Skip to content

fix: require word boundary for Bash(cmd *) permission wildcard#156

Open
failsafesecurity wants to merge 1 commit into
openonion:mainfrom
failsafesecurity:fix/find-002-bash-prefix-boundary
Open

fix: require word boundary for Bash(cmd *) permission wildcard#156
failsafesecurity wants to merge 1 commit into
openonion:mainfrom
failsafesecurity:fix/find-002-bash-prefix-boundary

Conversation

@failsafesecurity

Copy link
Copy Markdown

Problem

matches_permission_pattern() matches the Bash(cmd *) wildcard with actual_cmd.startswith(prefix) and no word boundary, so a permission scoped to one command family also authorizes unrelated commands sharing the prefix:

Bash(git *) -> matches 'gitleaks --dump-secrets'   (should not)
Bash(ls *)  -> matches 'lsof -i'                     (should not)
Bash(cat *) -> matches 'catnip /etc/passwd'          (should not)

This widens the auto-approved command set beyond operator intent (CWE-863). Severity is constrained by needing such a wildcard in config plus a useful prefix-sharing binary, so this is a hardening fix.

Fix

Require an exact match or a trailing space after the prefix:

if actual_cmd == prefix or actual_cmd.startswith(prefix + ' '):
    return True

Test Plan

  • Existing test suite passes (pytest tests/unit/test_tool_approval.py, Python >=3.10)
  • Bash(git *) matches git and git status, but NOT gitleaks --dump
  • Bash(ls *) does NOT match lsof -i

Security Note

Low/hardening, CWE-863 (Incorrect Authorization). Reported by FailSafe Researcher (authorized security review).

matches_permission_pattern matched the Bash(cmd *) wildcard with
actual_cmd.startswith(prefix), so Bash(git *) also authorized unrelated
commands sharing the prefix (e.g. gitleaks), and Bash(ls *) authorized
lsof. Require an exact match or a trailing space after the prefix so the
wildcard only matches the intended command family.

Signed-off-by: FailSafe Researcher <joshua@getfailsafe.com>
@failsafesecurity

Copy link
Copy Markdown
Author

Hi maintainers 👋 — friendly follow-up on this security hardening PR. It has been open for a while with no reviewer feedback yet. Happy to address any concerns or adjust the approach. Thanks!

@failsafesecurity

Copy link
Copy Markdown
Author

Thanks for reviewing this security fix. Just a friendly ping — this PR has been open for a while. Happy to adjust the approach if you have any concerns. No rush, just want to make sure it stays on your radar.

@sanmaxdev sanmaxdev left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The behavior change is right, but this should add a regression test next to test_bash_command_prefix_wildcard. That would lock the allow case for git status and the reject case for gitleaks detect.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants