fix(security): harden safeBins long-option validation

2026-05-10 10:55:07 +00:00 · 2026-02-23 23:55:28 +00:00
parent 7b4d2cb5cb
commit 3b8e33037a
4 changed files with 136 additions and 8 deletions
--- a/src/infra/exec-approvals-safe-bins.test.ts
+++ b/src/infra/exec-approvals-safe-bins.test.ts
@@ -81,6 +81,41 @@ describe("exec approvals safe bins", () => {
      takesValue: true,
      label: "blocks sort external program flag",
    }),
+    ...buildDeniedFlagVariantCases({
+      executableName: "sort",
+      resolvedPath: "/usr/bin/sort",
+      flag: "--compress-prog",
+      takesValue: true,
+      label: "blocks sort denied flag abbreviations",
+    }),
+    ...buildDeniedFlagVariantCases({
+      executableName: "sort",
+      resolvedPath: "/usr/bin/sort",
+      flag: "--files0-fro",
+      takesValue: true,
+      label: "blocks sort denied flag abbreviations",
+    }),
+    ...buildDeniedFlagVariantCases({
+      executableName: "sort",
+      resolvedPath: "/usr/bin/sort",
+      flag: "--random-source",
+      takesValue: true,
+      label: "blocks sort filesystem-dependent flags",
+    }),
+    ...buildDeniedFlagVariantCases({
+      executableName: "sort",
+      resolvedPath: "/usr/bin/sort",
+      flag: "--temporary-directory",
+      takesValue: true,
+      label: "blocks sort filesystem-dependent flags",
+    }),
+    ...buildDeniedFlagVariantCases({
+      executableName: "sort",
+      resolvedPath: "/usr/bin/sort",
+      flag: "-T",
+      takesValue: true,
+      label: "blocks sort filesystem-dependent flags",
+    }),
    ...buildDeniedFlagVariantCases({
      executableName: "grep",
      resolvedPath: "/usr/bin/grep",
@@ -123,6 +158,13 @@ describe("exec approvals safe bins", () => {
      takesValue: true,
      label: "blocks wc file-list flag",
    }),
+    ...buildDeniedFlagVariantCases({
+      executableName: "wc",
+      resolvedPath: "/usr/bin/wc",
+      flag: "--files0-fro",
+      takesValue: true,
+      label: "blocks wc denied flag abbreviations",
+    }),
  ];

  const cases: SafeBinCase[] = [
@@ -163,6 +205,22 @@ describe("exec approvals safe bins", () => {
      safeBins: ["grep"],
      executableName: "grep",
    },
+    {
+      name: "rejects unknown long options in safe-bin mode",
+      argv: ["sort", "--totally-unknown=1"],
+      resolvedPath: "/usr/bin/sort",
+      expected: false,
+      safeBins: ["sort"],
+      executableName: "sort",
+    },
+    {
+      name: "rejects ambiguous long-option abbreviations in safe-bin mode",
+      argv: ["sort", "--f=1"],
+      resolvedPath: "/usr/bin/sort",
+      expected: false,
+      safeBins: ["sort"],
+      executableName: "sort",
+    },
  ];

  for (const testCase of cases) {