Skip to content

Infra: tighten exec allowlist glob matching#43798

Merged
vincentkoc merged 3 commits intomainfrom
vincentkoc-code/ghsa-f8r2-exec-allowlist-glob
Mar 12, 2026
Merged

Infra: tighten exec allowlist glob matching#43798
vincentkoc merged 3 commits intomainfrom
vincentkoc-code/ghsa-f8r2-exec-allowlist-glob

Conversation

@vincentkoc
Copy link
Member

@vincentkoc vincentkoc commented Mar 12, 2026

Summary

  • Problem: matchesExecAllowlistPattern() lowercased POSIX targets and let ? match /, so exact-looking allowlist entries could overmatch.
  • Why it matters: that weakens the exec approval boundary for security=allowlist and makes path patterns broader than reviewers expect.
  • What changed: preserve case-sensitive matching on POSIX, keep Windows case-folding, and compile ? to a single non-separator character.
  • What did NOT change (scope boundary): this does not expand the allowlist surface or change Windows realpath handling for exact patterns.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

User-visible / Behavior Changes

Users on POSIX now get case-sensitive exec allowlist matching, and ? no longer crosses directory separators.

Security Impact (required)

  • New permissions/capabilities? No
  • Secrets/tokens handling changed? No
  • New/changed network calls? No
  • Command/tool execution surface changed? Yes
  • Data access scope changed? No
  • If any Yes, explain risk + mitigation: exec allowlist matching is stricter, with regression coverage for the two overmatch cases.

Repro + Verification

Environment

  • OS: macOS
  • Runtime/container: Node 22 + pnpm
  • Model/provider: N/A
  • Integration/channel (if any): N/A
  • Relevant config (redacted): exec allowlist patterns

Steps

  1. Match /tmp/Allowed-Tool against /tmp/allowed-tool on POSIX.
  2. Match /tmp/a?b against /tmp/a/b.
  3. Run the new regression tests.

Expected

  • POSIX matching stays case-sensitive, and ? only matches within a single path segment.

Actual

  • Before this patch both cases returned true; after the patch both return false.

Evidence

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

  • Verified scenarios: reproduced both overmatches with a direct tsx probe, then reran pnpm test -- src/infra/exec-allowlist-pattern.test.ts after the fix.
  • Edge cases checked: positive ? matching within a segment still works.
  • What you did not verify: Windows runtime behavior on a live Windows host.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? Yes
  • Config/env changes? No
  • Migration needed? No
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert this PR.
  • Files/config to restore: src/infra/exec-allowlist-pattern.ts
  • Known bad symptoms reviewers should watch for: previously tolerated mixed-case POSIX allowlist matches will stop matching.

Risks and Mitigations

  • Risk: a workflow may have relied on permissive POSIX case folding or slash-crossing ? matches.
  • Mitigation: behavior now matches standard path-glob expectations and is covered by focused regression tests.

@vincentkoc vincentkoc self-assigned this Mar 12, 2026
@openclaw-barnacle openclaw-barnacle bot added size: XS maintainer Maintainer-authored PR labels Mar 12, 2026
@vincentkoc vincentkoc marked this pull request as ready for review March 12, 2026 07:33
@vincentkoc vincentkoc merged commit 82e3ac2 into main Mar 12, 2026
11 checks passed
@vincentkoc vincentkoc deleted the vincentkoc-code/ghsa-f8r2-exec-allowlist-glob branch March 12, 2026 07:33
@greptile-apps
Copy link
Contributor

greptile-apps bot commented Mar 12, 2026

Greptile Summary

This PR tightens the exec allowlist glob matching in src/infra/exec-allowlist-pattern.ts with two focused security hardening fixes: POSIX case sensitivity is now preserved (by removing .toLowerCase() from the non-Windows normalization path) and ? is no longer allowed to cross path-separator boundaries (compiling to [^/] instead of .). The regex flag is now platform-gated, applying "i" only on Windows. These changes make the allowlist matching stricter, which is the correct direction for a security boundary.

Key observations:

  • Both fixes are logically correct and minimal in scope.
  • The new exec-allowlist-pattern.test.ts file provides focused regression coverage for the two overmatches described in the PR.
  • The globRegexCache is keyed only on the normalized pattern string; this is safe at runtime since process.platform is constant, but it's an implicit assumption worth documenting.
  • No test covers Windows case-insensitive behavior in this test file (acknowledged by the author); a ** cross-segment smoke test would also improve confidence that adjacent logic was not disturbed.
  • The normalizeMatchTarget function is applied to both the pattern and the target before matching — pre-existing behavior, unaffected by this PR but slightly confusing given the function name.

Confidence Score: 5/5

  • This PR is safe to merge; it strictly tightens security behavior with no new surface area.
  • The changes are minimal (3 one-line edits), directly fix two documented over-match vulnerabilities (case folding and ? crossing separators), add regression tests for both cases, and have no effect on unrelated code paths. The only concerns raised are style-level (cache documentation, missing edge-case tests) rather than correctness issues.
  • No files require special attention beyond the optional improvements noted in the review comments.
Prompt To Fix All With AI 
This is a comment left during a code review.
Path: src/infra/exec-allowlist-pattern.ts
Line: 58

Comment:
**Regex cache not keyed on platform**

The `globRegexCache` stores compiled regexes keyed only on the *normalized pattern string*. The regex flags (case-insensitive `"i"` vs. empty string) are baked in at compile time and depend on `process.platform`. This is fine for production (the platform is a process-level constant), but it means tests that mock `process.platform` mid-run and then call `compileGlobRegex` with a previously-cached pattern key would silently receive the wrong flags from the stale cache entry.

Consider keying the cache on both the pattern and the platform, or annotating this with a comment making the assumption explicit:

```suggestion
  const compiled = new RegExp(regex, process.platform === "win32" ? "i" : "");
  // NOTE: cache key is the normalized pattern string; this is safe because
  // process.platform is constant for the lifetime of the process.
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/infra/exec-allowlist-pattern.test.ts
Line: 5-14

Comment:
**Missing coverage for `**` glob and Windows case-insensitivity**

The new tests cover the two regressed scenarios well. A couple of additional cases would give higher confidence that the surrounding logic wasn't accidentally perturbed:

1. **`**` still crosses separators** — the `?` change touched adjacent `*`/`**` logic; a test like `matchesExecAllowlistPattern("/tmp/**/tool", "/tmp/a/b/tool")` should still return `true`.
2. **Windows case-insensitivity** — there is no `it.runIf(process.platform === "win32")` assertion verifying that the `"i"` flag path is exercised. Even a comment noting it is acceptable given the PR's stated scope, but the gap is worth tracking.

How can I resolve this? If you propose a fix, please make it concise.

Last reviewed commit: f5c1aaa

greptile-apps[bot]
greptile-apps bot reviewed Mar 12, 2026
View reviewed changes
@github-actions github-actions bot mentioned this pull request Mar 12, 2026
Open
GGzili pushed a commit to GGzili/moltbot that referenced this pull request Mar 12, 2026
@vincentkoc
Infra: tighten exec allowlist glob matching (openclaw#43798)
0d3165b 
* Infra: tighten exec allowlist glob matching

* Changelog: note GHSA-f8r2 exec allowlist fix
steipete pushed a commit to BruceMacD/openclaw that referenced this pull request Mar 13, 2026
@vincentkoc @steipete
Infra: tighten exec allowlist glob matching (openclaw#43798)
457868f 
* Infra: tighten exec allowlist glob matching

* Changelog: note GHSA-f8r2 exec allowlist fix
@jasonftl jasonftl mentioned this pull request Mar 14, 2026
Open
Interstellar-code pushed a commit to Interstellar-code/operator1 that referenced this pull request Mar 16, 2026
@vincentkoc
Infra: tighten exec allowlist glob matching (openclaw#43798)
dad4403 
* Infra: tighten exec allowlist glob matching

* Changelog: note GHSA-f8r2 exec allowlist fix

(cherry picked from commit 82e3ac2)
Interstellar-code pushed a commit to Interstellar-code/operator1 that referenced this pull request Mar 16, 2026
@vincentkoc
Infra: tighten exec allowlist glob matching (openclaw#43798)
1195b96 
* Infra: tighten exec allowlist glob matching

* Changelog: note GHSA-f8r2 exec allowlist fix

(cherry picked from commit 82e3ac2)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@vincentkoc vincentkoc

Labels

maintainer Maintainer-authored PR size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vincentkoc