runCommand -> removeQuarantine

ethanndickson · ethanndickson · commit 05aa65f17300 · 2025-05-15T13:59:42.000+10:00
diff --git a/Coder-Desktop/Coder-DesktopHelper/HelperXPCProtocol.swift b/Coder-Desktop/Coder-DesktopHelper/HelperXPCProtocol.swift
@@ -1,5 +1,5 @@
 import Foundation
 
 @objc protocol HelperXPCProtocol {
-    func runCommand(command: String, withReply reply: @escaping (Int32, String) -> Void)
+    func removeQuarantine(path: String, withReply reply: @escaping (Int32, String) -> Void)
 }
diff --git a/Coder-Desktop/Coder-DesktopHelper/main.swift b/Coder-Desktop/Coder-DesktopHelper/main.swift
@@ -22,19 +22,25 @@ class HelperToolDelegate: NSObject, NSXPCListenerDelegate, HelperXPCProtocol {
         return true
     }
 
-    func runCommand(command: String, withReply reply: @escaping (Int32, String) -> Void) {
+    func removeQuarantine(path: String, withReply reply: @escaping (Int32, String) -> Void) {
+        guard isCoderDesktopDylib(at: path) else {
+            reply(1, "Path is not to a Coder Desktop dylib: \(path)")
+            return
+        }
+
         let task = Process()
         let pipe = Pipe()
 
         task.standardOutput = pipe
         task.standardError = pipe
-        task.arguments = ["-c", command]
+        task.arguments = ["-c", "xattr -d com.apple.quarantine '\(path)'"]
         task.executableURL = URL(fileURLWithPath: "/bin/bash")
 
         do {
             try task.run()
         } catch {
             reply(1, "Failed to start command: \(error)")
+            return
         }
 
         let data = pipe.fileHandleForReading.readDataToEndOfFile()
@@ -45,6 +51,20 @@ class HelperToolDelegate: NSObject, NSXPCListenerDelegate, HelperXPCProtocol {
     }
 }
 
+func isCoderDesktopDylib(at rawPath: String) -> Bool {
+    let url = URL(fileURLWithPath: rawPath)
+        .standardizedFileURL
+        .resolvingSymlinksInPath()
+
+    // *Must* be within the Coder Desktop System Extension sandbox
+    let requiredPrefix = ["/", "var", "root", "Library", "Containers",
+                          "com.coder.Coder-Desktop.VPN"]
+    guard url.pathComponents.starts(with: requiredPrefix) else { return false }
+    guard url.pathExtension.lowercased() == "dylib" else { return false }
+    guard FileManager.default.fileExists(atPath: url.path) else { return false }
+    return true
+}
+
 let delegate = HelperToolDelegate()
 let listener = NSXPCListener(machServiceName: "4399GN35BJ.com.coder.Coder-Desktop.Helper")
 listener.delegate = delegate
diff --git a/Coder-Desktop/VPN/HelperXPCSpeaker.swift b/Coder-Desktop/VPN/HelperXPCSpeaker.swift
@@ -16,7 +16,7 @@ final class HelperXPCSpeaker: @unchecked Sendable {
                 continuation.resume(returning: false)
                 return
             }
-            proxy.runCommand(command: "xattr -d com.apple.quarantine \(path)") { status, output in
+            proxy.removeQuarantine(path: path) { status, output in
                 if status == 0 {
                     self.logger.info("Successfully removed quarantine for \(path)")
                     continuation.resume(returning: true)

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`import Foundation`
`2`	`2`
`3`	`3`	`@objc protocol HelperXPCProtocol {`
`4`		`- func runCommand(command: String, withReply reply: @escaping (Int32, String) -> Void)`
	`4`	`+ func removeQuarantine(path: String, withReply reply: @escaping (Int32, String) -> Void)`
`5`	`5`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ final class HelperXPCSpeaker: @unchecked Sendable {`
`16`	`16`	`continuation.resume(returning: false)`
`17`	`17`	`return`
`18`	`18`	`}`
`19`		`- proxy.runCommand(command: "xattr -d com.apple.quarantine \(path)") { status, output in`
	`19`	`+ proxy.removeQuarantine(path: path) { status, output in`
`20`	`20`	`if status == 0 {`
`21`	`21`	`self.logger.info("Successfully removed quarantine for \(path)")`
`22`	`22`	`continuation.resume(returning: true)`