






















@@ -304,73 +304,65 @@ allowlist entries for their non-stdin workflows. For `grep` in safe-bin mode,
304304provide the pattern with `-e`/`--regexp`; positional pattern form is rejected
305305so file operands cannot be smuggled as ambiguous positionals.
306306307-<AccordionGroup>
308-<Accordion title="Argv validation and denied flags">
309-Validation is deterministic from argv shape only (no host filesystem
310-existence checks), which prevents file-existence oracle behavior from
311-allow/deny differences. File-oriented options are denied for default safe
312-bins; long options are validated fail-closed (unknown flags and ambiguous
313-abbreviations are rejected).
307+### Argv validation and denied flags
314308315-Denied flags by safe-bin profile:
309+Validation is deterministic from argv shape only (no host filesystem existence
310+checks), which prevents file-existence oracle behavior from allow/deny
311+differences. File-oriented options are denied for default safe bins; long
312+options are validated fail-closed (unknown flags and ambiguous abbreviations are
313+rejected).
316314317-[//]: # "SAFE_BIN_DENIED_FLAGS:START"
315+Denied flags by safe-bin profile:
316+317+[//]: # "SAFE_BIN_DENIED_FLAGS:START"
318318319319- `grep`: `--dereference-recursive`, `--directories`, `--exclude-from`, `--file`, `--recursive`, `-R`, `-d`, `-f`, `-r`
320320- `jq`: `--argfile`, `--from-file`, `--library-path`, `--rawfile`, `--slurpfile`, `-L`, `-f`
321321- `sort`: `--compress-program`, `--files0-from`, `--output`, `--random-source`, `--temporary-directory`, `-T`, `-o`
322322- `wc`: `--files0-from`
323323324-[//]: # "SAFE_BIN_DENIED_FLAGS:END"
325-326- Safe bins also force argv tokens to be treated as **literal text** at
327- execution time (no globbing and no `$VARS` expansion) for stdin-only
328- segments, so patterns like `*` or `$HOME/...` cannot be used to smuggle
329- file reads.
330-331-</Accordion>
332-333-<Accordion title="Trusted binary directories">
334-Safe bins must resolve from trusted binary directories (system defaults
335-plus optional `tools.exec.safeBinTrustedDirs`). `PATH` entries are never
336-auto-trusted. Default trusted directories are intentionally minimal:
337-`/bin`, `/usr/bin`. If your safe-bin executable lives in
338-package-manager/user paths (for example `/opt/homebrew/bin`,
339-`/usr/local/bin`, `/opt/local/bin`, `/snap/bin`), add them explicitly to
340-`tools.exec.safeBinTrustedDirs`.
341-</Accordion>
342-343-<Accordion title="Shell chaining, wrappers, and multiplexers">
344-Shell chaining (`&&`, `||`, `;`) is allowed when every top-level segment
345-satisfies the allowlist (including safe bins or skill auto-allow).
346-Redirections remain unsupported in allowlist mode. Command substitution
347-(`$()` / backticks) is rejected during allowlist parsing, including inside
348-double quotes; use single quotes if you need literal `$()` text.
349-350-On macOS companion-app approvals, raw shell text containing shell control
351-or expansion syntax (`&&`, `||`, `;`, `|`, `` ` ``, `$`, `<`, `>`, `(`,
352-`)`) is treated as an allowlist miss unless the shell binary itself is
353-allowlisted.
354-355-For shell wrappers (`bash|sh|zsh ... -c/-lc`), request-scoped env
356-overrides are reduced to a small explicit allowlist (`TERM`, `LANG`,
357-`LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
358-359-For `allow-always` decisions in allowlist mode, known dispatch wrappers
360-(`env`, `nice`, `nohup`, `stdbuf`, `timeout`) persist the inner executable
361-path instead of the wrapper path. Shell multiplexers (`busybox`, `toybox`)
362-are unwrapped for shell applets (`sh`, `ash`, etc.) the same way. If a
363-wrapper or multiplexer cannot be safely unwrapped, no allowlist entry is
364-persisted automatically.
365-366-If you allowlist interpreters like `python3` or `node`, prefer
367-`tools.exec.strictInlineEval=true` so inline eval still requires an
368-explicit approval. In strict mode, `allow-always` can still persist benign
369-interpreter/script invocations, but inline-eval carriers are not persisted
370-automatically.
371-372-</Accordion>
373-</AccordionGroup>
324+[//]: # "SAFE_BIN_DENIED_FLAGS:END"
325+326+Safe bins also force argv tokens to be treated as **literal text** at execution
327+time (no globbing and no `$VARS` expansion) for stdin-only segments, so patterns
328+like `*` or `$HOME/...` cannot be used to smuggle file reads.
329+330+### Trusted binary directories
331+332+Safe bins must resolve from trusted binary directories (system defaults plus
333+optional `tools.exec.safeBinTrustedDirs`). `PATH` entries are never auto-trusted.
334+Default trusted directories are intentionally minimal: `/bin`, `/usr/bin`. If
335+your safe-bin executable lives in package-manager/user paths (for example
336+`/opt/homebrew/bin`, `/usr/local/bin`, `/opt/local/bin`, `/snap/bin`), add them
337+explicitly to `tools.exec.safeBinTrustedDirs`.
338+339+### Shell chaining, wrappers, and multiplexers
340+341+Shell chaining (`&&`, `||`, `;`) is allowed when every top-level segment
342+satisfies the allowlist (including safe bins or skill auto-allow). Redirections
343+remain unsupported in allowlist mode. Command substitution (`$()` / backticks) is
344+rejected during allowlist parsing, including inside double quotes; use single
345+quotes if you need literal `$()` text.
346+347+On macOS companion-app approvals, raw shell text containing shell control or
348+expansion syntax (`&&`, `||`, `;`, `|`, `` ` ``, `$`, `<`, `>`, `(`, `)`) is
349+treated as an allowlist miss unless the shell binary itself is allowlisted.
350+351+For shell wrappers (`bash|sh|zsh ... -c/-lc`), request-scoped env overrides are
352+reduced to a small explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`,
353+`NO_COLOR`, `FORCE_COLOR`).
354+355+For `allow-always` decisions in allowlist mode, known dispatch wrappers (`env`,
356+`nice`, `nohup`, `stdbuf`, `timeout`) persist the inner executable path instead
357+of the wrapper path. Shell multiplexers (`busybox`, `toybox`) are unwrapped for
358+shell applets (`sh`, `ash`, etc.) the same way. If a wrapper or multiplexer
359+cannot be safely unwrapped, no allowlist entry is persisted automatically.
360+361+If you allowlist interpreters like `python3` or `node`, prefer
362+`tools.exec.strictInlineEval=true` so inline eval still requires an explicit
363+approval. In strict mode, `allow-always` can still persist benign
364+interpreter/script invocations, but inline-eval carriers are not persisted
365+automatically.
374366375367### Safe bins versus allowlist
376368此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。