Skip to content

fix(glob): enforce permissions on matched files#35683

Open
fengjikui wants to merge 1 commit into
anomalyco:devfrom
fengjikui:glob-permission-paths
Open

fix(glob): enforce permissions on matched files#35683
fengjikui wants to merge 1 commit into
anomalyco:devfrom
fengjikui:glob-permission-paths

Conversation

@fengjikui

@fengjikui fengjikui commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Issue for this PR

Closes #35684

Related to #29674, but scoped only to glob result-path permission enforcement.

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

glob previously asked permission only for the requested glob pattern. If that broad pattern was allowed, path-scoped deny rules never saw the files returned by ripgrep, so denied paths could still appear in the tool output.

This PR keeps the existing pattern permission check and adds a second permission check for the unique worktree-relative matched file paths before formatting results.

This is a narrow result-path permission fix and does not change wildcard matching semantics.

How did you verify your code works?

  • bun test --timeout 30000 test/tool/glob.test.ts
  • bun test --timeout 30000 test/tool/glob.test.ts test/tool/grep.test.ts test/tool/read.test.ts test/permission/next.test.ts
  • bun test --timeout 30000 test/tool
  • bun typecheck from packages/opencode
  • bunx prettier --check packages/opencode/src/tool/glob.ts packages/opencode/test/tool/glob.test.ts
  • git diff --check
  • bun run lint (passes with existing warnings, 0 errors)
  • pre-push bun turbo typecheck (30/30 tasks passed)

Screenshots / recordings

Not a UI change.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

  1. Open an issue describing the bug/feature (if one doesn't exist)
  2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

The following comment was made by an LLM, it may be inaccurate:

Related PR Found

#35682 - fix(grep): enforce permissions on matched files

This is a closely related PR that applies the same permission enforcement pattern to the grep tool. Both PRs address the same issue (#29674) by adding result-path permission checks to prevent denied paths from appearing in tool output. These PRs appear to be implementing the same fix across different tools in parallel.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

glob tool ignores deny rules for matched file paths

1 participant