Enforce workspace writable roots in mutation tools (#661)

Author: chubes4

inc/Support/PathSecurity.php

@@ -92,13 +92,14 @@ public static function hasTraversal( string $path ): bool {
 	}
 
 	/**
-	 * Check whether a relative path is under any of a set of prefix roots.
+	 * Check whether a relative path is under any of a set of prefix roots or glob patterns.
 	 *
 	 * Used to enforce `allowed_paths` policy when staging for commit —
 	 * a path must sit inside at least one of the configured roots to be
 	 * stageable. Roots are compared as directory prefixes (so root
 	 * `articles` matches `articles/foo.md` but not `articlesX/foo.md`),
-	 * and an exact-match counts.
+	 * exact matches count, and glob roots such as docs-star-star or
+	 * plugins-star-star-README are matched with fnmatch().
 	 *
 	 * Empty `$allowed_paths` returns false — an empty allowlist means
 	 * nothing is allowed, matching the conservative Phase 2 default.
@@ -122,6 +123,9 @@ public static function isPathAllowed( string $path, array $allowed_paths ): bool
 			if ( $normalized === $root || str_starts_with($normalized, $root . '/') ) {
 				return true;
 			}
+			if ( strpbrk($root, '*?[') && fnmatch($root, $normalized) ) {
+				return true;
+			}
 		}
 
 		return false;

inc/Workspace/RemoteWorkspaceBackend.php

@@ -8,6 +8,7 @@
 namespace DataMachineCode\Workspace;
 
 use DataMachineCode\Abilities\GitHubAbilities;
+use DataMachineCode\Support\PathSecurity;
 
 defined('ABSPATH') || exit;
 
@@ -482,6 +483,11 @@ public function write_file( string $handle, string $path, string $content ): arr
 			return $path;
 		}
 
+		$policy_check = $this->ensure_writable_roots_allow_paths((string) $context['repo_name'], array( $path ));
+		if ( is_wp_error($policy_check) ) {
+			return $policy_check;
+		}
+
 		$state = $this->state();
 		$state['worktrees'][ $context['handle'] ]['pending_files'][ $path ] = $content;
 		$state['worktrees'][ $context['handle'] ]['changed_files'][ $path ] = $path;
@@ -497,6 +503,101 @@ public function write_file( string $handle, string $path, string $content ): arr
 		);
 	}
 
+	/**
+	 * Enforce configured writable roots before a remote mutation is staged.
+	 *
+	 * @param  string            $repo_name Repository name.
+	 * @param  array<int,string> $paths     Repo-relative paths.
+	 * @return true|\WP_Error
+	 */
+	private function ensure_writable_roots_allow_paths( string $repo_name, array $paths ): true|\WP_Error {
+		$writable_roots = $this->get_repo_writable_roots($repo_name);
+		if ( empty($writable_roots) ) {
+			return true;
+		}
+
+		$rejected = array();
+		foreach ( $paths as $path ) {
+			$relative = $this->normalize_policy_path($path);
+			if ( '' !== $relative && ! PathSecurity::isPathAllowed($relative, $writable_roots) ) {
+				$rejected[] = $relative;
+			}
+		}
+
+		$rejected = array_values(array_unique($rejected));
+		if ( empty($rejected) ) {
+			return true;
+		}
+
+		return new \WP_Error(
+			'path_not_allowed',
+			sprintf(
+				'Path(s) outside configured writable_roots: %s. Allowed writable_roots: %s.',
+				implode(', ', $rejected),
+				implode(', ', $writable_roots)
+			),
+			array(
+				'status'         => 403,
+				'rejected_paths' => $rejected,
+				'writable_roots' => $writable_roots,
+			)
+		);
+	}
+
+	/**
+	 * @return array<int,string>
+	 */
+	private function get_repo_writable_roots( string $repo_name ): array {
+		$policies = $this->get_workspace_git_policies();
+		$repo     = $policies['repos'][ $repo_name ] ?? array();
+		$paths    = $repo['writable_roots'] ?? $repo['allowed_paths'] ?? array();
+
+		return $this->normalize_policy_paths($paths);
+	}
+
+	/**
+	 * @return array{repos: array<string, array<string, mixed>>}
+	 */
+	private function get_workspace_git_policies(): array {
+		$defaults = array( 'repos' => array() );
+		$settings = function_exists('get_option') ? get_option('datamachine_workspace_git_policies', $defaults) : $defaults;
+		if ( ! is_array($settings) ) {
+			$settings = $defaults;
+		}
+		if ( ! isset($settings['repos']) || ! is_array($settings['repos']) ) {
+			$settings['repos'] = array();
+		}
+		if ( function_exists('apply_filters') ) {
+			$settings = apply_filters('datamachine_workspace_git_policies', $settings);
+		}
+
+		return isset($settings['repos']) && is_array($settings['repos']) ? $settings : $defaults;
+	}
+
+	/**
+	 * @param  mixed $paths Raw policy value.
+	 * @return array<int,string>
+	 */
+	private function normalize_policy_paths( mixed $paths ): array {
+		if ( ! is_array($paths) ) {
+			return array();
+		}
+
+		$clean = array();
+		foreach ( $paths as $path ) {
+			$normalized = $this->normalize_policy_path((string) $path);
+			if ( '' !== $normalized ) {
+				$clean[] = $normalized;
+			}
+		}
+
+		return array_values(array_unique($clean));
+	}
+
+	private function normalize_policy_path( string $path ): string {
+		return rtrim(ltrim(str_replace('\\', '/', trim($path)), '/'), '/');
+	}
+
 	/**
 	 * Stage a find-and-replace edit in the remote workspace.
 	 *
@@ -512,7 +613,17 @@ public function edit_file( string $handle, string $path, string $old_string, str
 			return $context;
 		}
 
-		$current = $this->read_file($handle, $path, PHP_INT_MAX);
+		$normalized_path = $this->normalize_path($path);
+		if ( is_wp_error($normalized_path) ) {
+			return $normalized_path;
+		}
+
+		$policy_check = $this->ensure_writable_roots_allow_paths((string) $context['repo_name'], array( $normalized_path ));
+		if ( is_wp_error($policy_check) ) {
+			return $policy_check;
+		}
+
+		$current = $this->read_file($handle, $normalized_path, PHP_INT_MAX);
 		if ( is_wp_error($current) ) {
 			return $current;
 		}
@@ -542,7 +653,7 @@ public function edit_file( string $handle, string $path, string $old_string, str
 			: substr_replace($content, $new_string, $offset, strlen($old_string));
 		}
 
-		$write = $this->write_file($handle, $path, $new_content);
+		$write = $this->write_file($handle, $normalized_path, $new_content);
 		if ( is_wp_error($write) ) {
 			return $write;
 		}

inc/Workspace/WorkspaceGitOperations.php

@@ -1791,20 +1791,7 @@ private function path_matches_any_glob( string $path, array $patterns ): bool {
 	 * @return bool
 	 */
 	private function is_path_allowed( string $path, array $allowed_paths ): bool {
-		$normalized = ltrim(str_replace('\\', '/', $path), '/');
-
-		foreach ( $allowed_paths as $allowed ) {
-			$root = ltrim(str_replace('\\', '/', (string) $allowed), '/');
-			if ( '' === $root ) {
-				continue;
-			}
-
-			if ( $normalized === $root || str_starts_with($normalized, $root . '/') ) {
-				return true;
-			}
-		}
-
-		return false;
+		return PathSecurity::isPathAllowed($path, $allowed_paths);
 	}
 
 	/**