fix: add allowlist normalization and validation in permissions repair process

GitHub Actions
2026-02-18 06:31:13 +00:00
parent a7e081da0b
commit 24509dc84f
9 changed files with 323 additions and 671 deletions
@@ -487,6 +487,14 @@ func TestSystemPermissionsHandler_RepairPath_Branches(t *testing.T) {
require.Equal(t, "permissions_outside_allowlist", result.ErrorCode)
})
t.Run("outside allowlist rejected before stat for missing path", func(t *testing.T) {
outsideMissing := filepath.Join(t.TempDir(), "missing.txt")
result := h.repairPath(outsideMissing, false, allowlist)
require.Equal(t, "error", result.Status)
require.Equal(t, "permissions_outside_allowlist", result.ErrorCode)
})
t.Run("unsupported type rejected", func(t *testing.T) {
fifoPath := filepath.Join(allowRoot, "fifo")
require.NoError(t, syscall.Mkfifo(fifoPath, 0o600))
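Review bot: The new "outside allowlist" case only probes a path under a fresh `t.TempDir()`, which shares no prefix with `allowRoot`, so it does not pin that the allowlist check compares path components rather than string prefixes. A sibling directory with a common prefix, e.g. `result := h.repairPath(allowRoot+"2", false, allowlist)` asserting `permissions_outside_allowlist`, would catch a `strings.HasPrefix`-style check that admits `/data2` for an allowlist entry `/data` (the implementation of the check is not visible here, so this is a hedge). The subtest name claims rejection happens "before stat", but the assertions only observe the error code, which is fine as long as the missing path can produce no other code. The enclosing `TestSystemPermissionsHandler_RepairPath_Branches` starts and ends outside this hunk.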
@@ -559,7 +567,7 @@ func TestSystemPermissionsHandler_RepairPath_LstatInvalidArgument(t *testing.T)
result := h.repairPath("/tmp/\x00invalid", false, []string{allowRoot})
require.Equal(t, "error", result.Status)
require.Equal(t, "permissions_repair_failed", result.ErrorCode)
require.Equal(t, "permissions_outside_allowlist", result.ErrorCode)
}
func TestSystemPermissionsHandler_RepairPath_RepairedBranch(t *testing.T) {
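Review bot: The changed expectation turns `TestSystemPermissionsHandler_RepairPath_LstatInvalidArgument` into an allowlist test: with `/tmp/\x00invalid` outside `[]string{allowRoot}` the path is now rejected before `Lstat` runs, so the `permissions_repair_failed` branch for an EINVAL from `Lstat` is no longer covered by any test in this hunk. Keep the original branch under test by placing the NUL-bearing name inside the allowlist root, e.g. `result := h.repairPath(filepath.Join(allowRoot, "\x00invalid"), false, []string{allowRoot})` with `require.Equal(t, "permissions_repair_failed", result.ErrorCode)`, and add a separate case for the outside-allowlist path if that ordering is the property the commit wants to pin. If the allowlist check intentionally runs first for all inputs, the test name and the comment above it (outside this hunk) should say so. The function's opening lines precede the hunk.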
@@ -590,3 +598,8 @@ func TestSystemPermissionsHandler_NormalizePath_ParentRefBranches(t *testing.T)
require.Equal(t, "/etc", clean)
require.Empty(t, code)
}
func TestSystemPermissionsHandler_NormalizeAllowlist(t *testing.T) {
allowlist := normalizeAllowlist([]string{"", "/tmp/data/..", "/var/log/charon"})
require.Equal(t, []string{"/tmp", "/var/log/charon"}, allowlist)
}
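Review bot: `TestSystemPermissionsHandler_NormalizeAllowlist` covers an empty entry and a `..` component but not the inputs that typically break allowlists: a trailing slash, a duplicate entry, a relative entry, and a root-escaping `/..`. Without those, a normalizer that keeps `/tmp/` and `/tmp` as distinct entries, or admits `relative/dir` as-is, still passes. Suggested additions are `require.Equal(t, []string{"/tmp"}, normalizeAllowlist([]string{"/tmp/", "/tmp"}))` if deduplication is intended, and a case for `[]string{"relative", "/.."}` pinning whatever the function does with them (the implementation is not in this hunk, so the expected values must be taken from it). Note that `/tmp/data/..` collapsing to `/tmp` is a lexical cleanup; a comment on the test stating that symlinks are not resolved here would make that contract explicit.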