, safe_overwrite_file, spawn_async_sync};
+use super::helpers::{
+    is_same_file, resolve_conflict, safe_overwrite_file, spawn_async_sync, validate_disk_space, validate_path_length,
+};
 use super::scan::{handle_dry_run, scan_sources, take_cached_scan_result};
 use super::state::{CopyTransaction, WriteOperationState, update_operation_status};
 use super::types::{
@@ -106,6 +108,9 @@ pub(super) fn copy_files_with_progress(
         scan_result.total_bytes
     );
 
+    // Pre-flight disk space check: verify destination has enough free space
+    validate_disk_space(destination, scan_result.total_bytes)?;
+
     // Phase 2: Copy files in sorted order with rollback support
     let mut transaction = CopyTransaction::new();
     let mut files_done = 0;
@@ -344,6 +349,9 @@ fn copy_single_file_sorted(
             (dest_path.clone(), false)
         };
 
+        // Validate destination path length limits
+        validate_path_length(&actual_dest)?;
+
         if needs_safe_overwrite {
             if actual_dest.is_dir() {
                 fs::remove_dir_all(&actual_dest).map_err(|e| WriteOperationError::IoError {
@@ -401,6 +409,20 @@ fn copy_single_file_sorted(
             (dest_path.clone(), false)
         };
 
+        // Validate destination path length limits
+        validate_path_length(&actual_dest)?;
+
+        // Prevent copying a file over itself via symlinks (same inode + device)
+        if is_same_file(source, &actual_dest) {
+            log::warn!(
+                "copy: skipping {}: source and destination resolve to the same file",
+                source.display()
+            );
+            *files_done += 1;
+            *bytes_done += metadata.len();
+            return Ok(());
+        }
+
         // Check cancellation before copy
         if state.cancelled.load(Ordering::Relaxed) {
             return Err(WriteOperationError::Cancelled {
@@ -554,6 +576,9 @@ pub(super) fn copy_path_recursive(
             (dest_path.clone(), false)
         };
 
+        // Validate destination path length limits
+        validate_path_length(&actual_dest)?;
+
         // For symlink overwrite, remove the existing symlink/file first (safe since we can recreate)
         if needs_safe_overwrite {
             if actual_dest.is_dir() {
@@ -610,6 +635,20 @@ pub(super) fn copy_path_recursive(
             (dest_path.clone(), false)
         };
 
+        // Validate destination path length limits
+        validate_path_length(&actual_dest)?;
+
+        // Prevent copying a file over itself via symlinks (same inode + device)
+        if is_same_file(source, &actual_dest) {
+            log::warn!(
+                "copy: skipping {}: source and destination resolve to the same file",
+                source.display()
+            );
+            *files_done += 1;
+            *bytes_done += metadata.len();
+            return Ok(());
+        }
+
         // Check cancellation before copy
         if state.cancelled.load(Ordering::Relaxed) {
             return Err(WriteOperationError::Cancelled {
@@ -730,6 +769,9 @@ pub(super) fn copy_path_recursive(
                 apply_to_all_resolution,
             )?;
         }
+    } else {
+        // Skip special files (sockets, FIFOs, char/block devices)
+        log::warn!("copy: skipping special file: {}", source.display());
     }
 
     Ok(())

apps/desktop/src-tauri/src/file_system/write_operations/helpers.rs

@@ -64,17 +64,160 @@ pub(crate) fn validate_destination_not_inside_source(
     sources: &[PathBuf],
     destination: &Path,
 ) -> Result<(), WriteOperationError> {
+    // Canonicalize destination to resolve symlinks and ".." segments that could
+    // bypass a naive starts_with check (e.g. /foo/bar/../foo/sub → /foo/sub)
+    let canonical_dest = destination.canonicalize().unwrap_or_else(|_| destination.to_path_buf());
+
     for source in sources {
-        if source.is_dir() && destination.starts_with(source) {
-            return Err(WriteOperationError::DestinationInsideSource {
-                source: source.display().to_string(),
-                destination: destination.display().to_string(),
-            });
+        if source.is_dir() {
+            let canonical_source = source.canonicalize().unwrap_or_else(|_| source.to_path_buf());
+            if canonical_dest.starts_with(&canonical_source) {
+                return Err(WriteOperationError::DestinationInsideSource {
+                    source: source.display().to_string(),
+                    destination: destination.display().to_string(),
+                });
+            }
         }
     }
     Ok(())
 }
 
+/// Checks whether the destination directory is writable using access(W_OK).
+#[cfg(unix)]
+pub(crate) fn validate_destination_writable(destination: &Path) -> Result<(), WriteOperationError> {
+    use std::ffi::CString;
+    use std::os::unix::ffi::OsStrExt;
+
+    let c_path = CString::new(destination.as_os_str().as_bytes()).map_err(|_| WriteOperationError::IoError {
+        path: destination.display().to_string(),
+        message: "Invalid path".to_string(),
+    })?;
+
+    // SAFETY: c_path is a valid null-terminated C string
+    let result = unsafe { libc::access(c_path.as_ptr(), libc::W_OK) };
+    if result != 0 {
+        return Err(WriteOperationError::PermissionDenied {
+            path: destination.display().to_string(),
+            message: "Destination folder is not writable. Check folder permissions in Finder.".to_string(),
+        });
+    }
+    Ok(())
+}
+
+#[cfg(not(unix))]
+pub(crate) fn validate_destination_writable(_destination: &Path) -> Result<(), WriteOperationError> {
+    Ok(())
+}
+
+/// Checks available disk space on the destination volume against required bytes.
+/// Uses statvfs on Unix to query free space.
+#[cfg(unix)]
+pub(crate) fn validate_disk_space(destination: &Path, required_bytes: u64) -> Result<(), WriteOperationError> {
+    use std::ffi::CString;
+    use std::mem::MaybeUninit;
+    use std::os::unix::ffi::OsStrExt;
+
+    let c_path = CString::new(destination.as_os_str().as_bytes()).map_err(|_| WriteOperationError::IoError {
+        path: destination.display().to_string(),
+        message: "Invalid path".to_string(),
+    })?;
+
+    let mut stat = MaybeUninit::<libc::statvfs>::uninit();
+    // SAFETY: c_path is a valid null-terminated C string, stat is a valid pointer
+    let result = unsafe { libc::statvfs(c_path.as_ptr(), stat.as_mut_ptr()) };
+    if result != 0 {
+        // Cannot determine space — continue and let the OS report ENOSPC if it happens
+        return Ok(());
+    }
+
+    // SAFETY: statvfs succeeded, stat is initialized
+    let stat = unsafe { stat.assume_init() };
+    // These casts are needed on macOS where f_bavail/f_frsize may not be u64
+    #[allow(
+        clippy::unnecessary_cast,
+        reason = "Required for macOS where statvfs fields are not u64"
+    )]
+    let available = stat.f_bavail as u64 * stat.f_frsize as u64;
+
+    if required_bytes > available {
+        // Determine volume name from mount point for a friendlier message
+        let volume_name = destination
+            .ancestors()
+            .find(|p| p.parent().is_some_and(|pp| pp == Path::new("/Volumes")))
+            .and_then(|p| p.file_name())
+            .map(|n| n.to_string_lossy().to_string());
+
+        return Err(WriteOperationError::InsufficientSpace {
+            required: required_bytes,
+            available,
+            volume_name,
+        });
+    }
+
+    Ok(())
+}
+
+#[cfg(not(unix))]
+pub(crate) fn validate_disk_space(_destination: &Path, _required_bytes: u64) -> Result<(), WriteOperationError> {
+    Ok(())
+}
+
+/// Checks if source and destination resolve to the same file (same inode + device).
+/// This prevents data loss when copying a file over itself via a symlink.
+#[cfg(unix)]
+pub(crate) fn is_same_file(source: &Path, destination: &Path) -> bool {
+    use std::os::unix::fs::MetadataExt;
+
+    let src_meta = match fs::metadata(source) {
+        Ok(m) => m,
+        Err(_) => return false,
+    };
+    let dst_meta = match fs::metadata(destination) {
+        Ok(m) => m,
+        Err(_) => return false,
+    };
+
+    src_meta.dev() == dst_meta.dev() && src_meta.ino() == dst_meta.ino()
+}
+
+#[cfg(not(unix))]
+pub(crate) fn is_same_file(_source: &Path, _destination: &Path) -> bool {
+    false
+}
+
+// ============================================================================
+// Path length validation
+// ============================================================================
+
+/// Maximum file name length in bytes (APFS/HFS+ limit)
+const MAX_NAME_BYTES: usize = 255;
+/// Maximum path length in bytes (macOS PATH_MAX)
+const MAX_PATH_BYTES: usize = 1024;
+
+/// Validates that a destination path doesn't exceed filesystem name/path length limits.
+pub(crate) fn validate_path_length(dest_path: &Path) -> Result<(), WriteOperationError> {
+    // Check total path length
+    let path_str = dest_path.as_os_str();
+    if path_str.len() > MAX_PATH_BYTES {
+        return Err(WriteOperationError::IoError {
+            path: dest_path.display().to_string(),
+            message: format!("Path exceeds maximum length of {} bytes", MAX_PATH_BYTES),
+        });
+    }
+
+    // Check file name component length
+    if let Some(name) = dest_path.file_name()
+        && name.len() > MAX_NAME_BYTES
+    {
+        return Err(WriteOperationError::IoError {
+            path: dest_path.display().to_string(),
+            message: format!("File name exceeds maximum length of {} bytes", MAX_NAME_BYTES),
+        });
+    }
+
+    Ok(())
+}
+
 // ============================================================================
 // Symlink loop detection
 // ============================================================================

apps/desktop/src-tauri/src/file_system/write_operations/mod.rs

@@ -4,6 +4,12 @@
 //! Operations support batch processing (multiple source files) and cancellation.
 //!
 //! Safety features:
+//! - Path canonicalization to prevent ".." and symlink bypass of recursion checks
+//! - Destination writability check before starting
+//! - Pre-flight disk space validation after scan
+//! - Inode identity check to prevent copy-over-self via symlinks/hard links
+//! - Path/name length validation (255-byte name, 1024-byte path)
+//! - Special file filtering (skips sockets, FIFOs, devices)
 //! - macOS copyfile(3) for full metadata preservation (xattrs, ACLs, resource forks)
 //! - Symlink preservation (not dereferenced)
 //! - Symlink loop detection to prevent infinite recursion
@@ -28,7 +34,8 @@ use copy::copy_files_with_progress;
 use delete::delete_files_with_progress;
 #[cfg(not(test))]
 use helpers::{
-    validate_destination, validate_destination_not_inside_source, validate_not_same_location, validate_sources,
+    validate_destination, validate_destination_not_inside_source, validate_destination_writable,
+    validate_not_same_location, validate_sources,
 };
 use move_op::move_files_with_progress;
 #[cfg(not(test))]
@@ -51,7 +58,8 @@ pub use types::{
 #[cfg(test)]
 #[allow(unused_imports, reason = "Re-exports for test modules in file_system")]
 pub(crate) use helpers::{
-    is_same_filesystem, validate_destination, validate_destination_not_inside_source, validate_not_same_location,
+    is_same_file, is_same_filesystem, validate_destination, validate_destination_not_inside_source,
+    validate_destination_writable, validate_disk_space, validate_not_same_location, validate_path_length,
     validate_sources,
 };
 #[cfg(test)]
@@ -84,6 +92,7 @@ pub async fn copy_files_start(
     // Validate inputs
     validate_sources(&sources)?;
     validate_destination(&destination)?;
+    validate_destination_writable(&destination)?;
     validate_not_same_location(&sources, &destination)?;
     validate_destination_not_inside_source(&sources, &destination)?;
 
@@ -166,6 +175,7 @@ pub async fn move_files_start(
     // Validate inputs
     validate_sources(&sources)?;
     validate_destination(&destination)?;
+    validate_destination_writable(&destination)?;
     validate_not_same_location(&sources, &destination)?;
     validate_destination_not_inside_source(&sources, &destination)?;
 

apps/desktop/src-tauri/src/file_system/write_operations/scan.rs

@@ -207,6 +207,9 @@ fn scan_preview_recursive(
                 visited,
             )?;
         }
+    } else {
+        // Skip special files (sockets, FIFOs, char/block devices)
+        log::warn!("scan_preview: skipping special file: {}", path.display());
     }
 
     // Emit progress periodically
@@ -414,6 +417,9 @@ fn scan_path_recursive(
                 visited,
             )?;
         }
+    } else {
+        // Skip special files (sockets, FIFOs, char/block devices)
+        log::warn!("scan: skipping special file: {}", path.display());
     }
 
     // Emit progress periodically
@@ -623,6 +629,9 @@ fn dry_run_scan_recursive(
                 visited,
             )?;
         }
+    } else {
+        // Skip special files (sockets, FIFOs, char/block devices)
+        log::warn!("dry_run_scan: skipping special file: {}", path.display());
     }
 
     // Emit progress periodically