fix(approval): extend sensitive write target to cover shell RC and credential files#19282
Merged
Terminal commands can write to shell RC files (~/.bashrc, ~/.zshrc,
~/.profile) and credential files (~/.netrc, ~/.pgpass, ~/.npmrc,
~/.pypirc) via redirection or tee without triggering approval, even
though write_file already blocks these paths in file_safety.py.
This creates an inconsistency: write_file protects these paths but
terminal shell redirections bypass the same protection. An agent
prompted via indirect injection could install persistent backdoors
(e.g. PATH manipulation, alias overrides) or write credential entries
without user approval.
Extend _SENSITIVE_WRITE_TARGET with two new regex groups matching the
same paths that file_safety.py's WRITE_DENIED_PATHS already covers:
_SHELL_RC_FILES — ~/.bashrc, ~/.zshrc, ~/.profile, ~/.bash_profile,
~/.zprofile
_CREDENTIAL_FILES — ~/.netrc, ~/.pgpass, ~/.npmrc, ~/.pypirc
All 130 existing tests pass.
Salvage of #19240 by @JasonOA888 onto current main. Closes the terminal-vs-write_file inconsistency where
echo >> ~/.bashrc, tee -a ~/.netrc, etc. bypassed the approval gate even though write_file blocks those exact paths via file_safety.py.

Changes

tools/approval.py: add _SHELL_RC_FILES and _CREDENTIAL_FILES alternatives to _SENSITIVE_WRITE_TARGET (+11/-1)

Validation

~/.bashrc, ~/.zshrc, ~/.profile, ~/.bash_profile, ~/.netrc, ~/.pgpass, ~/.npmrc, ~/.pypirc) now trigger approval; 3 normal writes (/tmp/, ~/regular.txt, ~/notes/) still pass through.

Closes #19240. Authorship preserved via cherry-pick.
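A re-creation of the check this PR describes, as added example code rather than the project's own tools/approval.py: the two path groups are combined into one sensitive-write regex that only fires on redirection or tee targets, then run over constructed commands including the ordinary writes the validation says must still pass. The names _HOME, needs_approval, classify and SAMPLE_COMMANDS are my own assumptions, not identifiers from the project.

```python
import re

# Hypothetical re-creation of the approval-gate pattern the PR describes.
# Illustrative code only, not the project's _SENSITIVE_WRITE_TARGET.
_HOME = r"(?:~|\$HOME|/home/[^/\s'\"]+|/Users/[^/\s'\"]+)"
_SHELL_RC_FILES = _HOME + r"/\.(?:bashrc|zshrc|profile|bash_profile|zprofile)"
_CREDENTIAL_FILES = _HOME + r"/\.(?:netrc|pgpass|npmrc|pypirc)"

# Flag a write when a redirection (> or >>) or a tee invocation names one of
# the paths above as its target. Reading the same files is not flagged.
_SENSITIVE_WRITE_TARGET = re.compile(
    r"(?:>>?\s*|\btee\s+(?:-[A-Za-z]+\s+)*)"   # write operator or tee [flags]
    r"['\"]?(?:" + _SHELL_RC_FILES + "|" + _CREDENTIAL_FILES + r")"
    r"['\"]?(?![\w.-])"                        # whole filename only (not ~/.bashrc.bak)
)


def needs_approval(command: str) -> bool:
    """True if the shell command writes to a shell RC or credential file."""
    return _SENSITIVE_WRITE_TARGET.search(command) is not None


# Constructed sample commands: the first four mirror the kinds of writes the PR
# says now require approval; the rest are ordinary writes and reads that pass.
SAMPLE_COMMANDS = [
    "echo 'export EDITOR=vim' >> ~/.bashrc",
    "echo 'machine example.com login bob' | tee -a ~/.netrc",
    'echo "registry=https://registry.example.com/" > "$HOME/.npmrc"',
    "cat creds.txt >/home/alice/.pgpass",
    "echo hi > /tmp/out.txt",
    "echo hi >> ~/regular.txt",
    "date > ~/notes/today.txt",
    "cat ~/.bashrc",
    "cp ~/.bashrc ~/.bashrc.bak && echo ok >> ~/.bashrc.bak",
]


def classify(commands):
    """Return (command, needs_approval) pairs for a batch of commands."""
    return [(cmd, needs_approval(cmd)) for cmd in commands]


if __name__ == "__main__":
    for cmd, flagged in classify(SAMPLE_COMMANDS):
        print(f"{'APPROVAL' if flagged else 'allow   '}  {cmd}")
```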