refactor: harden safe-bin trusted dir diagnostics

2026-05-10 03:22:44 +00:00 · 2026-02-24 23:29:12 +00:00
parent 5c2a483375
commit 4355e08262
10 changed files with 391 additions and 7 deletions
--- a/src/infra/exec-safe-bin-runtime-policy.ts
+++ b/src/infra/exec-safe-bin-runtime-policy.ts
@@ -6,7 +6,12 @@ import {
  type SafeBinProfileFixture,
  type SafeBinProfileFixtures,
 } from "./exec-safe-bin-policy.js";
-import { getTrustedSafeBinDirs, normalizeTrustedSafeBinDirs } from "./exec-safe-bin-trust.js";
+import {
+  getTrustedSafeBinDirs,
+  listWritableExplicitTrustedSafeBinDirs,
+  normalizeTrustedSafeBinDirs,
+  type WritableTrustedSafeBinDir,
+} from "./exec-safe-bin-trust.js";

 export type ExecSafeBinConfigScope = {
  safeBins?: string[] | null;
@@ -99,12 +104,14 @@ export function resolveMergedSafeBinProfileFixtures(params: {
 export function resolveExecSafeBinRuntimePolicy(params: {
  global?: ExecSafeBinConfigScope | null;
  local?: ExecSafeBinConfigScope | null;
+  onWarning?: (message: string) => void;
 }): {
  safeBins: Set<string>;
  safeBinProfiles: Readonly<Record<string, SafeBinProfile>>;
  trustedSafeBinDirs: ReadonlySet<string>;
  unprofiledSafeBins: string[];
  unprofiledInterpreterSafeBins: string[];
+  writableTrustedSafeBinDirs: ReadonlyArray<WritableTrustedSafeBinDir>;
 } {
  const safeBins = resolveSafeBins(params.local?.safeBins ?? params.global?.safeBins);
  const safeBinProfiles = resolveSafeBinProfiles(
@@ -116,17 +123,35 @@ export function resolveExecSafeBinRuntimePolicy(params: {
  const unprofiledSafeBins = Array.from(safeBins)
    .filter((entry) => !safeBinProfiles[entry])
    .toSorted();
+  const explicitTrustedSafeBinDirs = [
+    ...normalizeTrustedSafeBinDirs(params.global?.safeBinTrustedDirs),
+    ...normalizeTrustedSafeBinDirs(params.local?.safeBinTrustedDirs),
+  ];
  const trustedSafeBinDirs = getTrustedSafeBinDirs({
-    extraDirs: [
-      ...normalizeTrustedSafeBinDirs(params.global?.safeBinTrustedDirs),
-      ...normalizeTrustedSafeBinDirs(params.local?.safeBinTrustedDirs),
-    ],
+    extraDirs: explicitTrustedSafeBinDirs,
  });
+  const writableTrustedSafeBinDirs = listWritableExplicitTrustedSafeBinDirs(
+    explicitTrustedSafeBinDirs,
+  );
+  if (params.onWarning) {
+    for (const hit of writableTrustedSafeBinDirs) {
+      const scope =
+        hit.worldWritable || hit.groupWritable
+          ? hit.worldWritable
+            ? "world-writable"
+            : "group-writable"
+          : "writable";
+      params.onWarning(
+        `exec: safeBinTrustedDirs includes ${scope} directory '${hit.dir}'; remove trust or tighten permissions (for example chmod 755).`,
+      );
+    }
+  }
  return {
    safeBins,
    safeBinProfiles,
    trustedSafeBinDirs,
    unprofiledSafeBins,
    unprofiledInterpreterSafeBins: listInterpreterLikeSafeBins(unprofiledSafeBins),
+    writableTrustedSafeBinDirs,
  };
 }