refactor(security): extract safeBins trust resolver

2026-05-08 03:11:25 +00:00 · 2026-02-18 05:01:25 +01:00
parent e8154c12e6
commit ac0db68235
5 changed files with 221 additions and 81 deletions
--- a/src/infra/exec-approvals.test.ts
+++ b/src/infra/exec-approvals.test.ts
@@ -385,44 +385,60 @@ describe("exec approvals shell allowlist (chained commands)", () => {
 });

 describe("exec approvals safe bins", () => {
-  it("allows safe bins with non-path args", () => {
-    if (process.platform === "win32") {
-      return;
-    }
-    const dir = makeTempDir();
-    const ok = isSafeBinUsage({
-      argv: ["jq", ".foo"],
-      resolution: {
-        rawExecutable: "jq",
-        resolvedPath: "/usr/bin/jq",
-        executableName: "jq",
-      },
-      safeBins: normalizeSafeBins(["jq"]),
-      cwd: dir,
-    });
-    expect(ok).toBe(true);
-  });
+  type SafeBinCase = {
+    name: string;
+    argv: string[];
+    resolvedPath: string;
+    expected: boolean;
+    cwd?: string;
+    setup?: (cwd: string) => void;
+  };

-  it("blocks safe bins with file args", () => {
-    if (process.platform === "win32") {
-      return;
-    }
-    const dir = makeTempDir();
-    fs.writeFileSync(path.join(dir, "secret.json"), "{}");
-    const ok = isSafeBinUsage({
+  const cases: SafeBinCase[] = [
+    {
+      name: "allows safe bins with non-path args",
+      argv: ["jq", ".foo"],
+      resolvedPath: "/usr/bin/jq",
+      expected: true,
+    },
+    {
+      name: "blocks safe bins with file args",
      argv: ["jq", ".foo", "secret.json"],
-      resolution: {
-        rawExecutable: "jq",
-        resolvedPath: "/usr/bin/jq",
-        executableName: "jq",
-      },
-      safeBins: normalizeSafeBins(["jq"]),
-      cwd: dir,
-    });
-    expect(ok).toBe(false);
-  });
+      resolvedPath: "/usr/bin/jq",
+      expected: false,
+      setup: (cwd) => fs.writeFileSync(path.join(cwd, "secret.json"), "{}"),
+    },
+    {
+      name: "blocks safe bins resolved from untrusted directories",
+      argv: ["jq", ".foo"],
+      resolvedPath: "/tmp/evil-bin/jq",
+      expected: false,
+      cwd: "/tmp",
+    },
+  ];

-  it("blocks safe bins resolved from untrusted directories", () => {
+  for (const testCase of cases) {
+    it(testCase.name, () => {
+      if (process.platform === "win32") {
+        return;
+      }
+      const cwd = testCase.cwd ?? makeTempDir();
+      testCase.setup?.(cwd);
+      const ok = isSafeBinUsage({
+        argv: testCase.argv,
+        resolution: {
+          rawExecutable: "jq",
+          resolvedPath: testCase.resolvedPath,
+          executableName: "jq",
+        },
+        safeBins: normalizeSafeBins(["jq"]),
+        cwd,
+      });
+      expect(ok).toBe(testCase.expected);
+    });
+  }
+
+  it("supports injected trusted safe-bin dirs for tests/callers", () => {
    if (process.platform === "win32") {
      return;
    }
@@ -430,13 +446,14 @@ describe("exec approvals safe bins", () => {
      argv: ["jq", ".foo"],
      resolution: {
        rawExecutable: "jq",
-        resolvedPath: "/tmp/evil-bin/jq",
+        resolvedPath: "/custom/bin/jq",
        executableName: "jq",
      },
      safeBins: normalizeSafeBins(["jq"]),
+      trustedSafeBinDirs: new Set(["/custom/bin"]),
      cwd: "/tmp",
    });
-    expect(ok).toBe(false);
+    expect(ok).toBe(true);
  });
 });