
Module safe_bin


Safe absolute-path resolution for external binaries we shell out to.

Defends against PATH injection (kimi-wave1 audit finding 3.PATH-x): Command::new("git") lets the user’s PATH decide which git we actually invoke. An attacker who can prepend a directory to PATH — a CI runner stage, a malicious dotfile, an override in ~/.config/fish/config.fish — substitutes their own binary. Since keyhog feeds the binary credential bytes (via env vars / argv / stdin during git scans), that’s a credential-exfil pivot.

This module enumerates a hardcoded allowlist of system binary directories and returns the FIRST match. Anything not in those dirs is refused. The allowlist is intentionally narrow — distro-shipped binaries only. If your environment legitimately needs a different path, set the KEYHOG_TRUSTED_BIN_DIR env var (colon-separated on Unix, semicolon-separated on Windows) — but be aware that anyone who can set that env var can already inject anyway, so the env-var path exists for ops convenience, not as a security boundary.

Functions

resolve_or_fallback
Resolve name or fall back to Command::new(name) semantics if nothing trusted was found. Intended for read-only / probe sites (hardware detection, version queries) where blocking the command would degrade UX more than the marginal risk warrants. Logs a warning so the operator knows the unsafe fallback fired.
resolve_safe_bin
Resolve a binary name to an absolute path inside one of the trusted system binary directories, defending against PATH injection. Returns None if the name is not found in any trusted dir (do NOT fall back to Command::new(name) — that’s exactly the bug).
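As an added illustration of the scheme described above and of the two functions listed (example code, not keyhog's own implementation): the concrete allowlist, the choice to append KEYHOG_TRUSTED_BIN_DIR entries after the hardcoded dirs, and the plain eprintln! warning in place of keyhog's logger are all assumptions.

```rust
use std::env;
use std::path::{Component, Path, PathBuf};

// Distro-shipped binary directories, searched in order; first hit wins.
// (Constructed allowlist for this example; keyhog's real list may differ.)
const TRUSTED_BIN_DIRS: &[&str] = &["/usr/bin", "/bin", "/usr/local/bin", "/usr/sbin", "/sbin"];

// Separator for KEYHOG_TRUSTED_BIN_DIR: ':' on Unix, ';' on Windows.
#[cfg(windows)]
const ENV_SEP: char = ';';
#[cfg(not(windows))]
const ENV_SEP: char = ':';

/// Hardcoded allowlist first, then any operator-supplied override dirs (assumed order).
fn trusted_dirs(override_var: Option<&str>) -> Vec<PathBuf> {
    let mut dirs: Vec<PathBuf> = TRUSTED_BIN_DIRS.iter().map(PathBuf::from).collect();
    if let Some(v) = override_var {
        dirs.extend(v.split(ENV_SEP).filter(|s| !s.is_empty()).map(PathBuf::from));
    }
    dirs
}

/// Core lookup. `name` must be a single plain path component, so "../git",
/// "/tmp/git", ".." or an empty string can never escape the trusted dirs.
fn resolve_in_dirs(name: &str, dirs: &[PathBuf]) -> Option<PathBuf> {
    let mut comps = Path::new(name).components();
    match (comps.next(), comps.next()) {
        (Some(Component::Normal(_)), None) => {}
        _ => return None,
    }
    // FIRST match wins; a later dir cannot shadow an earlier one.
    dirs.iter().map(|d| d.join(name)).find(|p| p.is_file())
}

/// Returns None when nothing trusted matches: callers must not fall back to Command::new(name).
pub fn resolve_safe_bin(name: &str) -> Option<PathBuf> {
    let over = env::var("KEYHOG_TRUSTED_BIN_DIR").ok();
    resolve_in_dirs(name, &trusted_dirs(over.as_deref()))
}

/// Probe-site variant: falls back to bare-name (PATH lookup) semantics, but says so loudly.
pub fn resolve_or_fallback(name: &str) -> PathBuf {
    resolve_safe_bin(name).unwrap_or_else(|| {
        eprintln!("warning: {} not in any trusted bin dir; falling back to PATH lookup", name);
        PathBuf::from(name)
    })
}
```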