






















@@ -316,60 +316,60 @@ so file operands cannot be smuggled as ambiguous positionals.
316316317317[//]: # "SAFE_BIN_DENIED_FLAGS:START"
318318319-- `grep`: `--dereference-recursive`, `--directories`, `--exclude-from`, `--file`, `--recursive`, `-R`, `-d`, `-f`, `-r`
320-- `jq`: `--argfile`, `--from-file`, `--library-path`, `--rawfile`, `--slurpfile`, `-L`, `-f`
321-- `sort`: `--compress-program`, `--files0-from`, `--output`, `--random-source`, `--temporary-directory`, `-T`, `-o`
322-- `wc`: `--files0-from`
323-324- [//]: # "SAFE_BIN_DENIED_FLAGS:END"
325-326- Safe bins also force argv tokens to be treated as **literal text** at
327- execution time (no globbing and no `$VARS` expansion) for stdin-only
328- segments, so patterns like `*` or `$HOME/...` cannot be used to smuggle
329- file reads.
330-331- </Accordion>
332-333- <Accordion title="Trusted binary directories">
334- Safe bins must resolve from trusted binary directories (system defaults
335- plus optional `tools.exec.safeBinTrustedDirs`). `PATH` entries are never
336- auto-trusted. Default trusted directories are intentionally minimal:
337- `/bin`, `/usr/bin`. If your safe-bin executable lives in
338- package-manager/user paths (for example `/opt/homebrew/bin`,
339- `/usr/local/bin`, `/opt/local/bin`, `/snap/bin`), add them explicitly to
340- `tools.exec.safeBinTrustedDirs`.
341- </Accordion>
342-343- <Accordion title="Shell chaining, wrappers, and multiplexers">
344- Shell chaining (`&&`, `||`, `;`) is allowed when every top-level segment
345- satisfies the allowlist (including safe bins or skill auto-allow).
346- Redirections remain unsupported in allowlist mode. Command substitution
347- (`$()` / backticks) is rejected during allowlist parsing, including inside
348- double quotes; use single quotes if you need literal `$()` text.
349-350- On macOS companion-app approvals, raw shell text containing shell control
351- or expansion syntax (`&&`, `||`, `;`, `|`, `` ` ``, `$`, `<`, `>`, `(`,
352- `)`) is treated as an allowlist miss unless the shell binary itself is
353- allowlisted.
354-355- For shell wrappers (`bash|sh|zsh ... -c/-lc`), request-scoped env
356- overrides are reduced to a small explicit allowlist (`TERM`, `LANG`,
357- `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
358-359- For `allow-always` decisions in allowlist mode, known dispatch wrappers
360- (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) persist the inner executable
361- path instead of the wrapper path. Shell multiplexers (`busybox`, `toybox`)
362- are unwrapped for shell applets (`sh`, `ash`, etc.) the same way. If a
363- wrapper or multiplexer cannot be safely unwrapped, no allowlist entry is
364- persisted automatically.
365-366- If you allowlist interpreters like `python3` or `node`, prefer
367- `tools.exec.strictInlineEval=true` so inline eval still requires an
368- explicit approval. In strict mode, `allow-always` can still persist benign
369- interpreter/script invocations, but inline-eval carriers are not persisted
370- automatically.
371-372- </Accordion>
319+ - `grep`: `--dereference-recursive`, `--directories`, `--exclude-from`, `--file`, `--recursive`, `-R`, `-d`, `-f`, `-r`
320+ - `jq`: `--argfile`, `--from-file`, `--library-path`, `--rawfile`, `--slurpfile`, `-L`, `-f`
321+ - `sort`: `--compress-program`, `--files0-from`, `--output`, `--random-source`, `--temporary-directory`, `-T`, `-o`
322+ - `wc`: `--files0-from`
323+324+[//]: # "SAFE_BIN_DENIED_FLAGS:END"
325+326+Safe bins also force argv tokens to be treated as **literal text** at
327+execution time (no globbing and no `$VARS` expansion) for stdin-only
328+segments, so patterns like `*` or `$HOME/...` cannot be used to smuggle
329+file reads.
330+331+</Accordion>
332+333+<Accordion title="Trusted binary directories">
334+Safe bins must resolve from trusted binary directories (system defaults
335+plus optional `tools.exec.safeBinTrustedDirs`). `PATH` entries are never
336+auto-trusted. Default trusted directories are intentionally minimal:
337+`/bin`, `/usr/bin`. If your safe-bin executable lives in
338+package-manager/user paths (for example `/opt/homebrew/bin`,
339+`/usr/local/bin`, `/opt/local/bin`, `/snap/bin`), add them explicitly to
340+`tools.exec.safeBinTrustedDirs`.
341+</Accordion>
342+343+<Accordion title="Shell chaining, wrappers, and multiplexers">
344+Shell chaining (`&&`, `||`, `;`) is allowed when every top-level segment
345+satisfies the allowlist (including safe bins or skill auto-allow).
346+Redirections remain unsupported in allowlist mode. Command substitution
347+(`$()` / backticks) is rejected during allowlist parsing, including inside
348+double quotes; use single quotes if you need literal `$()` text.
349+350+On macOS companion-app approvals, raw shell text containing shell control
351+or expansion syntax (`&&`, `||`, `;`, `|`, `` ` ``, `$`, `<`, `>`, `(`,
352+`)`) is treated as an allowlist miss unless the shell binary itself is
353+allowlisted.
354+355+For shell wrappers (`bash|sh|zsh ... -c/-lc`), request-scoped env
356+overrides are reduced to a small explicit allowlist (`TERM`, `LANG`,
357+`LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
358+359+For `allow-always` decisions in allowlist mode, known dispatch wrappers
360+(`env`, `nice`, `nohup`, `stdbuf`, `timeout`) persist the inner executable
361+path instead of the wrapper path. Shell multiplexers (`busybox`, `toybox`)
362+are unwrapped for shell applets (`sh`, `ash`, etc.) the same way. If a
363+wrapper or multiplexer cannot be safely unwrapped, no allowlist entry is
364+persisted automatically.
365+366+If you allowlist interpreters like `python3` or `node`, prefer
367+`tools.exec.strictInlineEval=true` so inline eval still requires an
368+explicit approval. In strict mode, `allow-always` can still persist benign
369+interpreter/script invocations, but inline-eval carriers are not persisted
370+automatically.
371+372+</Accordion>
373373</AccordionGroup>
374374375375### Safe bins versus allowlist
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。