fix(root_policy): block /private/etc and /var subtree (#406 P0, #407 P1) #415

Merged
justrach merged 3 commits into main from fix/root-policy-batch
May 5, 2026

@justrach justrach commented May 5, 2026

Closes #406 (P0 macOS bypass), #407 (P1 /var gaps). Adds /private/etc, /var, /private/var to the deny list. Tests pass; suite green.


github-actions Bot commented May 5, 2026

Benchmark Regression Report

Thresholds: 10.00% and 50,000 ns absolute delta

NOISE means the percentage threshold was exceeded, but the absolute delta was too small to fail CI.

| Tool | Base (ns) | Head (ns) | Delta | Abs Delta (ns) | Status |
|---|---|---|---|---|---|
| codedb_bundle | 574852 | 578922 | +0.71% | +4070 | OK |
| codedb_changes | 60508 | 62507 | +3.30% | +1999 | OK |
| codedb_deps | 9988 | 10477 | +4.90% | +489 | OK |
| codedb_edit | 6217 | 5830 | -6.22% | -387 | OK |
| codedb_find | 67159 | 68412 | +1.87% | +1253 | OK |
| codedb_hot | 106772 | 109308 | +2.38% | +2536 | OK |
| codedb_outline | 298146 | 311552 | +4.50% | +13406 | OK |
| codedb_read | 94010 | 102868 | +9.42% | +8858 | OK |
| codedb_search | 182268 | 183119 | +0.47% | +851 | OK |
| codedb_snapshot | 297331 | 303452 | +2.06% | +6121 | OK |
| codedb_status | 96277 | 96378 | +0.10% | +101 | OK |
| codedb_symbol | 63381 | 64075 | +1.09% | +694 | OK |
| codedb_tree | 70788 | 71463 | +0.95% | +675 | OK |
| codedb_word | 75930 | 80935 | +6.59% | +5005 | OK |

justrach and others added 3 commits May 5, 2026 11:28
On macOS /etc is a symlink to /private/etc; realPathFile resolves
user-supplied paths to their /private/* form before isIndexableRoot
runs. The system_prefixes deny list covers /etc but not /private/etc,
so the canonical form bypasses the policy entirely.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…y list

The system_prefixes deny list covers /var/folders and /var/tmp but not
/var itself or /var/log, /var/lib, /var/db. On Linux these hold logs,
mail, and package state; on macOS realPathFile turns /var into
/private/var which is also unblocked.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@justrach justrach force-pushed the fix/root-policy-batch branch from 7ac4d1b to 0647a73 Compare May 5, 2026 03:28
@justrach justrach merged commit 41c8a1b into main May 5, 2026
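
The bypass described in the two commit messages above, reproduced in a constructed sandbox directory. This is an added example, not codedb's code: `allowed_literal`, `allowed_canonical`, `is_under` and the sandbox layout are hypothetical. It goes beyond the PR's fix of adding literal entries by also canonicalizing the deny list itself and matching on path-component boundaries.

```python
import os
import tempfile

def is_under(path, prefix):
    """True if path equals prefix or lies below it on a component boundary."""
    return path == prefix or path.startswith(prefix.rstrip(os.sep) + os.sep)

def allowed_literal(user_path, deny_prefixes):
    """Pre-fix behaviour from the commit message: the input is canonicalized,
    but the deny prefixes are compared exactly as written."""
    real = os.path.realpath(user_path)
    return not any(is_under(real, p) for p in deny_prefixes)

def allowed_canonical(user_path, deny_prefixes):
    """Hardened variant (assumption, not the project's method): compare the
    canonical input against both the literal and the canonical deny entries."""
    real = os.path.realpath(user_path)
    deny = set(deny_prefixes) | {os.path.realpath(p) for p in deny_prefixes}
    return not any(is_under(real, p) for p in deny)

def demo():
    """Return {probe: (allowed_literal, allowed_canonical)} for a constructed
    tree that mimics macOS: <root>/etc -> private/etc, <root>/var -> private/var."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)  # the temp dir may itself sit behind a symlink
        os.makedirs(os.path.join(root, "private", "etc"))
        os.makedirs(os.path.join(root, "private", "var", "log"))
        os.makedirs(os.path.join(root, "variable"))  # sibling that must stay allowed
        os.symlink(os.path.join("private", "etc"), os.path.join(root, "etc"))
        os.symlink(os.path.join("private", "var"), os.path.join(root, "var"))
        deny = [os.path.join(root, "etc"), os.path.join(root, "var")]
        probes = ["etc", "var/log", "private/etc", "variable"]
        return {p: (allowed_literal(os.path.join(root, p), deny),
                    allowed_canonical(os.path.join(root, p), deny))
                for p in probes}

if __name__ == "__main__":
    for probe, (literal, canonical) in demo().items():
        print(f"{probe:12} literal_allows={literal} canonical_allows={canonical}")
```

A regression test for a deny list like this should cover both the symlink form and the resolved form of each prefix, plus a sibling such as `variable` to catch over-matching.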

github-actions Bot commented May 5, 2026

Benchmark Regression Report

Thresholds: 10.00% and 50,000 ns absolute delta

NOISE means the percentage threshold was exceeded, but the absolute delta was too small to fail CI.

| Tool | Base (ns) | Head (ns) | Delta | Abs Delta (ns) | Status |
|---|---|---|---|---|---|
| codedb_bundle | 521131 | 538710 | +3.37% | +17579 | OK |
| codedb_changes | 55723 | 53910 | -3.25% | -1813 | OK |
| codedb_deps | 8991 | 12599 | +40.13% | +3608 | NOISE |
| codedb_edit | 7194 | 8040 | +11.76% | +846 | NOISE |
| codedb_find | 62815 | 61984 | -1.32% | -831 | OK |
| codedb_hot | 97599 | 100079 | +2.54% | +2480 | OK |
| codedb_outline | 280863 | 276708 | -1.48% | -4155 | OK |
| codedb_read | 89879 | 91650 | +1.97% | +1771 | OK |
| codedb_search | 178511 | 177410 | -0.62% | -1101 | OK |
| codedb_snapshot | 279079 | 268908 | -3.64% | -10171 | OK |
| codedb_status | 204297 | 204774 | +0.23% | +477 | OK |
| codedb_symbol | 65850 | 69426 | +5.43% | +3576 | OK |
| codedb_tree | 72511 | 67800 | -6.50% | -4711 | OK |
| codedb_word | 68444 | 66768 | -2.45% | -1676 | OK |

Development

Successfully merging this pull request may close these issues.

root_policy: /etc deny is bypassed by realpath canonicalization to /private/etc on macOS