fix(opencode): enforce read deny rules in glob and grep results #29755
Open
Qingzhou-Joshua wants to merge 6 commits into
Conversation
`**/` now correctly matches root-level files (e.g. `**/.env*` matches `.env`). The placeholder is expanded after `*` and `?` substitution to avoid those passes corrupting the already-expanded regex fragment. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a new `evaluate()` method to Tool.Context that silently checks a permission rule against the merged agent+session ruleset without triggering the ask UI. This enables glob and grep tools to filter out denied file paths from their results in a future change. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…co#29674) After ripgrep collects glob results, filter out any file whose path relative to the worktree matches a "read" deny rule via ctx.evaluate(). This prevents denied files (e.g. .env) from leaking into glob output even when the global glob permission is allowed. Also adds a test file and updates the glob test mock context with the evaluate() method. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…co#29674) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…y rule enforcement

Appends a new describe block with three integration tests that verify:

1. User config deny rule blocks .env at root for read
2. User config deny rule blocks .env in subfolders for read
3. Default agent rules handle .env files via pattern matching

These tests exercise the complete fix for issue anomalyco#29674, which includes:

- Wildcard fix for **/ to match root-level files
- glob tool filtering against read deny rules
- grep tool filtering against read deny rules

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ntegration tests
Contributor

Hey! Your PR title Please update it to start with one of:

Where See CONTRIBUTING.md for details.
Contributor

The following comment was made by an LLM, it may be inaccurate: I found one related PR that may be relevant to this work: Related PR:

The other search result (#28475) is about bash environment variable patterns, which is less directly related. Recommendation: Check if #28689 has already been merged and whether its fixes conflict with or complement the wildcard fixes in the current PR.
Issue for this PR

Closes #29674

Type of change

What does this PR do?

The `**/.env*` deny rule in `opencode.jsonc` wasn't working because of three separate bugs:

1. `**/` wildcard bug (root cause)

In `wildcard.ts`, the `**/` pattern was being processed in the wrong order. The code first escaped regex special chars, which turned `**/` into `.**/`, then replaced all `*` with `.*`, meaning the placeholder for `**/` got double-expanded. The result was a regex like `(.*/)+\.env.*` (one-or-more segments) instead of `(.*/)?\.env.*` (zero-or-more). So `**/.env*` never matched `.env` sitting directly at the project root.

The fix stashes `**/` as a placeholder character (`\x01`) before any other processing, then expands it to `(.*/)?` last, after all `*` and `?` substitutions are done.

2. `glob` tool not filtering results

Even if the wildcard was correct, the glob tool was returning all ripgrep matches without checking read deny rules on the result paths. Fixed by filtering the file list against `ctx.evaluate({ permission: "read", pattern: relPath })` before output.

3. `grep` tool not filtering results

Same issue — grep result rows weren't checked against read deny rules. Fixed the same way.

To wire up the filtering, I added an `evaluate()` method to `Tool.Context` that does a silent, synchronous permission check against static config rules only (unlike `ask()` which also includes runtime-approved rules and triggers the UI).

How did you verify your code works?

- `packages/core/test/util/wildcard.test.ts` specifically for `**/` root-level matching
- `packages/opencode/test/permission/file-pattern.test.ts` covering the full scenario from the issue: `Permission.fromConfig({ read: { "**/.env*": "deny" } })` now correctly denies `.env`, `.env.local` at root and in subdirectories, and the glob/grep filtering logic works correctly

Screenshots / recordings

N/A — not a UI change

Checklist
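As an added illustration (not code from the opencode repository or from this PR), the TypeScript below shows the pass-ordering hazard the description explains and the result filtering it wires up. `naiveToRegex` substitutes `*` before giving `**/` any special treatment, so `**/` becomes `.*.*/`, a `/` becomes mandatory, and a root-level `.env` never matches; this reproduces the symptom, not necessarily the exact transformation in `wildcard.ts`. `fixedToRegex` follows the approach the PR describes: stash `**/` as `\x01`, run the `*` and `?` passes, and expand the placeholder to `(.*/)?` last. The same matcher then drives a silent read-deny check over a constructed list of ripgrep-style results, in the spirit of `ctx.evaluate()`; the rule shape, last-match-wins precedence, and the `evaluate` / `filterDenied` names are assumptions of this example.

```typescript
// Added example, not opencode's own code. Demonstrates why "**/" must be
// stashed before the "*" and "?" passes, and how a read-deny ruleset filters
// glob/grep result paths.

const PLACEHOLDER = "\x01"; // stands in for "**/" until every other pass has run

// Escape regex metacharacters but leave the glob metacharacters * and ? alone.
function escapeRegex(s: string): string {
  return s.replace(/[.+^${}()|[\]\\]/g, "\\$&");
}

// Naive order: "*" is expanded with no special handling for "**/", so the
// pattern "**/.env*" becomes ^.*.*/\.env.*$ and a "/" is required. Root-level
// files can never match.
function naiveToRegex(pattern: string): RegExp {
  const body = escapeRegex(pattern).replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${body}$`);
}

// Fixed order (as described in the PR): stash "**/" first, run the * and ?
// passes, then expand the placeholder to "(.*/)?" last so those passes cannot
// corrupt the "*" and "?" inside the already-expanded fragment.
function fixedToRegex(pattern: string): RegExp {
  const body = escapeRegex(pattern.split("**/").join(PLACEHOLDER))
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".")
    .split(PLACEHOLDER)
    .join("(.*/)?");
  return new RegExp(`^${body}$`);
}

type Action = "allow" | "deny";
type Rules = { read?: Record<string, Action> };

// Silent, synchronous check over static rules only (assumed semantics:
// last matching rule wins, and no matching rule means "allow").
function evaluate(
  rules: Rules,
  permission: "read",
  relPath: string,
  toRegex: (p: string) => RegExp = fixedToRegex,
): Action {
  const table: Record<string, Action> = rules[permission] ?? {};
  let result: Action = "allow";
  for (const [pattern, action] of Object.entries(table)) {
    if (toRegex(pattern).test(relPath)) result = action;
  }
  return result;
}

// What a glob/grep tool does with its candidate paths before returning them:
// drop every path whose worktree-relative form hits a read deny rule.
function filterDenied(
  rules: Rules,
  relPaths: string[],
  toRegex: (p: string) => RegExp = fixedToRegex,
): string[] {
  return relPaths.filter((p) => evaluate(rules, "read", p, toRegex) !== "deny");
}

// Constructed sample ruleset and a constructed ripgrep-style result list.
const SAMPLE_RULES: Rules = { read: { "**/.env*": "deny" } };
const SAMPLE_RESULTS = [".env", ".env.local", "packages/app/.env", "README.md", "src/index.ts"];

// With the fixed matcher only the non-secret files survive.
function demoFixed(): string[] {
  return filterDenied(SAMPLE_RULES, SAMPLE_RESULTS, fixedToRegex);
}

// With the naive matcher the root-level .env files leak through the filter.
function demoNaive(): string[] {
  return filterDenied(SAMPLE_RULES, SAMPLE_RESULTS, naiveToRegex);
}

console.log("fixed :", demoFixed());
console.log("naive :", demoNaive());
```

Note that the filter runs on the worktree-relative path; feeding it an absolute path would let `**/` swallow the prefix but would also make root-level rules such as `.env` (without `**/`) silently miss, so normalise before evaluating.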