Severity: valid — behavior is correct, the specific test is missing.
Current protection holds:
- Paths are canonicalized before matching (policy.rs:1426, policy.rs:1443; resolves ..).
- is_always_forbidden blocks credential dirs.
- Traversal tests exist (policy_tests.rs:709 blocks ../../root/.ssh/..., ~/.ssh).
What is NOT tested is the reviewer's exact case: a granted trusted_root + .. escaping into ~/.ssh.
Action: add the regression test for that case. (The protection holds today; this just locks it in.)
(Origin: review comments #3 / #10.)
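The shape of the missing regression test, as an added illustration that is not the project's own code: a stand-alone, hypothetical is_allowed check that normalizes the requested path (resolving ..) before comparing it against the granted trusted_root and the always-forbidden credential directories, with a test that a grant on ~/project plus ../.ssh/id_rsa is rejected. The function names, the lexical normalize helper, and the /home/alice paths are assumptions made for this example; the real policy.rs canonicalization and is_always_forbidden logic are not reproduced here.

```rust
use std::path::{Component, Path, PathBuf};

/// Lexically resolve `.` and `..` without touching the filesystem.
/// Stand-in for the canonicalization step the review refers to; a real
/// implementation should also resolve symlinks (std::fs::canonicalize).
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            // `..` pops one component; popping at `/` is a no-op, so a path
            // cannot climb above the root.
            Component::ParentDir => {
                out.pop();
            }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Hypothetical policy check: the request is allowed only if, after
/// normalization, it still lies under `trusted_root` AND does not land
/// inside any always-forbidden directory (e.g. ~/.ssh).
fn is_allowed(trusted_root: &Path, requested: &Path, forbidden: &[PathBuf]) -> bool {
    let root = normalize(trusted_root);
    // `join` replaces `root` entirely if `requested` is absolute, so an
    // absolute request is checked on its own merits.
    let target = normalize(&root.join(requested));
    if !target.starts_with(&root) {
        return false; // escaped the granted root via `..` or an absolute path
    }
    if forbidden.iter().any(|f| target.starts_with(normalize(f))) {
        return false; // inside a credential directory, even if under the root
    }
    true
}

fn main() {
    // Constructed sample values for the demonstration.
    let home = Path::new("/home/alice");
    let root = home.join("project");
    let forbidden = vec![home.join(".ssh")];

    // The reviewer's case: granted trusted_root, `..` escaping into ~/.ssh.
    println!(
        "escape via ..      -> {}",
        is_allowed(&root, Path::new("../.ssh/id_rsa"), &forbidden)
    );
    // Root granted on ~ itself: still blocked by the forbidden list.
    println!(
        "forbidden dir      -> {}",
        is_allowed(home, Path::new(".ssh/id_rsa"), &forbidden)
    );
    // Benign `..` that stays inside the root is fine.
    println!(
        "benign ..          -> {}",
        is_allowed(&root, Path::new("src/../README.md"), &forbidden)
    );
}
```

The test covers both layers the review lists: the root-prefix check catches the `..` escape, and the forbidden-directory check catches the case where the grant itself is wide enough to include ~/.ssh. Because normalize here is purely lexical, a symlink inside the trusted root pointing at ~/.ssh would slip past it; that is the reason the project canonicalizes on the filesystem rather than lexically.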