diff --git a/.Jules/sentinel.md b/.Jules/sentinel.md index 9db424c..bfb7bde 100644 --- a/.Jules/sentinel.md +++ b/.Jules/sentinel.md @@ -10,3 +10,7 @@ **Vulnerability:** Execution frameworks allowed untrusted automation configurations to open URLs with schemes like `file` and `x-apple.systempreferences`, effectively allowing arbitrary local execution or sandbox escapes via `NSWorkspace.shared.open`. **Learning:** `NSWorkspace.shared.open` delegates URL handling directly to the OS, executing system preferences panes or opening arbitrary files. Bounding allowed schemes is critical, and a strict blocklist is required when an allowlist is too restrictive for general automation. **Prevention:** Apply a strict blocklist for URL handlers (e.g. `file`, `x-apple.systempreferences`) at the core execution and validation levels when evaluating untrusted URL strings. +## 2026-06-25 - [Sandbox Escape via URL Handler Scheme expanded] +**Vulnerability:** Execution frameworks allowed untrusted automation configurations to open URLs with schemes like `shortcuts`, `terminal`, `ssh`, `telnet`, `vnc`, `ftp`, `smb`, `afp`, effectively allowing arbitrary local execution or sandbox escapes via `NSWorkspace.shared.open`. +**Learning:** Adding `file` and `x-apple.systempreferences` is not enough. Other local OS handlers (like `shortcuts://` or `terminal://`) can still perform actions directly from untrusted inputs without validation, acting as potential attack vectors. +**Prevention:** Apply a comprehensive blocklist for URL handlers containing all potentially dangerous schemes (e.g. `shortcuts`, `terminal`, `ssh`, `telnet`, `vnc`, `ftp`, `smb`, `afp`) at the core execution and validation levels when evaluating untrusted URL strings. diff --git a/TriggerKit/Sources/TriggerKitCore/AutomationProgram+Validation.swift b/TriggerKit/Sources/TriggerKitCore/AutomationProgram+Validation.swift index f84d4e2..4806fc0 100644 --- a/TriggerKit/Sources/TriggerKitCore/AutomationProgram+Validation.swift +++ b/TriggerKit/Sources/TriggerKitCore/AutomationProgram+Validation.swift @@ -2,7 +2,18 @@ import Foundation public enum AutomationSecurityPolicy { - public static let blockedURLSchemes: Set = ["file", "x-apple.systempreferences"] + public static let blockedURLSchemes: Set = [ + "file", + "x-apple.systempreferences", + "shortcuts", + "terminal", + "ssh", + "telnet", + "vnc", + "ftp", + "smb", + "afp" + ] } public struct AutomationValidationPolicy: Equatable, Sendable {