fix(security): harden exec wrapper allowlist execution parity

2026-05-02 17:30:21 +00:00 · 2026-02-24 01:51:33 +00:00
parent 5eb72ab769
commit a1c4bf07c6
12 changed files with 289 additions and 65 deletions
--- a/src/node-host/invoke-system-run.ts
+++ b/src/node-host/invoke-system-run.ts
@@ -198,10 +198,40 @@ export async function handleSystemRunInvoke(opts: {
    return;
  }

+  let plannedAllowlistArgv: string[] | undefined;
+  if (
+    security === "allowlist" &&
+    !policy.approvedByAsk &&
+    !shellCommand &&
+    policy.analysisOk &&
+    policy.allowlistSatisfied &&
+    segments.length === 1
+  ) {
+    plannedAllowlistArgv = segments[0]?.resolution?.effectiveArgv;
+    if (!plannedAllowlistArgv || plannedAllowlistArgv.length === 0) {
+      await opts.sendNodeEvent(
+        opts.client,
+        "exec.denied",
+        opts.buildExecEventPayload({
+          sessionKey,
+          runId,
+          host: "node",
+          command: cmdText,
+          reason: "execution-plan-miss",
+        }),
+      );
+      await opts.sendInvokeResult({
+        ok: false,
+        error: { code: "UNAVAILABLE", message: "SYSTEM_RUN_DENIED: execution plan mismatch" },
+      });
+      return;
+    }
+  }
+
  const useMacAppExec = opts.preferMacAppExecHost;
  if (useMacAppExec) {
    const execRequest: ExecHostRequest = {
-      command: argv,
+      command: plannedAllowlistArgv ?? argv,
      rawCommand: rawCommand || shellCommand || null,
      cwd: opts.params.cwd ?? null,
      env: envOverrides ?? null,
@@ -315,7 +345,7 @@ export async function handleSystemRunInvoke(opts: {
    return;
  }

-  let execArgv = argv;
+  let execArgv = plannedAllowlistArgv ?? argv;
  if (
    security === "allowlist" &&
    isWindows &&