fix: block safeBins sort --compress-program bypass

2026-05-09 16:04:33 +00:00 · 2026-02-21 19:13:53 +01:00
parent bdfb97afad
commit 57fbbaebca
6 changed files with 54 additions and 4 deletions
--- a/src/infra/exec-safe-bin-policy.ts
+++ b/src/infra/exec-safe-bin-policy.ts
@@ -151,7 +151,6 @@ export const SAFE_BIN_PROFILE_FIXTURES: Record<string, SafeBinProfileFixture> =
      "--field-separator",
      "--buffer-size",
      "--temporary-directory",
-      "--compress-program",
      "--parallel",
      "--batch-size",
      "--random-source",
@@ -163,7 +162,8 @@ export const SAFE_BIN_PROFILE_FIXTURES: Record<string, SafeBinProfileFixture> =
      "-T",
      "-o",
    ],
-    blockedFlags: ["--files0-from", "--output", "-o"],
+    // --compress-program can invoke an external executable and breaks stdin-only guarantees.
+    blockedFlags: ["--compress-program", "--files0-from", "--output", "-o"],
  },
  uniq: {
    maxPositional: 0,