Skip to content

af validate: warn on run allowlist entries that defeat the permission model #48

Description

@RatulMaharaj

The run_bash static analysis checks the executable at the head of each pipe/chain segment and can't see into arguments. This means certain permissions.run grants quietly weaken or collapse the model:

  • Shells and interpreters (bash, sh, python, node, deno): granting one lets bash -c '<anything>' / python -c '...' through with the inner command carried as an opaque string. The allowlist stops meaning anything.
  • Wrappers and exec flags (env, xargs, nice, timeout, find with -exec): same effect through argument execution.
  • Network-capable binaries (curl, wget, ssh, and even gh): until per-agent egress policy lands, these are an implicit net: ["*"], since subprocess traffic bypasses permissions.net.

af validate (and startup) should surface this:

  • warn, or possibly refuse, on shells/interpreters/wrappers in permissions.run
  • warn on known network-capable binaries, noting that their egress is unrestricted at the app layer

Context: gap 5 and the open questions in plans/006-security.md; user-facing notes in docs/permissions.md ("Static analysis of shell commands") and docs/permission-model.md ("Where the boundaries stop today").

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions