fix(builtins): match sensitive-data keywords on filename, not full path#110
Open
punk-dev-robot wants to merge 1 commit into
Open
fix(builtins): match sensitive-data keywords on filename, not full path#110punk-dev-robot wants to merge 1 commit into
punk-dev-robot wants to merge 1 commit into
Conversation
is_sensitive_file matched its keyword set ("private", "auth", "secret",
"token", ...) with contains() against the entire canonical path. On macOS
the kernel canonicalizes /tmp and /var under /private, so the "private"
keyword flagged EVERY file beneath /tmp and /var as sensitive and denied
reads of plainly benign files. Any path with a "private"/"auth" component
(e.g. /Users/<author>, oauth dirs) hit the same footgun.
Scope the keyword match to the file basename, which is the documented
intent ("Files with sensitive keywords"). Directory-scoped secrets remain
covered by the dedicated ssh/cloud/package/vcs clauses that match on full
path prefixes. Cursor ships a different ruleset (is_sensitive_path) without
this clause and is unaffected.
Verified with opa 1.7.1:
/private/tmp/x/greet.txt -> allowed (was denied)
/Users/x/private/report.txt -> allowed (was denied)
secret.txt, .env, id_rsa,
my-passwords.kdbx -> still denied
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The
sensitive_data_protectionglobal builtin matched its keyword set(
"private","auth","secret","token", …) withcontains()against theentire canonical path:
On macOS the kernel canonicalizes
/tmp→/private/tmpand/var→/private/var. Rust preprocessing passes the canonical path asresolved_file_path, so every file read under/tmpor/varcontains thesubstring
privateand is denied:Any path with a
private/authcomponent hits the same footgun(
/Users/<author>/…,oauth/…, etc.). The[SENSITIVE-FILE: *.txt]label isjust the masking helper printing the extension; the real trigger is the keyword
clause.
Fix
Scope the keyword match to the file basename — the documented intent of this
clause ("Files with sensitive keywords"). Directory-scoped secrets remain covered
by the dedicated ssh / cloud / package / vcs clauses, which match on full path
prefixes and are unchanged.
Applied to the
claude,factory, andopencodefixtures.cursorships adifferent ruleset (
is_sensitive_path) without this clause and is unaffected.Verification (opa 1.7.1)
/private/tmp/x/greet.txt/Users/x/private/report.txtsecret.txt.env~/.ssh/id_rsamy-passwords.kdbxNotes / follow-ups
"auth"remains a broad keyword even at basename scope (matchesoauth*); leftas-is to keep this change minimal — worth a separate look.
shipped fixtures, so this logic isn't covered by
cargo test. Adding fixture-levelcoverage is a reasonable follow-up.