Status: Active
Primary bead: bd-k5q5.4.6
Last updated: 2026-02-08
This document models realistic abuse paths against the extension runtime and maps each threat to code-level controls and executable tests.
In-scope components:
PiJsRuntimehost bridge (src/extensions_js.rs)- hostcall capability policy (
src/extensions.rs,src/config.rs,src/extension_dispatcher.rs) - JS compatibility shims (
node:fs,node:child_process,node:http, etc.) - extension event dispatch and registration surfaces
Out-of-scope components:
- external provider account compromise
- host OS/kernel exploits outside process boundaries
- social engineering outside runtime policy/UI controls
Critical assets:
- project workspace file integrity
- secret material in environment/session state
- command execution boundary (
exec,child_process) - extension event stream and tool invocation integrity
- reproducible conformance and audit evidence artifacts
Boundaries:
- Extension JS code (untrusted) -> hostcalls (trusted host boundary)
- Virtual FS (
__pi_vfs) -> host filesystem fallback - Capability policy decision engine -> execution dispatch
- User prompt/UI decision channel -> runtime allow/deny effects
The highest-risk boundary is (2), because path access mistakes can expose host files.
Attacker classes:
- malicious extension author
- compromised third-party extension package
- benign extension with buggy path/process logic abused by crafted inputs
Attacker goals:
- read sensitive files outside workspace
- escalate to arbitrary command execution
- bypass deny/prompt policy gates
- exfiltrate secrets via permissive hostcalls
- Vector:
node:fsread path such as/etc/hostnameor traversal-normalized absolute path. - Impact: sensitive host data disclosure.
- Control:
- host read fallback now constrained to runtime cwd root in
src/extensions_js.rs. - canonical-path boundary check blocks outside-root reads.
- host read fallback now constrained to runtime cwd root in
- Evidence:
tests/security_fs_escape.rs::host_read_fallback_denies_outside_workspacetests/security_fs_escape.rs::read_file_traversal_with_dot_dottests/extensions_fs_shim.rs::fs_stat_host_fallback
- Vector:
..segments, symlink indirection, or crafted path normalization. - Impact: read/write outside workspace or policy bypass.
- Control:
- path normalization and rooted checks in VFS + tool path resolution.
- deny on resolved outside-root host fallback path.
- Evidence:
tests/security_fs_escape.rsnormalization/write confinement suitetests/extensions.rs::fs_connector_denies_path_traversal_outside_cwdtests/extensions.rs::fs_connector_denies_symlink_escape
- Vector: forging
capabilitydifferent from method semantics. - Impact: invoking privileged behavior through lower-privilege labels.
- Control:
required_capability_for_host_call(...)authoritative mapping.- dispatcher rejection for invalid/mismatched capability requests.
- Evidence:
tests/extensions_policy_negative.rscapability mapping tests- parity/adapter tests under
src/extensions.rsunit suite
- Vector: ambiguous defaults or unknown profile names.
- Impact: accidental
exec/envexposure. - Control:
- default profile changed to
permissive; strict mode remains an explicit opt-in. - unknown profile tokens fail closed to
safe. - explicit opt-in path for dangerous caps (
allowDangerous, profile overrides).
- default profile changed to
- Evidence:
tests/capability_policy_scoped.rsconfig resolution teststests/e2e_cli.rsexplain/migration guardrail tests
- Vector: repeated prompt-required decisions causing operator mistakes.
- Impact: over-broad persistent grants.
- Control:
- policy decision logs include reason/remediation metadata.
- deny fallback when prompt manager/UI channel is unavailable.
- Evidence:
tests/extensions_policy_negative.rstests/extensions.rsprompt/denial path tests
| Abuse case | Expected result | Test evidence |
|---|---|---|
Read /etc/hostname from extension |
denied (outside extension root) |
tests/security_fs_escape.rs::host_read_fallback_denies_outside_workspace |
| Read workspace file via host fallback | allowed | tests/security_fs_escape.rs::host_read_fallback_allows_workspace_file |
Traversal read /fake/../etc/hostname |
denied | tests/security_fs_escape.rs::read_file_traversal_with_dot_dot |
| Stat/exists outside root via host fallback | denied/false | tests/extensions_fs_shim.rs::fs_stat_host_fallback |
exec denied under safe defaults |
deny | tests/extensions_policy_negative.rs::exec_tool_denied_by_default_policy |
| Default config resolves to permissive mode | allow-most | tests/capability_policy_scoped.rs::default_config_resolves_to_permissive |
| Gap | Risk | Owner | Tracking |
|---|---|---|---|
Dangerous-capability operator rollout guidance published in README.md + EXTENSIONS.md |
Mitigated | Capability policy UX owner | bd-k5q5.4.7 (completed) |
| End-to-end abuse corpus across all extension categories | High | Conformance campaign owner | bd-k5q5.2 / bd-k5q5.2.4 |
| Full traceability mapping from every security test to requirements | Medium | Verification governance owner | bd-k5q5.7.12 |
Run targeted abuse/security checks:
cargo test --test security_fs_escape -- --nocapture
cargo test --test extensions_fs_shim fs_stat_host_fallback -- --nocapture
cargo test --test extensions_policy_negative -- --nocapture
cargo test --test capability_policy_scoped -- --nocaptureRun quality gates:
cargo check --all-targets
cargo clippy --all-targets -- -D warnings
cargo fmt --check