ggen-cli-validation 5.1.2

IO validation and security for ggen CLI operations
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252

//! Security and permission model for CLI operations
//!
//! Implements a permission-based security model for validating
//! read, write, and execute operations.

use crate::error::{Result, ValidationError};
use std::path::{Path, PathBuf};

/// Permission types for operations
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Permission {
    /// Read permission
    Read,
    /// Write permission
    Write,
    /// Execute permission (for running commands)
    Execute,
}

/// Permission model for validating operations
#[derive(Debug, Clone)]
pub struct PermissionModel {
    /// Allowed read paths (patterns)
    allowed_read_paths: Vec<PathBuf>,
    /// Allowed write paths (patterns)
    allowed_write_paths: Vec<PathBuf>,
    /// Sandbox root (if enabled)
    sandbox_root: Option<PathBuf>,
    /// Environment variable restrictions
    restricted_env_vars: Vec<String>,
}

impl Default for PermissionModel {
    fn default() -> Self {
        Self::new()
    }
}

impl PermissionModel {
    /// Create a new permission model with permissive default settings
    /// Allows all operations unless explicitly restricted by sandbox
    #[must_use]
    pub fn new() -> Self {
        Self {
            allowed_read_paths: vec![],  // Empty means allow all
            allowed_write_paths: vec![], // Empty means allow all
            sandbox_root: None,
            restricted_env_vars: vec!["PATH".to_string(), "HOME".to_string(), "USER".to_string()],
        }
    }

    /// Enable sandbox mode with a root directory
    #[must_use]
    pub fn with_sandbox(mut self, root: PathBuf) -> Self {
        self.sandbox_root = Some(root);
        self
    }

    /// Add allowed read path
    #[must_use]
    pub fn allow_read(mut self, path: PathBuf) -> Self {
        self.allowed_read_paths.push(path);
        self
    }

    /// Add allowed write path
    #[must_use]
    pub fn allow_write(mut self, path: PathBuf) -> Self {
        self.allowed_write_paths.push(path);
        self
    }

    /// Check if a path is allowed for the given permission
    pub fn check_permission(&self, path: &Path, permission: Permission) -> Result<()> {
        // First check path traversal
        self.check_path_traversal(path)?;

        // Check sandbox constraints
        if let Some(sandbox_root) = &self.sandbox_root {
            self.check_sandbox(path, sandbox_root)?;
        }

        // Check specific permission
        match permission {
            Permission::Read => self.check_read_permission(path),
            Permission::Write => self.check_write_permission(path),
            Permission::Execute => Ok(()), // Execute permissions handled separately
        }
    }

    /// Check for path traversal attempts
    fn check_path_traversal(&self, path: &Path) -> Result<()> {
        let path_str = path.to_string_lossy();

        // Check for dangerous path traversal patterns (../ going up directories)
        if path_str.contains("../") || path_str.starts_with("..") {
            return Err(ValidationError::PathTraversal {
                path: path_str.to_string(),
            });
        }

        Ok(())
    }

    /// Check sandbox constraints
    fn check_sandbox(&self, path: &Path, sandbox_root: &Path) -> Result<()> {
        let canonical_path = path.canonicalize().or_else(|_| {
            // If path doesn't exist yet, check parent
            path.parent()
                .and_then(|p| p.canonicalize().ok())
                .ok_or(ValidationError::InvalidPath {
                    path: path.display().to_string(),
                    reason: "Cannot canonicalize path".to_string(),
                })
        })?;

        let canonical_root =
            sandbox_root
                .canonicalize()
                .map_err(|e| ValidationError::InvalidPath {
                    path: sandbox_root.display().to_string(),
                    reason: format!("Cannot canonicalize sandbox root: {e}"),
                })?;

        if !canonical_path.starts_with(&canonical_root) {
            return Err(ValidationError::SandboxViolation {
                reason: format!(
                    "Path {} is outside sandbox {}",
                    canonical_path.display(),
                    canonical_root.display()
                ),
            });
        }

        Ok(())
    }

    /// Check read permission for path
    fn check_read_permission(&self, path: &Path) -> Result<()> {
        if self.is_path_allowed(path, &self.allowed_read_paths) {
            Ok(())
        } else {
            Err(ValidationError::PermissionDenied {
                operation: "read".to_string(),
                path: path.display().to_string(),
            })
        }
    }

    /// Check write permission for path
    fn check_write_permission(&self, path: &Path) -> Result<()> {
        if self.is_path_allowed(path, &self.allowed_write_paths) {
            Ok(())
        } else {
            Err(ValidationError::PermissionDenied {
                operation: "write".to_string(),
                path: path.display().to_string(),
            })
        }
    }

    /// Check if path matches any allowed patterns
    /// Empty allowed_paths means allow all (permissive default)
    fn is_path_allowed(&self, path: &Path, allowed_paths: &[PathBuf]) -> bool {
        if allowed_paths.is_empty() {
            return true; // Permissive default
        }
        allowed_paths.iter().any(|allowed| {
            // Simple prefix matching for now
            path.starts_with(allowed)
        })
    }

    /// Check if environment variable is restricted
    #[must_use]
    pub fn is_env_var_restricted(&self, var: &str) -> bool {
        self.restricted_env_vars.contains(&var.to_string())
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::env;

    #[test]
    fn test_default_permission_model() {
        let model = PermissionModel::new();
        assert!(model.sandbox_root.is_none());
        // Permissive default - empty paths mean allow all
        assert!(model.allowed_read_paths.is_empty());
    }

    #[test]
    fn test_path_traversal_detection() {
        let model = PermissionModel::new();
        let traversal_path = Path::new("../../../etc/passwd");

        let result = model.check_path_traversal(traversal_path);
        assert!(result.is_err());
    }

    #[test]
    fn test_sandbox_enforcement() {
        let temp_dir = env::temp_dir();
        let model = PermissionModel::new().with_sandbox(temp_dir.clone());

        // Path inside sandbox should be allowed
        let inside_path = temp_dir.join("test.txt");
        assert!(model.check_sandbox(&inside_path, &temp_dir).is_ok());

        // Path outside sandbox should be denied
        let outside_path = Path::new("/etc/passwd");
        assert!(model.check_sandbox(outside_path, &temp_dir).is_err());
    }

    #[test]
    fn test_read_write_permissions() {
        // Create restrictive model with specific allowed paths
        let mut model = PermissionModel::new();
        model.allowed_read_paths = vec![PathBuf::from("./src")];
        model.allowed_write_paths = vec![PathBuf::from("./target")];

        // Read permission - allowed
        assert!(model
            .check_permission(Path::new("./src/lib.rs"), Permission::Read)
            .is_ok());

        // Write permission - allowed
        assert!(model
            .check_permission(Path::new("./target/output"), Permission::Write)
            .is_ok());

        // Read permission - denied (not in allowed paths)
        assert!(model
            .check_permission(Path::new("./target/lib.rs"), Permission::Read)
            .is_err());

        // Write permission - denied (not in allowed paths)
        assert!(model
            .check_permission(Path::new("./src/output"), Permission::Write)
            .is_err());
    }

    #[test]
    fn test_env_var_restrictions() {
        let model = PermissionModel::new();
        assert!(model.is_env_var_restricted("PATH"));
        assert!(model.is_env_var_restricted("HOME"));
        assert!(!model.is_env_var_restricted("MY_CUSTOM_VAR"));
    }
}