fix(exec): keep awk and sed out of safeBins fast path (#58175)

* wip(exec): preserve safe-bin semantics progress * test(exec): cover safe-bin semantic variants * fix(exec): address safe-bin review follow-up
2026-05-04 12:00:24 +00:00 · 2026-03-31 19:29:53 +09:00
parent 330a9f98cb
commit 57fccca2dc
7 changed files with 177 additions and 4 deletions
--- a/src/infra/exec-safe-bin-semantics.test.ts
+++ b/src/infra/exec-safe-bin-semantics.test.ts
@@ -0,0 +1,85 @@
+import { describe, expect, it } from "vitest";
+import {
+  listRiskyConfiguredSafeBins,
+  validateSafeBinSemantics,
+} from "./exec-safe-bin-semantics.js";
+
+describe("exec safe-bin semantics", () => {
+  it("rejects awk and sed variants even when configured via path-like entries", () => {
+    expect(
+      validateSafeBinSemantics({
+        binName: "/opt/homebrew/bin/gawk",
+        positional: ['BEGIN { system("id") }'],
+      }),
+    ).toBe(false);
+    expect(
+      validateSafeBinSemantics({
+        binName: "C:\\Tools\\mawk.exe",
+        positional: ['BEGIN { print ENVIRON["HOME"] }'],
+      }),
+    ).toBe(false);
+    expect(
+      validateSafeBinSemantics({
+        binName: "nawk",
+        positional: ['BEGIN { print "hi" > "/tmp/out" }'],
+      }),
+    ).toBe(false);
+    expect(
+      validateSafeBinSemantics({
+        binName: "/usr/local/bin/gsed",
+        positional: ["e"],
+      }),
+    ).toBe(false);
+  });
+
+  it("reports normalized risky configured safe bins once per executable family member", () => {
+    expect(
+      listRiskyConfiguredSafeBins([
+        " Awk ",
+        "/opt/homebrew/bin/gawk",
+        "C:\\Tools\\mawk.exe",
+        "nawk",
+        "sed",
+        "/usr/local/bin/gsed",
+        "jq",
+        "jq",
+      ]),
+    ).toEqual([
+      {
+        bin: "awk",
+        warning:
+          "awk-family interpreters can execute commands, access ENVIRON, and write files, so prefer explicit allowlist entries or approval-gated runs instead of safeBins.",
+      },
+      {
+        bin: "gawk",
+        warning:
+          "awk-family interpreters can execute commands, access ENVIRON, and write files, so prefer explicit allowlist entries or approval-gated runs instead of safeBins.",
+      },
+      {
+        bin: "gsed",
+        warning:
+          "sed scripts can execute commands and write files, so prefer explicit allowlist entries or approval-gated runs instead of safeBins.",
+      },
+      {
+        bin: "jq",
+        warning:
+          "jq supports broad jq programs and builtins (for example `env`), so prefer explicit allowlist entries or approval-gated runs instead of safeBins.",
+      },
+      {
+        bin: "mawk",
+        warning:
+          "awk-family interpreters can execute commands, access ENVIRON, and write files, so prefer explicit allowlist entries or approval-gated runs instead of safeBins.",
+      },
+      {
+        bin: "nawk",
+        warning:
+          "awk-family interpreters can execute commands, access ENVIRON, and write files, so prefer explicit allowlist entries or approval-gated runs instead of safeBins.",
+      },
+      {
+        bin: "sed",
+        warning:
+          "sed scripts can execute commands and write files, so prefer explicit allowlist entries or approval-gated runs instead of safeBins.",
+      },
+    ]);
+  });
+});