fix(security): recognize localized Windows SYSTEM account in ACL audit

[ningding97]

Fixes #29681

Problem

On non-English Windows (e.g. French fr-FR locale), the security audit reports a false positive for fs.config.perms_writable because the SYSTEM account is named AUTORITE NT\Système instead of NT AUTHORITY\SYSTEM. The ACL checker fails to recognize it as a trusted principal.

Changes

• Add localized SYSTEM names to TRUSTED_BASE: French (AUTORITE NT\Système), German (NT-AUTORITÄT\SYSTEM), Spanish (AUTORIDAD NT\SYSTEM), Portuguese (AUTORIDADE NT\SYSTEM)
• Add \système suffix to TRUSTED_SUFFIXES for French locale matching
• Diacritics-stripping fallback in classifyPrincipal: normalizes Unicode (NFD + strip combining marks) and re-checks against trusted sets, catching any locale not explicitly listed
• Use SID *S-1-5-18 in formatIcaclsResetCommand and createIcaclsResetCommand instead of hardcoded "SYSTEM" string — SID references work on all Windows locales

Tests

• Added tests for French, German, Spanish localized SYSTEM classification
• Added full-scenario test (French user + Système = all trusted)
• Added test verifying SID usage in reset commands
• All 40 tests pass

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 23891964e8

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Avoid trusting diacritic variants of privileged suffixes

The new diacritics fallback trusts any principal whose accent-stripped name ends with a trusted suffix, so non-privileged accounts like CORP\\Admīnistrators or CORP\\Système will now be classified as trusted even though they are not the built-in admin/SYSTEM identities. In environments where such similarly named domain/local principals exist, this can suppress fs.config.perms_writable findings and hide writable ACL exposure that was previously reported.

Useful? React with 👍 / 👎.

[greptile-apps]

Greptile Summary

This PR fixes a false positive security audit issue on non-English Windows systems where the SYSTEM account has localized names. The implementation correctly addresses the problem through three complementary strategies:

• Explicit localized names: Adds French (AUTORITE NT\Système), German (NT-AUTORITÄT\SYSTEM), Spanish (AUTORIDAD NT\SYSTEM), and Portuguese (AUTORIDADE NT\SYSTEM) to the trusted base set
• Diacritics-stripping fallback: Implements Unicode normalization (NFD) to handle locale variants not explicitly listed by stripping combining diacritical marks and rechecking against trusted patterns
• SID-based reset commands: Uses the locale-independent SID *S-1-5-18 instead of the hardcoded string "SYSTEM" in icacls reset commands, ensuring commands work across all Windows locales

The changes are well-tested with new test cases covering French, German, and Spanish variants, plus a full-scenario integration test. The diacritics-stripping logic is particularly clever, providing robustness against unknown locale variants while maintaining security. All formatting changes are automatic (likely from Prettier) and don't affect functionality.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The implementation is sound and well-tested. The three-pronged approach (explicit localized names, diacritics fallback, and SID usage) correctly handles the Windows localization issue. The diacritics-stripping logic using NFD normalization is properly implemented to catch edge cases. All 40 tests pass, including new tests specifically for the localized variants. The changes are backwards-compatible and don't modify any existing security assumptions. The only formatting changes are automatic and don't introduce any functional issues.
• No files require special attention

_{Last reviewed commit: 2389196}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bdf23c8504

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Limit accent-stripped trusted suffix matching to known principals

The diacritic fallback treats any principal whose accent-stripped name ends with a trusted suffix as trusted, so names like CORP\\Admīnistrators (or other accented variants of privileged suffixes) are now classified as trusted even when they are ordinary domain/local accounts. In inspectPathPermissions, those entries then drop out of untrustedGroup, which can suppress groupWritable/fs.config.perms_writable findings and hide writable ACL exposure on affected Windows environments.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7bc3e6b0c2

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Restrict French SYSTEM suffix trust to built-in identity

Adding "\\système" to TRUSTED_SUFFIXES makes classifyPrincipal trust any ACL principal whose name ends with that suffix, not just the built-in SYSTEM account (for example, CORP\\Système). In Windows ACL audits, those entries are removed from untrustedGroup, which can suppress groupWritable/fs.config.perms_writable findings and hide writable ACL exposure on French-localized hosts where similarly named non-privileged accounts exist.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c9a275cda4

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Narrow diacritic trusted-suffix matching

This fallback now strips diacritics and then applies suffix trust to every entry in TRUSTED_SUFFIXES, so non-built-in principals like CORP\\Admīnistrators or CORP\\Système are reclassified as trusted. That is a regression from the previous behavior for accented lookalikes, and it can hide writable ACL findings because summarizeWindowsAcl removes those entries from untrustedGroup before audit-fs computes groupWritable. Fresh evidence in this commit is the new stripped-suffix check at this location, which newly broadens trust beyond exact localized SYSTEM names.

Useful? React with 👍 / 👎.