fix(security): harden safeBins stdin-only enforcement

Peter Steinberger
2026-02-19 14:07:43 +01:00
parent 3c127b6eac
commit cfe8457a0f
6 changed files with 200 additions and 7 deletions

@@ -124,6 +124,8 @@ are treated as allowlisted on nodes (macOS node or headless node host). This use
`tools.exec.safeBins` defines a small list of **stdin-only** binaries (for example `jq`)
that can run in allowlist mode **without** explicit allowlist entries. Safe bins reject
positional file args and path-like tokens, so they can only operate on the incoming stream.
Safe bins also enforce explicit per-binary flag policy for options that break stdin-only
behavior (for example `sort -o/--output` and grep recursive flags).
Safe bins also force argv tokens to be treated as **literal text** at execution time (no globbing
and no `$VARS` expansion) for stdin-only segments, so patterns like `*` or `$HOME/...` cannot be
used to smuggle file reads.
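Review bot: the per-binary flag-policy sentence ("Safe bins also enforce explicit per-binary flag policy ...") uses `sort -o/--output` and grep recursive flags as its examples, but the second hunk of this same commit removes `grep` and `sort` from the default safe-bin list; say here that the flag policy applies to those binaries only once they are opted in, otherwise readers will look for a default that no longer exists. While touching the literal-text sentence, it would also help to state whether `~` (tilde) expansion is suppressed alongside globbing and `$VARS` expansion, since the sentence currently names only those two.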
@@ -136,7 +138,10 @@ Shell chaining (`&&`, `||`, `;`) is allowed when every top-level segment satisfi
Command substitution (`$()` / backticks) is rejected during allowlist parsing, including inside
double quotes; use single quotes if you need literal `$()` text.
Default safe bins: `jq`, `grep`, `cut`, `sort`, `uniq`, `head`, `tail`, `tr`, `wc`.
Default safe bins: `jq`, `cut`, `uniq`, `head`, `tail`, `tr`, `wc`.
`grep` and `sort` are not in the default list. If you opt in, keep explicit allowlist entries for
their non-stdin workflows.
## Control UI editing
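Review bot: the new paragraph "`grep` and `sort` are not in the default list. If you opt in, keep explicit allowlist entries ..." tells readers to opt in without naming the mechanism; state that opting in means adding the binary to `tools.exec.safeBins` (the key described in the previous hunk) and that the `sort -o/--output` and grep recursive-flag policy still applies once they are added. Also consider a one-line note on why the two were dropped from the defaults, since the old "Default safe bins" line that included them is removed here without explanation in the rendered text.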