fix(node-host): harden pnpm approval binding

2026-05-04 19:40:22 +00:00 · 2026-03-13 12:57:21 +00:00
parent af4731aa5f
commit 2f03de029c
4 changed files with 79 additions and 11 deletions
--- a/src/node-host/invoke-system-run-plan.test.ts
+++ b/src/node-host/invoke-system-run-plan.test.ts
@@ -40,6 +40,7 @@ type RuntimeFixture = {
  initialBody: string;
  expectedArgvIndex: number;
  binName?: string;
+  binNames?: string[];
 };

 function createScriptOperandFixture(tmp: string, fixture?: RuntimeFixture): ScriptOperandFixture {
@@ -356,6 +357,20 @@ describe("hardenApprovedExecutionPaths", () => {
      initialBody: 'console.log("SAFE");\n',
      expectedArgvIndex: 3,
    },
+    {
+      name: "pnpm reporter exec tsx file",
+      argv: ["pnpm", "--reporter", "silent", "exec", "tsx", "./run.ts"],
+      scriptName: "run.ts",
+      initialBody: 'console.log("SAFE");\n',
+      expectedArgvIndex: 5,
+    },
+    {
+      name: "pnpm reporter-equals exec tsx file",
+      argv: ["pnpm", "--reporter=silent", "exec", "tsx", "./run.ts"],
+      scriptName: "run.ts",
+      initialBody: 'console.log("SAFE");\n',
+      expectedArgvIndex: 4,
+    },
    {
      name: "pnpm js shim exec tsx file",
      argv: ["./pnpm.js", "exec", "tsx", "./run.ts"],
@@ -370,6 +385,22 @@ describe("hardenApprovedExecutionPaths", () => {
      initialBody: 'console.log("SAFE");\n',
      expectedArgvIndex: 4,
    },
+    {
+      name: "pnpm node file",
+      argv: ["pnpm", "node", "./run.js"],
+      scriptName: "run.js",
+      initialBody: 'console.log("SAFE");\n',
+      expectedArgvIndex: 2,
+      binNames: ["pnpm", "node"],
+    },
+    {
+      name: "pnpm node double-dash file",
+      argv: ["pnpm", "node", "--", "./run.js"],
+      scriptName: "run.js",
+      initialBody: 'console.log("SAFE");\n',
+      expectedArgvIndex: 3,
+      binNames: ["pnpm", "node"],
+    },
    {
      name: "npx tsx file",
      argv: ["npx", "tsx", "./run.ts"],
@@ -395,9 +426,9 @@ describe("hardenApprovedExecutionPaths", () => {

  for (const runtimeCase of mutableOperandCases) {
    it(`captures mutable ${runtimeCase.name} operands in approval plans`, () => {
-      const binNames = runtimeCase.binName
-        ? [runtimeCase.binName]
-        : ["bunx", "pnpm", "npm", "npx", "tsx"];
+      const binNames =
+        runtimeCase.binNames ??
+        (runtimeCase.binName ? [runtimeCase.binName] : ["bunx", "pnpm", "npm", "npx", "tsx"]);
      withFakeRuntimeBins({
        binNames,
        run: () => {