Skip to content

fix(policy): keep wildcard allowlist entries literal in policy_evaluate (set -f)#52

Open
Pyronewbic wants to merge 1 commit into
mainfrom
fix/policy-allowlist-noglob
Open

fix(policy): keep wildcard allowlist entries literal in policy_evaluate (set -f)#52
Pyronewbic wants to merge 1 commit into
mainfrom
fix/policy-allowlist-noglob

Conversation

@Pyronewbic

Copy link
Copy Markdown
Owner

Closes the bug-hunt major: policy_evaluate glob-corrupted the enforced egress allowlist.

The bug

policy_evaluate iterated the merged allowlist with for h in $merged (and the _PEVAL_EFFECTIVE / ALLOW_IPS loops) without set -f, under the launcher's default glob-on. A documented glob-leading wildcard like *.s3.amazonaws.com was pathname-expanded against the invocation $PWD. Since apply_policy assigns SLUICE_ALLOW_DOMAINS from _PEVAL_EFFECTIVE, this corrupted the enforced allowlist on the run/build/shell path:

  • a legit wildcard silently dropped when nothing in CWD matched, or
  • got replaced by a sandbox-planted matching filename.

The same file already uses set -f for exactly this everywhere else (its own comment says "keep a wildcard like *.s3.amazonaws.com literal").

Fix

Wrap the three split loops in one set -f span. The case-based deny/allow/laundering matchers still glob-MATCH under set -f (it disables pathname expansion only), so policy refusals are unaffected -- the review fuzzed this (a .githubusercontent.com allow still covers a deny gist.githubusercontent.com; the laundering note still fires). Also set -f'd the display-only loops (doctor/ls SLUICE_STATE_DIRS/ENV, cmd_ls --json ports).

Verification

  • verify-policy-unit.bats Test restructure: cost-lane Makefile/CI split, box-harness helper, coverage gaps #22 -- deterministic (two planted *.s3.amazonaws.com files in CWD), proven RED against old bin/sluice (old yields the filenames; fixed yields the literal wildcard).
  • Matchers confirmed unaffected under set -f; doctor shows the literal wildcard + the laundering note.
  • Gate: build-check in sync, lint clean, test-unit 179/179.
  • docs/policy.md notes literal-wildcard / CWD-independence; no THREAT_MODEL change (correctness fix, no stated guarantee altered).

…te (set -f)

policy_evaluate iterated the merged allowlist with `for h in $merged` (and the
_PEVAL_EFFECTIVE / ALLOW_IPS loops) without set -f, so a documented glob-leading wildcard
like *.s3.amazonaws.com was pathname-expanded against the invocation $PWD. apply_policy
assigns SLUICE_ALLOW_DOMAINS from _PEVAL_EFFECTIVE, so this corrupted the ENFORCED egress
allowlist on the run/build/shell path: a legit wildcard silently dropped when nothing
matched, or got replaced by a sandbox-planted matching filename.

Wrap the three split loops in one set -f span (matching the file's own discipline
elsewhere). The case-based deny/allow/laundering matchers still glob-MATCH under set -f
(set -f disables pathname expansion only), so policy refusals are unaffected.

Also set -f the display-only loops (doctor/ls SLUICE_STATE_DIRS/ENV, cmd_ls --json ports).

verify-policy-unit.bats #22 (deterministic, two planted files) guards it, proven RED
against old; docs/policy.md notes the literal-wildcard / CWD-independence.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant