fix: use SID-based ACL classification for non-English Windows

2026-05-09 05:17:40 +00:00 · 2026-02-22 09:13:50 +00:00
parent 35d5bd4e07
commit 85a3c0c818
2 changed files with 131 additions and 0 deletions
--- a/src/security/windows-acl.ts
+++ b/src/security/windows-acl.ts
@@ -37,6 +37,13 @@ const TRUSTED_BASE = new Set([
 const WORLD_SUFFIXES = ["\\users", "\\authenticated users"];
 const TRUSTED_SUFFIXES = ["\\administrators", "\\system"];

+const SID_RE = /^s-\d+-\d+(-\d+)+$/i;
+const TRUSTED_SIDS = new Set([
+  "s-1-5-18",
+  "s-1-5-32-544",
+  "s-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464",
+]);
+
 const normalize = (value: string) => value.trim().toLowerCase();

 export function resolveWindowsUserPrincipal(env?: NodeJS.ProcessEnv): string | null {
@@ -59,6 +66,10 @@ function buildTrustedPrincipals(env?: NodeJS.ProcessEnv): Set<string> {
      trusted.add(normalize(userOnly));
    }
  }
+  const userSid = env?.USERSID?.trim().toLowerCase();
+  if (userSid && SID_RE.test(userSid)) {
+    trusted.add(userSid);
+  }
  return trusted;
 }

@@ -68,6 +79,11 @@ function classifyPrincipal(
 ): "trusted" | "world" | "group" {
  const normalized = normalize(principal);
  const trusted = buildTrustedPrincipals(env);
+
+  if (SID_RE.test(normalized)) {
+    return TRUSTED_SIDS.has(normalized) || trusted.has(normalized) ? "trusted" : "group";
+  }
+
  if (trusted.has(normalized) || TRUSTED_SUFFIXES.some((s) => normalized.endsWith(s))) {
    return "trusted";
  }
@@ -118,6 +134,10 @@ export function parseIcaclsOutput(output: string, targetPath: string): WindowsAc
      continue;
    }

+    if (!entry.includes("(")) {
+      continue;
+    }
+
    const idx = entry.indexOf(":");
    if (idx === -1) {
      continue;