claw-code/rust/crates/tools
Sam Lamrabte e8c8ef1142 Harden permission enforcement against sandbox bypasses
Close two ways the permission system could be bypassed:

- Workspace path traversal: normalize `.`/`..` lexically before the
  boundary prefix comparison so paths like `/workspace/../../etc` can no
  longer escape the sandbox. Fixed in both the runtime enforcer and the
  duplicate check in the tools PowerShell path classifier.
- read-only mode no longer trusts the leading token alone: reject shell
  metacharacters (chaining/substitution/redirect/pipe/subshell), drop
  interpreters and build drivers (python/node/ruby/cargo/rustc) from the
  allow-list, gate `git` to non-mutating subcommands, and reject `find`
  actions that execute or delete.

Adds regression tests for both holes. The pre-existing, unrelated
worker_boot git-metadata test failure is not affected by this change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-31 13:26:39 +02:00
..
src Harden permission enforcement against sandbox bypasses 2026-05-31 13:26:39 +02:00
tests Keep G002 path-scope tests aligned with enforced denials 2026-05-14 17:33:47 +09:00
.gitignore fix: auto compaction threshold default 200k tokens 2026-04-01 03:55:00 +00:00
Cargo.toml feat(tools): add LoggingAspect to unified tool dispatch entry point 2026-05-25 11:22:45 +09:00
GIT_TOOLS_README.md feat: git-aware context tools 2026-05-25 11:24:37 +09:00
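
The workspace path traversal fix described in the commit message above, sketched as an added example; it is not code from the claw-code repository. The function names, the `/workspace` root and the naive string-prefix check shown for contrast are assumptions made for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Resolve `.` and `..` lexically: no filesystem access, symlinks are not followed.
/// Returns None when `..` would climb above the root or the start of the path.
fn normalize_lexically(path: &Path) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::CurDir => {}
            Component::ParentDir => {
                // Only a normal component may be popped; the root never is.
                let can_pop = matches!(out.components().next_back(), Some(Component::Normal(_)));
                if !can_pop {
                    return None;
                }
                out.pop();
            }
            other => out.push(other.as_os_str()),
        }
    }
    Some(out)
}

/// Hypothetical boundary check: normalize both sides, then compare whole components.
fn is_within_workspace(workspace: &Path, candidate: &Path) -> bool {
    // Relative candidates resolve against the workspace; absolute ones replace it.
    let joined = workspace.join(candidate);
    match (normalize_lexically(workspace), normalize_lexically(&joined)) {
        // Path::starts_with matches whole components: /workspace-evil is not inside /workspace.
        (Some(root), Some(path)) => path.starts_with(&root),
        _ => false, // fail closed when normalization rejects the path
    }
}

/// Constructed "before" for contrast (an assumption, not the project's old code):
/// a raw string prefix test with no normalization.
fn naive_is_within(workspace: &str, candidate: &str) -> bool {
    candidate.starts_with(workspace)
}

fn main() {
    let ws = "/workspace";
    // Constructed sample paths.
    for p in ["/workspace/src/./lib.rs", "/workspace/../../etc", "/workspace-evil/x", "../outside"] {
        let ok = is_within_workspace(Path::new(ws), Path::new(p));
        println!("{:<26} naive={:<5} normalized={}", p, naive_is_within(ws, p), ok);
    }
}
```

Because the normalization is purely lexical, a symlink inside the workspace that points outside it is not caught by this check and needs separate handling.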