refactor(security): simplify safe-bin validation structure

2026-05-08 09:21:23 +00:00 · 2026-02-19 14:29:58 +01:00
parent 74c51aeb1e
commit 165c18819e
3 changed files with 101 additions and 104 deletions
--- a/src/infra/exec-approvals.test.ts
+++ b/src/infra/exec-approvals.test.ts
@@ -494,7 +494,6 @@ describe("exec approvals safe bins", () => {
          executableName,
        },
        safeBins: normalizeSafeBins(testCase.safeBins ?? [executableName]),
-        cwd,
      });
      expect(ok).toBe(testCase.expected);
    });
@@ -513,7 +512,6 @@ describe("exec approvals safe bins", () => {
      },
      safeBins: normalizeSafeBins(["jq"]),
      trustedSafeBinDirs: new Set(["/custom/bin"]),
-      cwd: "/tmp",
    });
    expect(ok).toBe(true);
  });
@@ -540,48 +538,22 @@ describe("exec approvals safe bins", () => {
      argv: ["sort", "-o", "existing.txt"],
      resolution,
      safeBins,
-      cwd,
    });
    const missing = isSafeBinUsage({
      argv: ["sort", "-o", "missing.txt"],
      resolution,
      safeBins,
-      cwd,
    });
    const longFlag = isSafeBinUsage({
      argv: ["sort", "--output=missing.txt"],
      resolution,
      safeBins,
-      cwd,
    });
    expect(existing).toBe(false);
    expect(missing).toBe(false);
    expect(longFlag).toBe(false);
  });

-  it("does not consult file existence callbacks for safe-bin decisions", () => {
-    if (process.platform === "win32") {
-      return;
-    }
-    let checkedExists = false;
-    const ok = isSafeBinUsage({
-      argv: ["sort", "-o", "target.txt"],
-      resolution: {
-        rawExecutable: "sort",
-        resolvedPath: "/usr/bin/sort",
-        executableName: "sort",
-      },
-      safeBins: normalizeSafeBins(["sort"]),
-      cwd: "/tmp",
-      fileExists: () => {
-        checkedExists = true;
-        return true;
-      },
-    });
-    expect(ok).toBe(false);
-    expect(checkedExists).toBe(false);
-  });
-
  it("threads trusted safe-bin dirs through allowlist evaluation", () => {
    if (process.platform === "win32") {
      return;
@@ -847,7 +819,6 @@ describe("exec approvals node host allowlist check", () => {
      argv: ["unknown-tool", "--help"],
      resolution,
      safeBins: normalizeSafeBins(["jq", "curl"]),
-      cwd: "/tmp",
    });
    expect(safe).toBe(false);
  });
@@ -868,7 +839,6 @@ describe("exec approvals node host allowlist check", () => {
      argv: ["jq", ".foo"],
      resolution,
      safeBins: normalizeSafeBins(["jq"]),
-      cwd: "/tmp",
    });
    // Safe bins are disabled on Windows (PowerShell parsing/expansion differences).
    if (process.platform === "win32") {