Harden tool authorization: sensitive settings, deferred ops, copy/move patterns#48641
Merged
Harden tool authorization: sensitive settings, deferred ops, copy/move patterns#48641
Conversation
- Add normalize_path function to resolve .., ., and redundant separators
- Add decide_permission_for_path wrapper that normalizes before checking
- Add expand_rm_to_single_path_commands to handle multi-path rm commands
- Normalize paths in rm commands before checking hardcoded security rules
- Normalize suffix after $HOME/${HOME} variable references
- Handle -- end-of-options marker in rm commands
- Handle trailing flags after path operand (GNU rm accepts this)
- Broaden FLAGS regex to accept digits, underscores, and uppercase
- Handle tabs/any whitespace after rm command name
- Preserve .. components that traverse above start path
- Preserve leading / for absolute paths in normalize_path
- Extensive test coverage for all edge cases
…e patterns Tool authorization improvements across all file/directory tools: - Protect sensitive settings paths (.zed/, global config) even with default: allow, requiring confirmation for modifications - Defer filesystem operations until after authorization in copy, move, create_directory, and delete tools - Add (local settings) / (settings) annotation to auth dialog titles - streaming_edit_file shares edit_file's tool name for permissions - authorize_file_edit refactored to accept tool_name parameter - sensitive_settings_kind walks up ancestors for non-existent subdirs - Copy/move tools include both source and destination in permission checks - Copy/move always-allow patterns cover common parent directory - Save tool shows only confirmation-needing paths in dialog title - Save tool annotates sensitive settings in dialog title
- pattern_extraction: Add normalize_separators() to convert backslashes to forward slashes in regex patterns, fixing 4 test failures on Windows where Path/PathBuf uses backslash separators. - edit_file_tool: Add safe_canonicalize() to strip the \\?\ prefix that std::fs::canonicalize adds on Windows, fixing 2 test failures where starts_with comparison failed due to prefix mismatch.
naaiyy
added a commit
to Glass-HQ/Glass
that referenced
this pull request
Feb 16, 2026
Key changes: - LSP folding ranges support (zed-industries#48611) - textDocument/foldingRange with custom fold text - LSP refactoring (zed-industries#48604) - extracted document_colors, code_lens, folding_ranges into modules - Crate graph restructuring (zed-industries#48602) - terminal moved closer to editor - Side-by-side diff searching (zed-industries#48539) and OpenExcerpts for LHS (zed-industries#48438) - SplittableEditor: sync custom blocks between RHS/LHS (zed-industries#48575) - Thinking effort for Zed/OpenAI providers (zed-industries#48545, zed-industries#48605) - Agent default_model.enable_thinking setting (zed-industries#48536) - Configurable LSP timeout setting (zed-industries#44745) - PaneSearchBarCallbacks global (search bar setup extracted from vim) - Settings migrations for nested platform/channel/profile keys (zed-industries#48550) - Shell parser: I/O redirects, here-documents, compound commands (zed-industries#48635) - Hardened tool authorization: sensitive settings, deferred ops (zed-industries#48641) - rm security bypass fixes (zed-industries#48640, zed-industries#48647) - MCP tool name parsing fix: newline delimiter (zed-industries#48636) - Canonicalize --user-data-dir path (zed-industries#48470) - Fix text_threads_dir XDG spec compliance (zed-industries#45771) - Buffer font for folds (zed-industries#48652) - Multibuffer toolbar layout shift fix (zed-industries#48472) - Editor: tabs bitmask syncing (zed-industries#48366) Conflict resolution: - collab tests: deleted (collab removed) - util/archive.rs, util/shell.rs: deleted (extracted to Obsydian) - copilot_ui/sign_in.rs: kept native_button style - editor_tests.rs: merged imports (kept MoveItemToPaneInDirection, added ViewId/FollowEvent) - lsp_store.rs: took upstream refactored imports, added FoldingRangeData, removed collab imports - main.rs: added PaneSearchBarCallbacks, removed vim::init Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR hardens the authorization flow for all file and directory tools.
Sensitive settings protection
All file/directory tools (copy, move, create_directory, delete, save, edit, streaming_edit) now detect and protect sensitive settings paths:
.zed/directories (local settings)~/.config/zed/or equivalent)Even when the global default is
allow, modifications to these paths require explicit confirmation. The authorization dialog title is annotated with "(local settings)" or "(settings)" to inform the user.sensitive_settings_kindwalks up ancestor directories to handle paths where intermediate subdirectories don't exist yet (e.g.~/.config/zed/new_subdir/evil.json).Deferred filesystem operations
Copy, move, create_directory, and delete tools now defer all project/filesystem operations until after the user authorizes the action. Previously, some tools began resolving project paths or traversing directories before authorization.
streaming_edit_file permissions
streaming_edit_filenow sharesedit_file's tool name for permission checks, ensuring consistent permission rules between the two edit tool variants. The duplicated authorization logic is replaced by a sharedauthorize_file_editfunction.Copy/move pattern extraction
Copy and move tools now include both source and destination paths in their permission context (
input_value). The always-allow pattern is extracted from the common parent directory of both paths, ensuring the pattern covers future checks against both.Save tool improvements
Release Notes: