fix(security): harden allow-always wrapper persistence

2026-05-08 20:38:27 +00:00 · 2026-02-22 22:54:21 +01:00
parent 4adfe80027
commit 24c954d972
8 changed files with 387 additions and 11 deletions
--- a/src/infra/system-run-command.test.ts
+++ b/src/infra/system-run-command.test.ts
@@ -36,6 +36,22 @@ describe("system run command helpers", () => {
    );
  });

+  test("extractShellCommandFromArgv unwraps known dispatch wrappers before shell wrappers", () => {
+    expect(extractShellCommandFromArgv(["/usr/bin/nice", "/bin/bash", "-lc", "echo hi"])).toBe(
+      "echo hi",
+    );
+    expect(
+      extractShellCommandFromArgv([
+        "/usr/bin/timeout",
+        "--signal=TERM",
+        "5",
+        "zsh",
+        "-lc",
+        "echo hi",
+      ]),
+    ).toBe("echo hi");
+  });
+
  test("extractShellCommandFromArgv supports fish and pwsh wrappers", () => {
    expect(extractShellCommandFromArgv(["fish", "-c", "echo hi"])).toBe("echo hi");
    expect(extractShellCommandFromArgv(["pwsh", "-Command", "Get-Date"])).toBe("Get-Date");