fix: harden exec allowlist regex literal handling (#32162) (thanks @stakeswky)

2026-05-11 20:13:43 +00:00 · 2026-03-02 21:26:09 +00:00
parent 8da8756f76
commit 21d6d878ce
2 changed files with 11 additions and 0 deletions
--- a/src/infra/exec-approvals.test.ts
+++ b/src/infra/exec-approvals.test.ts
@@ -102,6 +102,16 @@ describe("exec approvals allowlist matching", () => {
    });
    expect(match?.pattern).toBe("/usr/bin/*++");
  });
+
+  it("matches paths containing []() regex tokens literally", () => {
+    const literalPattern = "/opt/builds/tool[1](stable)";
+    const match = matchAllowlist([{ pattern: literalPattern }], {
+      rawExecutable: literalPattern,
+      resolvedPath: literalPattern,
+      executableName: "tool[1](stable)",
+    });
+    expect(match?.pattern).toBe(literalPattern);
+  });
 });

 describe("mergeExecApprovalsSocketDefaults", () => {