* fix(security): use icacls /sid for locale-independent Windows ACL audit
On non-English Windows editions (Russian, Chinese, etc.) icacls prints
account names in the system locale. When Node.js reads the output in a
different code page the strings are garbled (e.g. "NT AUTHORITY\???????"
for "NT AUTHORITY\СИСТЕМА"), causing summarizeWindowsAcl to classify SYSTEM
and Administrators as untrusted and flag the config files as "others
writable" — a false-positive security alert.
Fix:
1. Pass /sid to icacls so it outputs security identifiers (*S-1-5-X-...)
instead of locale-dependent account names.
2. Extend SID_RE to accept the leading * that icacls prepends to SIDs in
/sid mode: /^\*?s-\d+-\d+(-\d+)+$/i
3. Strip the * before looking up the bare SID in TRUSTED_SIDS / the
per-user USERSID set so *S-1-5-18 is correctly classified as SYSTEM
(trusted) and *S-1-5-32-544 as Administrators (trusted).
Tests:
- Update the inspectWindowsAcl "returns parsed ACL entries" assertion to
expect the /sid flag in the icacls call.
- Add "classifies *S-1-5-18 (icacls /sid prefix form of SYSTEM) as trusted"
SID classification test.
- Add "classifies *S-1-5-32-544 (icacls /sid Administrators) as trusted".
- Add inspectWindowsAcl end-to-end test with /sid-format mock output
(*S-1-5-18, *S-1-5-32-544, user SID) — all three classified as trusted.
Fixes #35834
* fix(security): classify world-equivalent SIDs as 'world' when using icacls /sid
When icacls is invoked with /sid, world-equivalent principals like
Everyone, Authenticated Users, and BUILTIN\Users are emitted as raw
SIDs (*S-1-1-0, *S-1-5-11, *S-1-5-32-545). classifyPrincipal() had
no SID-based mapping for these, so they fell through to the generic
'group' category instead of 'world', silently downgrading security
findings that should trigger world-write/world-readable alerts.
Fix: add a WORLD_SIDS constant and check it before falling back to
'group'. Add three regression tests to lock in the behaviour.
* Security: resolve owner SID fallback for Windows ACL audit
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
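
The SID handling described in the three Windows ACL commit messages above, as an added sketch that is not the project's own code. The regex and the well-known SIDs are the ones quoted in those messages; the function names, the sample icacls output, the user SID and the choice of F/M/W as write rights are assumptions made for this example.

```javascript
// Added illustration, not the project's implementation.
const SID_RE = /^\*?s-\d+-\d+(-\d+)+$/i; // regex quoted in the commit message
const TRUSTED_SIDS = new Set(["S-1-5-18", "S-1-5-32-544"]); // SYSTEM, Administrators
const WORLD_SIDS = new Set(["S-1-1-0", "S-1-5-11", "S-1-5-32-545"]); // Everyone, Authenticated Users, BUILTIN\Users
const WRITE_RIGHTS = new Set(["F", "M", "W"]); // assumption: full, modify, write

// Classify one principal as printed by `icacls <path> /sid`.
function classifySid(principal, userSids = new Set()) {
  if (!SID_RE.test(principal)) return "unknown"; // e.g. a garbled localized name
  const sid = principal.replace(/^\*/, "").toUpperCase(); // strip the /sid-mode "*"
  if (TRUSTED_SIDS.has(sid) || userSids.has(sid)) return "trusted";
  if (WORLD_SIDS.has(sid)) return "world"; // checked before the generic fallback
  return "group";
}

// Parse "<principal>:(flag)(flag)..." entries; the summary line does not match.
function parseIcaclsSid(output, target) {
  const entries = [];
  for (let line of output.split(/\r?\n/)) {
    if (line.startsWith(target)) line = line.slice(target.length);
    const m = /^(\S+):((?:\([^)]*\))+)$/.exec(line.trim());
    if (m) entries.push({ principal: m[1], rights: m[2].slice(1, -1).split(")(") });
  }
  return entries;
}

// Combine both steps: category plus whether the entry grants a write right.
function auditAcl(output, target, userSids) {
  return parseIcaclsSid(output, target).map((e) => ({
    principal: e.principal,
    category: classifySid(e.principal, userSids),
    writable: e.rights.some((r) => WRITE_RIGHTS.has(r)),
  }));
}

// Constructed sample output and user SID (not captured from a real host).
const TARGET = "C:\\cfg\\app.json";
const USER_SIDS = new Set(["S-1-5-21-1111111111-2222222222-3333333333-1001"]);
const SAMPLE = [
  TARGET + " *S-1-5-18:(I)(F)",
  "                 *S-1-5-32-544:(I)(F)",
  "                 *S-1-5-21-1111111111-2222222222-3333333333-1001:(I)(F)",
  "                 *S-1-5-32-545:(I)(RX)",
  "                 *S-1-1-0:(M)",
  "",
  "Successfully processed 1 files; Failed processing 0 files",
].join("\r\n");

console.log(auditAcl(SAMPLE, TARGET, USER_SIDS));
```
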
* fix(telegram): resolve session entry for /stop in forum topics
Fixes #38675
- Export normalizeStoreSessionKey from store.ts for reuse
- Use it in resolveSessionEntryForKey so topic session keys (lowercase
in store) are found when handling /stop
- Add test for forum topic session key lookup
* fix(telegram): share native topic routing with inbound messages
* fix: land telegram topic routing follow-up (#38871)
---------
Co-authored-by: xialonglee <li.xialong@xydigit.com>
The nodes tool was passing rawCommand: formatExecCommand(command) to
system.run.prepare, which produced the full formatted argv string
(e.g. 'powershell -Command "echo hello"'). However,
validateSystemRunCommandConsistency() recognizes shell wrappers like
powershell/bash and extracts the inner command as the 'inferred' value
(e.g. 'echo hello'). This caused a rawCommand vs inferred mismatch,
breaking all nodes run commands with shell wrappers.
The fix removes the explicit rawCommand parameter, letting the
validation correctly infer the command text from the argv array.
Fixes #33080