
fix(permission): apply read filename deny rules consistently#16385

Closed
SergioChan wants to merge 2 commits into anomalyco:dev from SergioChan:fix/16331-read-permission

Conversation

@SergioChan

Issue for this PR

Closes #16331

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

read permission checks were evaluating absolute paths, while typical deny rules for sensitive files are configured as relative filename patterns (for example appsettings.json, appsettings.*.json).

This caused a mismatch where .env* rules still matched but exact filename rules like appsettings.json could be bypassed.

This PR aligns read with other file tools by evaluating the path relative to the project worktree before permission matching.

It also extends read permission tests to cover appsettings.json and appsettings.Development.json as denied/ask-protected cases.

How did you verify your code works?

I added targeted test coverage in packages/opencode/test/tool/read.test.ts for appsettings.json patterns.

I could not run Bun tests in this environment because bun is not installed (bun: command not found).

Screenshots / recordings

N/A (non-UI change)

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR
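To illustrate the mismatch the PR body describes, the following is an added TypeScript example, not code from the opencode project: a simplified stand-in matcher (assumption: `*` spans any run of characters, everything else is literal, whole-string match), a constructed deny list modelled on the patterns mentioned above, and the "before" check on the absolute path beside the "after" check on the worktree-relative path. It also denies paths that resolve outside the worktree, which is an added caveat beyond what the PR changes.

```typescript
import * as path from "node:path";

// Simplified stand-in for a permission rule matcher (assumption, not the
// project's own implementation): "*" matches any run of characters, all
// other characters match literally, and the whole candidate must match.
function wildcardMatch(pattern: string, candidate: string): boolean {
  const regexSource = pattern
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp(`^${regexSource}$`).test(candidate);
}

type Decision = "allow" | "deny";

// Before the fix: the matcher is handed the absolute path, so a rule written
// as a bare filename such as "appsettings.json" can never match.
export function decideReadAbsolute(absPath: string, denyRules: string[]): Decision {
  return denyRules.some((rule) => wildcardMatch(rule, absPath)) ? "deny" : "allow";
}

// After the fix: the path is made relative to the worktree first, so a bare
// filename rule matches a file at the worktree root.
export function decideReadRelative(
  worktree: string,
  absPath: string,
  denyRules: string[],
): Decision {
  const rel = path.relative(worktree, absPath);
  // Added caveat: a file outside the worktree yields "../..." here and would
  // never look like a filename-shaped rule, so deny it outright.
  if (rel === ".." || rel.startsWith(".." + path.sep)) return "deny";
  return denyRules.some((rule) => wildcardMatch(rule, rel)) ? "deny" : "allow";
}

// Constructed sample rule set and worktree, modelled on the PR description.
export const DENY_RULES = ["appsettings.json", "appsettings.*.json", "*.env*"];
export const WORKTREE = "/home/dev/project";
```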

@github-actions github-actions bot added the needs:compliance This means the issue will auto-close after 2 hours. label Mar 6, 2026
@github-actions
Contributor

github-actions bot commented Mar 6, 2026

This PR doesn't fully meet our contributing guidelines and PR template.

What needs to be fixed:

  • Not all checklist items are checked. Please confirm you have tested locally and have not included unrelated changes.

Please edit this PR description to address the above within 2 hours, or it will be automatically closed.

If you believe this was flagged incorrectly, please let a maintainer know.

@SergioChan
Author

Follow-up on issue-compliance check: I can’t run Bun-based local tests in this environment because is not installed ().

What I did verify:

  • Scope is minimal and issue-linked ()
  • Change is limited to permission filename deny-rule handling
  • No unrelated files were modified

If maintainers want, I can also push a small CI-only validation note in the PR body format they prefer.

@SergioChan
Author

Correction (previous comment had CLI quoting issues):

I can’t run Bun-based local tests in this environment because bun is not installed (/bin/bash: bun: command not found).

What I did verify:

  • Scope is minimal and issue-linked (Closes #16380)
  • Change is limited to permission filename deny-rule handling
  • No unrelated files were modified

If maintainers prefer a different PR-template handling for constrained environments, I can adjust the PR body accordingly.

@github-actions
Copy link
Contributor

github-actions bot commented Mar 6, 2026

This pull request has been automatically closed because it was not updated to meet our contributing guidelines within the 2-hour window.

Feel free to open a new pull request that follows our guidelines.

@github-actions github-actions bot removed the needs:compliance This means the issue will auto-close after 2 hours. label Mar 6, 2026
@github-actions github-actions bot closed this Mar 6, 2026