fix: require word boundary for Bash(cmd *) permission wildcard#156
Open
failsafesecurity wants to merge 1 commit into
Open
fix: require word boundary for Bash(cmd *) permission wildcard#156failsafesecurity wants to merge 1 commit into
failsafesecurity wants to merge 1 commit into
Conversation
matches_permission_pattern matched the Bash(cmd *) wildcard with actual_cmd.startswith(prefix), so Bash(git *) also authorized unrelated commands sharing the prefix (e.g. gitleaks), and Bash(ls *) authorized lsof. Require an exact match or a trailing space after the prefix so the wildcard only matches the intended command family. Signed-off-by: FailSafe Researcher <joshua@getfailsafe.com>
Author
|
Hi maintainers 👋 — friendly follow-up on this security hardening PR. It has been open for a while with no reviewer feedback yet. Happy to address any concerns or adjust the approach. Thanks! |
Author
|
Thanks for reviewing this security fix. Just a friendly ping — this PR has been open for a while. Happy to adjust the approach if you have any concerns. No rush, just want to make sure it stays on your radar. |
sanmaxdev
reviewed
Jul 4, 2026
sanmaxdev
left a comment
There was a problem hiding this comment.
The behavior change is right, but this should add a regression test next to test_bash_command_prefix_wildcard. That would lock the allow case for git status and the reject case for gitleaks detect.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
matches_permission_pattern()matches theBash(cmd *)wildcard withactual_cmd.startswith(prefix)and no word boundary, so a permission scoped to one command family also authorizes unrelated commands sharing the prefix:This widens the auto-approved command set beyond operator intent (CWE-863). Severity is constrained by needing such a wildcard in config plus a useful prefix-sharing binary, so this is a hardening fix.
Fix
Require an exact match or a trailing space after the prefix:
Test Plan
pytest tests/unit/test_tool_approval.py, Python >=3.10)Bash(git *)matchesgitandgit status, but NOTgitleaks --dumpBash(ls *)does NOT matchlsof -iSecurity Note
Low/hardening, CWE-863 (Incorrect Authorization). Reported by FailSafe Researcher (authorized security review).