🛡️ Sentinel: [HIGH] Fix Sandbox Escape via URL Handler Scheme #60

Merged
NSEvent merged 2 commits into main from sentinel-fix-url-scheme-vulnerability-1944738734155530959
Jun 18, 2026
NSEvent (Owner) commented Jun 17, 2026

🛡️ Sentinel: [HIGH] Fix Sandbox Escape via URL Handler Scheme

🚨 Severity: HIGH
💡 Vulnerability: Execution frameworks allowed untrusted automation configurations to open URLs with schemes like `file` and `x-apple.systempreferences`, effectively allowing arbitrary local execution or sandbox escapes via `NSWorkspace.shared.open`.
🎯 Impact: Attackers could use automation steps to execute local files or open system settings maliciously.
🔧 Fix: Added a strict blocklist for URL handlers (e.g. `file`, `x-apple.systempreferences`) at the core execution and validation levels when evaluating untrusted URL strings in `TriggerKit`.
✅ Verification: Statically verified the code changes to ensure the blocklist properly prevents `file` and `x-apple.systempreferences` execution.


PR created automatically by Jules for task 1944738734155530959 started by @NSEvent

Summary by CodeRabbit

  • Bug Fixes
    • Strengthened automation URL handling by blocking dangerous URL schemes (including file:// and system preference schemes) before any external opening occurs.
    • Added clear validation feedback when a disallowed URL scheme is detected, reducing the risk of sandbox escape via URL handler schemes.
  • Documentation
    • Updated the security sentinel record for 2026-06-16 to reflect the vulnerability and the implemented mitigation.

🚨 Severity: HIGH
💡 Vulnerability: Execution frameworks allowed untrusted automation configurations to open URLs with schemes like `file` and `x-apple.systempreferences`, effectively allowing arbitrary local execution or sandbox escapes via `NSWorkspace.shared.open`.
🎯 Impact: Attackers could use automation steps to execute local files or open system settings maliciously.
🔧 Fix: Added a strict blocklist for URL handlers (e.g. `file`, `x-apple.systempreferences`) at the core execution and validation levels when evaluating untrusted URL strings in `TriggerKit`.
✅ Verification: Statically verified the code changes to ensure the blocklist properly prevents `file` and `x-apple.systempreferences` execution.

Co-authored-by: NSEvent <44446865+NSEvent@users.noreply.github.com>

@google-labs-jules (Contributor)

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

coderabbitai Bot (Contributor) commented Jun 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 680edc05-f26c-47a1-971c-f58ca752b333

📥 Commits

Reviewing files that changed from the base of the PR and between d3337f1 and 6494f9c.

📒 Files selected for processing (2)
  • TriggerKit/Sources/TriggerKitCore/AutomationProgram+Validation.swift
  • TriggerKit/Sources/TriggerKitRuntime/AutomationExecutor.swift

🚧 Files skipped from review as they are similar to previous changes (1)
  • TriggerKit/Sources/TriggerKitCore/AutomationProgram+Validation.swift

📝 Walkthrough

A hardcoded blocklist of dangerous URL schemes (file, x-apple.systempreferences) is added at both the validation layer (AutomationProgram+Validation.swift) and the execution layer (AutomationExecutor.swift). A sentinel doc entry records the vulnerability and the dual-layer mitigation strategy.

Changes

URL Scheme Blocklist for Sandbox Escape Prevention

| Layer / File(s) | Summary |
|---|---|
| Validation and execution scheme blocklist: `TriggerKit/Sources/TriggerKitCore/AutomationProgram+Validation.swift`, `TriggerKit/Sources/TriggerKitRuntime/AutomationExecutor.swift`, `.Jules/sentinel.md` | `AutomationSecurityPolicy` public enum defines `blockedURLSchemes` set; `AutomationProgram.validateURL` rejects blocked schemes with a `disallowedURLScheme` issue; `AutomationExecutor.openURL` adds an early guard returning a security failure before `NSWorkspace.shared.open` is reached; sentinel doc records the sandbox-escape vulnerability and dual-layer blocklist mitigation. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • NSEvent/xbox-controller-mapper#57: Implements the same pattern of restricting URL schemes before calling system URL-opening APIs, using an allowlist (http/https) where this PR uses a blocklist.

Poem

🐇 A rabbit guards the gate with care,
No file:// schemes shall pass from there!
x-apple knocked but was turned away,
The blocklist holds both night and day.
Hop safely through — the path is clear! 🛡️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: fixing a sandbox escape vulnerability via URL handler schemes. It is specific, concise, and directly related to the primary security fix across all modified files. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
πŸ“ Generate docstrings
  • Create stacked PR
  • Commit on current branch
πŸ§ͺ Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch sentinel-fix-url-scheme-vulnerability-1944738734155530959

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❀️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
TriggerKit/Sources/TriggerKitRuntime/AutomationExecutor.swift (1)

453-456: ⚑ Quick win

Centralize blocked URL schemes to avoid policy drift.

Line 453 duplicates the same security-critical scheme list already defined in validation. Move this set to a shared constant in TriggerKitCore and consume it in both layers so validation/runtime can't diverge over time.

Proposed direction
- let blockedSchemes: Set<String> = ["file", "x-apple.systempreferences"]
- if blockedSchemes.contains(scheme) {
+ if URLSchemeSecurity.blocked.contains(scheme) {
    return .failure("URL scheme blocked for security: \(scheme)")
  }
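Review bot: The `contains(scheme)` lookup on the added line is an exact string match against lowercase entries, and nothing in this hunk shows `scheme` being normalized first. URL schemes are case-insensitive, so unless the caller already lowercases it, compare `scheme.lowercased()` here and in the validation layer so a mixed-case spelling is treated the same as `file`. The removed line also shows the list holds only two schemes, so every other registered handler stays reachable; if automations only need web links, an allowlist is the tighter policy.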
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@TriggerKit/Sources/TriggerKitRuntime/AutomationExecutor.swift` around lines
453 - 456, The blockedSchemes set is hardcoded in the AutomationExecutor
security check and duplicated elsewhere in the validation layer, creating risk
of policy drift between the two layers. Extract the blockedSchemes Set as a
shared constant in TriggerKitCore and replace all hardcoded instances in
AutomationExecutor and the validation layer with references to this centralized
constant, ensuring both layers always consume the same security-critical scheme
list.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 816e3cab-9e43-40e4-9321-b81b9665bc79

📥 Commits

Reviewing files that changed from the base of the PR and between 214466f and d3337f1.

📒 Files selected for processing (3)
  • .Jules/sentinel.md
  • TriggerKit/Sources/TriggerKitCore/AutomationProgram+Validation.swift
  • TriggerKit/Sources/TriggerKitRuntime/AutomationExecutor.swift

NSEvent (Owner, Author) commented Jun 17, 2026

@jules Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @TriggerKit/Sources/TriggerKitRuntime/AutomationExecutor.swift:

  • Around line 453-456: The blockedSchemes set is hardcoded in the
    AutomationExecutor security check and duplicated elsewhere in the validation
    layer, creating risk of policy drift between the two layers. Extract the
    blockedSchemes Set as a shared constant in TriggerKitCore and replace all
    hardcoded instances in AutomationExecutor and the validation layer with
    references to this centralized constant, ensuring both layers always consume the
    same security-critical scheme list.

@google-labs-jules (Contributor)

@jules Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @TriggerKit/Sources/TriggerKitRuntime/AutomationExecutor.swift:

  • Around line 453-456: The blockedSchemes set is hardcoded in the
    AutomationExecutor security check and duplicated elsewhere in the validation
    layer, creating risk of policy drift between the two layers. Extract the
    blockedSchemes Set as a shared constant in TriggerKitCore and replace all
    hardcoded instances in AutomationExecutor and the validation layer with
    references to this centralized constant, ensuring both layers always consume the
    same security-critical scheme list.

I have extracted the blockedSchemes set into a centralized AutomationSecurityPolicy.blockedURLSchemes constant within TriggerKitCore. Both AutomationExecutor and the validation layer now reference this shared constant to ensure consistent security policy enforcement without risk of drift.

🚨 Severity: HIGH
💡 Vulnerability: Execution frameworks allowed untrusted automation configurations to open URLs with schemes like `file` and `x-apple.systempreferences`, effectively allowing arbitrary local execution or sandbox escapes via `NSWorkspace.shared.open`.
🎯 Impact: Attackers could use automation steps to execute local files or open system settings maliciously.
🔧 Fix: Added a strict blocklist for URL handlers (e.g. `file`, `x-apple.systempreferences`) at the core execution and validation levels when evaluating untrusted URL strings in `TriggerKit`. The blocklist is centralized in `AutomationSecurityPolicy`.
✅ Verification: Statically verified the code changes to ensure the blocklist properly prevents `file` and `x-apple.systempreferences` execution.

Co-authored-by: NSEvent <44446865+NSEvent@users.noreply.github.com>

NSEvent merged commit e119743 into main Jun 18, 2026
2 checks passed
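
The shared-policy arrangement this thread converges on, sketched as an added example that is not TriggerKit's code: the names `AutomationSecurityPolicy`, `blockedURLSchemes`, `validateURL`, `openURL` and `disallowedURLScheme` come from the discussion, while the signatures, the `vet` helper, the `opener` closure standing in for `NSWorkspace.shared.open`, and the sample URLs are assumptions. It lowercases the scheme before the lookup and opens the same parsed URL that was checked, so the two layers cannot disagree.

```swift
import Foundation

// Added illustration: type names follow the PR discussion, but every body and
// signature here is an assumption, not TriggerKit's source.
enum AutomationSecurityPolicy {
    /// Single shared list (stored lowercase) consumed by both layers.
    static let blockedURLSchemes: Set<String> = ["file", "x-apple.systempreferences"]

    enum Rejection: Error, Equatable {
        case invalid                      // unparseable or no scheme at all
        case disallowedURLScheme(String)
    }

    /// Parses once and returns the URL that was checked, so the caller opens
    /// exactly what was vetted. Schemes are case-insensitive, hence lowercased().
    static func vet(_ raw: String) -> Result<URL, Rejection> {
        let trimmed = raw.trimmingCharacters(in: .whitespacesAndNewlines)
        guard let url = URL(string: trimmed),
              let scheme = url.scheme?.lowercased() else {
            return .failure(.invalid)
        }
        if blockedURLSchemes.contains(scheme) {
            return .failure(.disallowedURLScheme(scheme))
        }
        return .success(url)
    }
}

/// Validation layer (hypothetical shape): collect issues when a program loads.
func validateURL(_ raw: String) -> [AutomationSecurityPolicy.Rejection] {
    if case .failure(let issue) = AutomationSecurityPolicy.vet(raw) { return [issue] }
    return []
}

/// Execution layer (hypothetical shape): re-check right before opening.
/// `opener` stands in for NSWorkspace.shared.open so the sketch needs no AppKit.
func openURL(_ raw: String, opener: (URL) -> Bool) -> String {
    switch AutomationSecurityPolicy.vet(raw) {
    case .failure(let why): return "blocked: \(why)"
    case .success(let url): return opener(url) ? "opened \(url.absoluteString)" : "open failed"
    }
}

// Constructed sample inputs, including a mixed-case scheme.
for raw in ["https://example.com/help", "FILE:///tmp/example.txt",
            "x-apple.systempreferences:com.apple.preference.security", "no scheme here"] {
    print(raw, "->", validateURL(raw), "|", openURL(raw) { _ in true })
}
```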