fix: permission checks not enforcing deny settings

Author: rekram1-node

.opencode/opencode.jsonc

@@ -8,4 +8,7 @@
       },
     },
   },
+  "permission": {
+    "external_directory": "ask"
+  }
 }

packages/opencode/src/agent/agent.ts

@@ -250,8 +250,8 @@ function mergeAgentPermissions(basePermission: any, overridePermission: any): Ag
     edit: merged.edit ?? "allow",
     webfetch: merged.webfetch ?? "allow",
     bash: mergedBash ?? { "*": "allow" },
-    doom_loop: merged.doom_loop,
-    external_directory: merged.external_directory,
+    doom_loop: merged.doom_loop ?? "ask",
+    external_directory: merged.external_directory ?? "ask",
   }
 
   return result

packages/opencode/src/session/processor.ts

@@ -147,7 +147,10 @@ export namespace SessionProcessor {
                       )
                     ) {
                       const permission = await Agent.get(input.assistantMessage.mode).then((x) => x.permission)
-                      if (permission.doom_loop === "ask") {
+                      // Secure default: only allow if explicitly set to "allow" or "ask"
+                      if (permission.doom_loop === "allow") {
+                        // Explicitly allowed, proceed
+                      } else if (permission.doom_loop === "ask") {
                         await Permission.ask({
                           type: "doom_loop",
                           pattern: value.toolName,
@@ -160,6 +163,11 @@ export namespace SessionProcessor {
                             input: value.input,
                           },
                         })
+                      } else {
+                        // Default deny for "deny", undefined, null, or any other value
+                        throw new Error(
+                          `Permission denied: Possible doom loop detected - "${value.toolName}" called ${DOOM_LOOP_THRESHOLD} times with identical arguments`,
+                        )
                       }
                     }
                   }

packages/opencode/src/tool/bash.ts

@@ -108,12 +108,10 @@ export const BashTool = Tool.define("bash", {
       // always allow cd if it passes above check
       if (command[0] !== "cd") {
         const action = Wildcard.allStructured({ head: command[0], tail: command.slice(1) }, permissions)
-        if (action === "deny") {
-          throw new Error(
-            `The user has specifically restricted access to this command, you are not allowed to execute it. Here is the configuration: ${JSON.stringify(permissions)}`,
-          )
-        }
-        if (action === "ask") {
+        // Secure default: only allow if explicitly set to "allow" or "ask"
+        if (action === "allow") {
+          // Explicitly allowed, proceed
+        } else if (action === "ask") {
           const pattern = (() => {
             if (command.length === 0) return
             const head = command[0]
@@ -124,6 +122,11 @@ export const BashTool = Tool.define("bash", {
           if (pattern) {
             askPatterns.add(pattern)
           }
+        } else {
+          // Default deny for "deny", undefined, null, or any other value
+          throw new Error(
+            `Permission denied: Command not allowed by bash permissions. Command: ${command[0]}. Configuration: ${JSON.stringify(permissions)}`,
+          )
         }
       }
     }

packages/opencode/src/tool/edit.ts

@@ -44,7 +44,10 @@ export const EditTool = Tool.define("edit", {
     const filePath = path.isAbsolute(params.filePath) ? params.filePath : path.join(Instance.directory, params.filePath)
     if (!Filesystem.contains(Instance.directory, filePath)) {
       const parentDir = path.dirname(filePath)
-      if (agent.permission.external_directory === "ask") {
+      // Secure default: only allow if explicitly set to "allow" or "ask"
+      if (agent.permission.external_directory === "allow") {
+        // Explicitly allowed, proceed
+      } else if (agent.permission.external_directory === "ask") {
         await Permission.ask({
           type: "external_directory",
           pattern: parentDir,
@@ -57,6 +60,9 @@ export const EditTool = Tool.define("edit", {
             parentDir,
           },
         })
+      } else {
+        // Default deny for "deny", undefined, null, or any other value
+        throw new Error(`Permission denied: Cannot edit file outside working directory: ${filePath}`)
       }
     }
 
@@ -67,7 +73,10 @@ export const EditTool = Tool.define("edit", {
       if (params.oldString === "") {
         contentNew = params.newString
         diff = trimDiff(createTwoFilesPatch(filePath, filePath, contentOld, contentNew))
-        if (agent.permission.edit === "ask") {
+        // Secure default: only allow if explicitly set to "allow" or "ask"
+        if (agent.permission.edit === "allow") {
+          // Explicitly allowed, proceed
+        } else if (agent.permission.edit === "ask") {
           await Permission.ask({
             type: "edit",
             sessionID: ctx.sessionID,
@@ -79,6 +88,9 @@ export const EditTool = Tool.define("edit", {
               diff,
             },
           })
+        } else {
+          // Default deny for "deny", undefined, null, or any other value
+          throw new Error(`Permission denied: Cannot edit file: ${filePath}`)
         }
         await Bun.write(filePath, params.newString)
         await Bus.publish(File.Event.Edited, {
@@ -98,7 +110,10 @@ export const EditTool = Tool.define("edit", {
       diff = trimDiff(
         createTwoFilesPatch(filePath, filePath, normalizeLineEndings(contentOld), normalizeLineEndings(contentNew)),
       )
-      if (agent.permission.edit === "ask") {
+      // Secure default: only allow if explicitly set to "allow" or "ask"
+      if (agent.permission.edit === "allow") {
+        // Explicitly allowed, proceed
+      } else if (agent.permission.edit === "ask") {
         await Permission.ask({
           type: "edit",
           sessionID: ctx.sessionID,
@@ -110,6 +125,9 @@ export const EditTool = Tool.define("edit", {
             diff,
           },
         })
+      } else {
+        // Default deny for "deny", undefined, null, or any other value
+        throw new Error(`Permission denied: Cannot edit file: ${filePath}`)
       }
 
       await file.write(contentNew)

packages/opencode/src/tool/patch.ts

@@ -55,7 +55,10 @@ export const PatchTool = Tool.define("patch", {
 
       if (!Filesystem.contains(Instance.directory, filePath)) {
         const parentDir = path.dirname(filePath)
-        if (agent.permission.external_directory === "ask") {
+        // Secure default: only allow if explicitly set to "allow" or "ask"
+        if (agent.permission.external_directory === "allow") {
+          // Explicitly allowed, proceed
+        } else if (agent.permission.external_directory === "ask") {
           await Permission.ask({
             type: "external_directory",
             pattern: parentDir,
@@ -68,6 +71,9 @@ export const PatchTool = Tool.define("patch", {
               parentDir,
             },
           })
+        } else {
+          // Default deny for "deny", undefined, null, or any other value
+          throw new Error(`Permission denied: Cannot patch file outside working directory: ${filePath}`)
         }
       }
 
@@ -141,7 +147,10 @@ export const PatchTool = Tool.define("patch", {
     }
 
     // Check permissions if needed
-    if (agent.permission.edit === "ask") {
+    // Secure default: only allow if explicitly set to "allow" or "ask"
+    if (agent.permission.edit === "allow") {
+      // Explicitly allowed, proceed
+    } else if (agent.permission.edit === "ask") {
       await Permission.ask({
         type: "edit",
         sessionID: ctx.sessionID,
@@ -152,6 +161,9 @@ export const PatchTool = Tool.define("patch", {
           diff: totalDiff,
         },
       })
+    } else {
+      // Default deny for "deny", undefined, null, or any other value
+      throw new Error(`Permission denied: Cannot apply patch to ${fileChanges.length} files`)
     }
 
     // Apply the changes

packages/opencode/src/tool/read.ts

@@ -33,7 +33,10 @@ export const ReadTool = Tool.define("read", {
 
     if (!ctx.extra?.["bypassCwdCheck"] && !Filesystem.contains(Instance.directory, filepath)) {
       const parentDir = path.dirname(filepath)
-      if (agent.permission.external_directory === "ask") {
+      // Secure default: only allow if explicitly set to "allow" or "ask"
+      if (agent.permission.external_directory === "allow") {
+        // Explicitly allowed, proceed
+      } else if (agent.permission.external_directory === "ask") {
         await Permission.ask({
           type: "external_directory",
           pattern: parentDir,
@@ -46,6 +49,9 @@ export const ReadTool = Tool.define("read", {
             parentDir,
           },
         })
+      } else {
+        // Default deny for "deny", undefined, null, or any other value
+        throw new Error(`Permission denied: Cannot access file outside working directory: ${filepath}`)
       }
     }
 

packages/opencode/src/tool/write.ts

@@ -23,7 +23,10 @@ export const WriteTool = Tool.define("write", {
     const filepath = path.isAbsolute(params.filePath) ? params.filePath : path.join(Instance.directory, params.filePath)
     if (!Filesystem.contains(Instance.directory, filepath)) {
       const parentDir = path.dirname(filepath)
-      if (agent.permission.external_directory === "ask") {
+      // Secure default: only allow if explicitly set to "allow" or "ask"
+      if (agent.permission.external_directory === "allow") {
+        // Explicitly allowed, proceed
+      } else if (agent.permission.external_directory === "ask") {
         await Permission.ask({
           type: "external_directory",
           pattern: parentDir,
@@ -36,14 +39,20 @@ export const WriteTool = Tool.define("write", {
             parentDir,
           },
         })
+      } else {
+        // Default deny for "deny", undefined, null, or any other value
+        throw new Error(`Permission denied: Cannot write file outside working directory: ${filepath}`)
       }
     }
 
     const file = Bun.file(filepath)
     const exists = await file.exists()
     if (exists) await FileTime.assert(ctx.sessionID, filepath)
 
-    if (agent.permission.edit === "ask")
+    // Secure default: only allow if explicitly set to "allow" or "ask"
+    if (agent.permission.edit === "allow") {
+      // Explicitly allowed, proceed
+    } else if (agent.permission.edit === "ask") {
       await Permission.ask({
         type: "write",
         sessionID: ctx.sessionID,
@@ -56,6 +65,10 @@ export const WriteTool = Tool.define("write", {
           exists,
         },
       })
+    } else {
+      // Default deny for "deny", undefined, null, or any other value
+      throw new Error(`Permission denied: Cannot write file: ${filepath}`)
+    }
 
     await Bun.write(filepath, params.content)
     await Bus.publish(File.Event.Edited, {