fix(security): harden exec wrapper allowlist execution parity

2026-05-09 23:14:32 +00:00 · 2026-02-24 01:51:33 +00:00
parent 5eb72ab769
commit a1c4bf07c6
12 changed files with 289 additions and 65 deletions
--- a/src/infra/exec-approvals-safe-bins.test.ts
+++ b/src/infra/exec-approvals-safe-bins.test.ts
@@ -221,6 +221,14 @@ describe("exec approvals safe bins", () => {
      safeBins: ["sort"],
      executableName: "sort",
    },
+    {
+      name: "rejects unknown short options in safe-bin mode",
+      argv: ["tr", "-S", "a", "b"],
+      resolvedPath: "/usr/bin/tr",
+      expected: false,
+      safeBins: ["tr"],
+      executableName: "tr",
+    },
  ];

  for (const testCase of cases) {
@@ -464,4 +472,21 @@ describe("exec approvals safe bins", () => {
    expect(result.segmentSatisfiedBy).toEqual([null]);
    expect(result.segments[0]?.resolution?.resolvedPath).toBe(fakeHead);
  });
+
+  it("fails closed for semantic env wrappers in allowlist mode", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const result = evaluateShellAllowlist({
+      command: "env -S 'sh -c \"echo pwned\"' tr",
+      allowlist: [{ pattern: "/usr/bin/tr" }],
+      safeBins: normalizeSafeBins(["tr"]),
+      cwd: "/tmp",
+      platform: process.platform,
+    });
+    expect(result.analysisOk).toBe(true);
+    expect(result.allowlistSatisfied).toBe(false);
+    expect(result.segmentSatisfiedBy).toEqual([null]);
+    expect(result.segments[0]?.resolution?.policyBlocked).toBe(true);
+  });
 });