Source
ChatGPT security review feedback
Problem
validate_tool_path contains a #[cfg(test)] block that returns Ok(()) if SELFWARE_TEST_MODE is set, bypassing all path validation. Even under cfg(test), this normalizes the idea that safety checks are optional and is the kind of thing a security reviewer will screenshot.
Fix
Option A (recommended):
- Delete the env var bypass entirely
- For tests, inject a SafetyConfig with an allowlist rooted in a temp dir
- If E2E fixtures need bypass, hard-restrict to tests/e2e-projects/ with a compile-time flag
Option B (next-level — capability-based filesystem):
- Introduce a WorkspaceRoot capability (in the style of cap-std)
- Require every file tool to operate relative to it
- Path validation becomes structural — escaping is impossible by design
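A sketch of what Option B looks like, written as an added example for this issue rather than code from the project: a WorkspaceRoot capability that file tools must go through, with no environment-variable escape hatch, plus a temp_workspace fixture that plays the role of the Option A test SafetyConfig (an allowlist rooted in a temp dir). The PathError variants, the resolve/read_to_string/write API and the temp_workspace helper are assumptions of this example; it uses only std rather than cap-std so it runs stand-alone.

```rust
use std::fs;
use std::path::{Component, Path, PathBuf};

/// Errors a tool gets back instead of a silently accepted path (names assumed here).
#[derive(Debug, PartialEq)]
pub enum PathError {
    Absolute,     // tool supplied an absolute path or a drive prefix
    ParentEscape, // a `..` component appeared anywhere in the path
    OutsideRoot,  // after symlink resolution the target left the workspace
    Io(String),
}

/// Capability handle: holding one is the only way a tool touches the filesystem.
/// The root is canonicalized once so later containment checks compare real paths.
pub struct WorkspaceRoot {
    root: PathBuf,
}

impl WorkspaceRoot {
    pub fn open(dir: &Path) -> Result<Self, PathError> {
        let root = fs::canonicalize(dir).map_err(|e| PathError::Io(e.to_string()))?;
        Ok(WorkspaceRoot { root })
    }

    /// Map a tool-supplied relative path to an absolute path under the root.
    /// Lexical rules reject absolute paths and `..` outright; the canonicalize
    /// step then catches symlinks inside the workspace that point out of it.
    pub fn resolve(&self, rel: &str) -> Result<PathBuf, PathError> {
        let mut out = self.root.clone();
        for comp in Path::new(rel).components() {
            match comp {
                Component::Normal(seg) => out.push(seg),
                Component::CurDir => {}
                Component::ParentDir => return Err(PathError::ParentEscape),
                Component::RootDir | Component::Prefix(_) => return Err(PathError::Absolute),
            }
        }
        // Walk up to the deepest existing ancestor (the root itself always exists).
        // symlink_metadata, not exists(), so a dangling symlink is kept as the probe
        // and rejected by canonicalize instead of being written through.
        let mut probe = out.clone();
        while probe.symlink_metadata().is_err() {
            probe.pop();
        }
        let real = fs::canonicalize(&probe).map_err(|e| PathError::Io(e.to_string()))?;
        if !real.starts_with(&self.root) {
            return Err(PathError::OutsideRoot);
        }
        Ok(out)
    }

    pub fn read_to_string(&self, rel: &str) -> Result<String, PathError> {
        let p = self.resolve(rel)?;
        fs::read_to_string(p).map_err(|e| PathError::Io(e.to_string()))
    }

    pub fn write(&self, rel: &str, contents: &str) -> Result<(), PathError> {
        let p = self.resolve(rel)?;
        if let Some(parent) = p.parent() {
            fs::create_dir_all(parent).map_err(|e| PathError::Io(e.to_string()))?;
        }
        fs::write(p, contents).map_err(|e| PathError::Io(e.to_string()))
    }
}

/// Test fixture in the spirit of Option A: a fresh workspace under the OS temp dir.
/// Tests get a narrow capability; nothing in the environment can widen it.
pub fn temp_workspace(tag: &str) -> WorkspaceRoot {
    let dir = std::env::temp_dir().join(format!("selfware-ws-{}-{}", std::process::id(), tag));
    fs::create_dir_all(&dir).expect("create temp workspace");
    WorkspaceRoot::open(&dir).expect("open temp workspace")
}

fn main() {
    let ws = temp_workspace("demo");
    ws.write("notes/a.txt", "hello").unwrap();
    println!("{:?}", ws.read_to_string("notes/a.txt"));
    println!("{:?}", ws.resolve("../outside.txt"));
    println!("{:?}", ws.resolve("/etc/hosts"));
}
```

The point of the shape: a tool that only holds a WorkspaceRoot has no API for naming a path outside it, so the escape is ruled out by the type rather than by a check that a test-mode flag can switch off. The canonicalize step is still a check-then-use sequence; a real cap-std Dir closes that gap by resolving relative to an open directory handle, which is the reason to prefer it over this std-only sketch in production.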
Priority
P0 — credibility multiplier before public push
Labels
security, P0