Function is_default_safe_fix

pub fn is_default_safe_fix(patch: &FixPatch) -> bool

Audit #7: default safelist for FixPatch::RunCommand.

Sensors emitting RunCommand patches would otherwise be a silent arbitrary-code-execution channel. We restrict the program by name to a short list of well-known, side-effect-bounded formatters/fixers. Anything else returns false and the patch is rejected (write your own PreAutoFix hook returning HookOutcome::Allow to widen the policy).

ReplaceFile and UnifiedDiff are not restricted here — they only touch files inside the workspace and are covered by the symlink-safe path resolution in harness-tools-fs.
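The following is an added illustration of the safelist policy described above; it is not the crate's own code. The variant fields of FixPatch, the HookOutcome variants other than Allow, the PreAutoFix hook signature and the safelist entries (rustfmt, prettier, gofmt, black) are all assumptions made for the example. It also goes one step beyond the description by rejecting any RunCommand whose program is given as a path rather than a bare name, so that a workspace-local binary cannot shadow a safelisted tool, and shows a minimal hook that widens the policy for one additional program.

```rust
/// Assumed shape of the patch type; the real crate's fields are not shown on the page.
#[derive(Debug, Clone)]
pub enum FixPatch {
    ReplaceFile { path: String, contents: String },
    UnifiedDiff { diff: String },
    RunCommand { program: String, args: Vec<String> },
}

/// Assumed hook result; only `Allow` is named on the page.
#[derive(Debug, PartialEq)]
pub enum HookOutcome {
    Allow,
    Deny,
}

/// Assumed safelist of side-effect-bounded formatters/fixers (example values).
const SAFE_PROGRAMS: &[&str] = &["rustfmt", "prettier", "gofmt", "black"];

/// Default policy: file-level patches are always accepted here (they are
/// confined to the workspace by path resolution elsewhere); RunCommand is
/// accepted only when the program is a bare, safelisted name.
pub fn is_default_safe_fix(patch: &FixPatch) -> bool {
    match patch {
        FixPatch::ReplaceFile { .. } | FixPatch::UnifiedDiff { .. } => true,
        FixPatch::RunCommand { program, .. } => {
            // A path component (./rustfmt, /tmp/rustfmt, ..\rustfmt) means the
            // name would no longer identify the well-known tool, so reject it.
            if program.is_empty() || program.contains('/') || program.contains('\\') {
                return false;
            }
            SAFE_PROGRAMS.contains(&program.as_str())
        }
    }
}

/// Assumed hook signature: a PreAutoFix hook that widens the default policy
/// by additionally allowing one named program, and otherwise defers to the
/// default safelist.
pub fn pre_auto_fix_widened(patch: &FixPatch, extra_program: &str) -> HookOutcome {
    let widened = match patch {
        FixPatch::RunCommand { program, .. } => {
            !program.contains('/') && !program.contains('\\') && program == extra_program
        }
        _ => false,
    };
    if widened || is_default_safe_fix(patch) {
        HookOutcome::Allow
    } else {
        HookOutcome::Deny
    }
}

fn main() {
    // Constructed sample patches for a stand-alone run.
    let samples = [
        FixPatch::RunCommand { program: "rustfmt".into(), args: vec!["src/lib.rs".into()] },
        FixPatch::RunCommand { program: "sh".into(), args: vec!["-c".into(), "true".into()] },
        FixPatch::RunCommand { program: "./rustfmt".into(), args: vec![] },
        FixPatch::UnifiedDiff { diff: "--- a/x\n+++ b/x\n".into() },
    ];
    for p in &samples {
        println!("{:?} -> default safe: {}", p, is_default_safe_fix(p));
    }
}
```

The bare-name check is the part worth keeping even if the safelist itself changes: matching on the program string alone is only meaningful when that string cannot be redirected to a different executable by the sensor that emitted the patch.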