From 7ea59fdc06596213d2d4a3554cf9936dd9f199ff Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Sun, 21 Jun 2026 08:43:29 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[Security?= =?UTF-8?q?=20Improvement]=20Add=20dangerous=20URL=20schemes=20to=20blockl?= =?UTF-8?q?ist?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Severity: LOW Vulnerability: Local/network execution apps like `shortcuts` and `terminal` were allowed in TriggerKit's URL opening commands. Impact: Potential for arbitrary application execution or sandbox escape if a malicious automation script uses `shortcuts://run-shortcut?name=Malicious` or `terminal://`. Fix: Expanded `AutomationSecurityPolicy.blockedURLSchemes` blocklist to include `shortcuts`, `terminal`, `ssh`, `telnet`, `vnc`, `ftp`, `smb`, and `afp`. Verification: Code statically analyzed to confirm addition to the set. Tests are assumed stable based on syntax check. Co-authored-by: NSEvent <44446865+NSEvent@users.noreply.github.com> --- .Jules/sentinel.md | 4 ++++ .../AutomationProgram+Validation.swift | 13 ++++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/.Jules/sentinel.md b/.Jules/sentinel.md index 9db424c..bfb7bde 100644 --- a/.Jules/sentinel.md +++ b/.Jules/sentinel.md 
@@ -10,3 +10,7 @@ **Vulnerability:** Execution frameworks allowed untrusted automation configurations to open URLs with schemes like `file` and `x-apple.systempreferences`, effectively allowing arbitrary local execution or sandbox escapes via `NSWorkspace.shared.open`. **Learning:** `NSWorkspace.shared.open` delegates URL handling directly to the OS, executing system preferences panes or opening arbitrary files. Bounding allowed schemes is critical, and a strict blocklist is required when an allowlist is too restrictive for general automation. **Prevention:** Apply a strict blocklist for URL handlers (e.g. `file`, `x-apple.systempreferences`) at the core execution and validation levels when evaluating untrusted URL strings. +## 2026-06-25 - [Sandbox Escape via URL Handler Scheme expanded] +**Vulnerability:** Execution frameworks allowed untrusted automation configurations to open URLs with schemes like `shortcuts`, `terminal`, `ssh`, `telnet`, `vnc`, `ftp`, `smb`, `afp`, effectively allowing arbitrary local execution or sandbox escapes via `NSWorkspace.shared.open`. +**Learning:** Adding `file` and `x-apple.systempreferences` is not enough. Other local OS handlers (like `shortcuts://` or `terminal://`) can still perform actions directly from untrusted inputs without validation, acting as potential attack vectors. +**Prevention:** Apply a comprehensive blocklist for URL handlers containing all potentially dangerous schemes (e.g. `shortcuts`, `terminal`, `ssh`, `telnet`, `vnc`, `ftp`, `smb`, `afp`) at the core execution and validation levels when evaluating untrusted URL strings. diff --git a/TriggerKit/Sources/TriggerKitCore/AutomationProgram+Validation.swift b/TriggerKit/Sources/TriggerKitCore/AutomationProgram+Validation.swift index f84d4e2..4806fc0 100644 --- a/TriggerKit/Sources/TriggerKitCore/AutomationProgram+Validation.swift +++ b/TriggerKit/Sources/TriggerKitCore/AutomationProgram+Validation.swift 
@@ -2,7 +2,18 @@ import Foundation public enum AutomationSecurityPolicy { - public static let blockedURLSchemes: Set = ["file", "x-apple.systempreferences"] + public static let blockedURLSchemes: Set = [ + "file", + "x-apple.systempreferences", + "shortcuts", + "terminal", + "ssh", + "telnet", + "vnc", + "ftp", + "smb", + "afp" + ] } public struct AutomationValidationPolicy: Equatable, Sendable {
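Review bot: In the `.Jules/sentinel.md` hunk, the new **Prevention** line asks for a blocklist "containing all potentially dangerous schemes", which an enumerated blocklist cannot guarantee. The **Learning** line directly above it already records that the earlier two-entry list (`file`, `x-apple.systempreferences`) was not enough. Suggest rewording so the entry states that the list is known to be incomplete and must be revisited whenever a new handler is found, or restating why an allowlist is still considered too restrictive, as the previous entry did. Separately, the new heading is dated 2026-06-25 while the commit header is dated 21 Jun 2026; the two should agree.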
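Review bot: In the `AutomationProgram+Validation.swift` hunk, every entry in `blockedURLSchemes` is lowercase, but URL schemes are case-insensitive and the code that consults this set is not part of the diff. Please confirm that the lookup normalizes the scheme to lowercase before testing membership, otherwise a mixed-case form such as `Shortcuts://` would not match `"shortcuts"`. The diffstat lists only two changed files and the commit message says tests are "assumed stable based on syntax check", so no test covers the change: add a unit test asserting that each of the eight new schemes is rejected, including one mixed-case variant, and a short comment on the set explaining why each group of schemes is blocked.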