Review ambient authority for directory access in glob.rs for improved security

[coderabbitai]

Security Improvement Suggestion

Review the use of ambient authority for directory access in glob.rs; if tighter sandboxing is possible (e.g. restricting to the manifest's directory), it would improve security and least-privilege adherence.

Context

Currently, the glob functionality in src/manifest/glob.rs may have broader directory access than necessary. Implementing tighter restrictions to limit access to only the manifest's directory would:

• Improve security posture by reducing attack surface
• Follow the principle of least privilege
• Provide better sandboxing for glob operations

Acceptance Criteria

• Review current directory access patterns in glob.rs
• Identify opportunities to restrict access to manifest directory only
• Implement sandboxing mechanisms if feasible
• Ensure no regression in legitimate glob functionality
• Update tests to verify security boundaries

References

• PR: Refactor manifest module into dedicated submodules #168
• Comment: Refactor manifest module into dedicated submodules #168 (comment)

Requested by: @leynos

[leynos]

@coderabbitai looking at the codebase, is this issue still relevant? If the issue has been fixed in the code, does the documentation reflect this?

If it is still relevant, please provide an assessment of the issue criticality (critical, high, medium or low), based on risk of the issue impacting the user and the anticipated blast radius.

Once a decision has been made, apply the appropriate label.

If the issue is documentation ONLY (i.e., no code changes needed), apply the documentation label in addition to the appropriate criticality label.

Please also provide an impact of the required changes.

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch the details of issue #173
gh issue view 173 --json title,body,labels,state

Length of output: 1239

---

🏁 Script executed:

#!/bin/bash
# Read the glob.rs file to understand current implementation
cat src/manifest/glob.rs

Length of output: 15277

---

🏁 Script executed:

#!/bin/bash
# Search for documentation about glob security or manifest directory restrictions
rg -n "ambient.*authority|glob.*security|manifest.*directory" --type md -C2

# Check for any security documentation
fd -e md -x grep -l "security\|Security" {} \;

Length of output: 565

---

🏁 Script executed:

#!/bin/bash
# Read the security documentation and design document sections
echo "=== Security Network Command Audit ==="
cat docs/security-network-command-audit.md

echo -e "\n=== Netsuke Design - Relevant Section ==="
rg -n -A10 -B10 "ambient authority" docs/netsuke-design.md

# Check the PR #168 discussion mentioned in the issue
echo -e "\n=== PR #168 Details ==="
gh pr view 168 --json title,body,state,comments | jq -r '.comments[] | select(.author.login == "leynos") | .body' | head -20

Length of output: 7742

---

🏁 Script executed:

#!/bin/bash
# Check how glob_paths is called to understand the context available
echo "=== Usage of glob_paths function ==="
rg -n "glob_paths" --type rust -C3

# Check for any workspace or manifest directory context that could be used
echo -e "\n=== Manifest directory or workspace context ==="
rg -n "manifest.*dir|workspace.*dir|WorkspaceDir|ManifestDir" --type rust -g '!target/**' | head -30

# Check if there's a StdlibConfig or similar that might need updating
echo -e "\n=== StdlibConfig structure ==="
rg -n "struct StdlibConfig" --type rust -A20

Length of output: 5877

---

@leynos, I've assessed issue #173, and it is still relevant. The code has not been fixed.

Current State

The glob_paths() function in src/manifest/glob.rs uses ambient authority to open directories with broad filesystem access:

fn open_root_dir(pattern: &GlobPattern) -> std::io::Result<Dir> {
    let candidate = normalized_or_raw(pattern);
    let path = Utf8Path::new(candidate);
    if path.is_absolute() {
        Dir::open_ambient_dir("/", ambient_authority())
    } else {
        Dir::open_ambient_dir(".", ambient_authority())
    }
}

This grants templates the ability to read arbitrary files on the filesystem, rather than being restricted to the manifest's workspace directory.

Documentation Status

The design document acknowledges this limitation but presents it as a trust requirement rather than a restriction to be implemented:

"Filters rely on cap-std directories opened with ambient authority for file-system work. Callers must ensure that templates granted access to the stdlib are trusted to read from the process' working tree."

This is not sufficient given that other security improvements (network fetch restrictions, command output limits) have been hardened with proper sandboxing, as documented in docs/security-network-command-audit.md.

Criticality Assessment: MEDIUM

Risk factors:

• Templates can read arbitrary files on the system, potentially exposing sensitive data
• Violates principle of least privilege
• Inconsistent with the security hardening applied to other stdlib components

Mitigating factors:

• Limited to file reading (not writing or execution)
• Requires untrusted template access to exploit
• Documentation warns about trust requirements
• Not a known active vulnerability

Blast radius: Medium - affects all glob operations in templates, but impact is contained to file system reads.

Required Changes

This is NOT documentation-only. Code changes are required:

1. Modify glob_paths() to accept a workspace root Dir parameter
2. Update open_root_dir() to use the provided workspace root instead of ambient authority
3. Update the call site in src/manifest/mod.rs to pass workspace context (similar to how StdlibConfig provides workspace_root)
4. Validate that glob patterns cannot escape the workspace directory
5. Update tests to verify security boundaries
6. Update documentation to reflect the new restriction

Impact: This is a breaking API change that affects the public interface of glob_paths() and requires threading workspace context through the manifest rendering pipeline.

---

🏁 Script executed:

#!/bin/bash
# Apply the medium criticality label
gh issue edit 173 --add-label "medium"

Length of output: 44

---

✅ Label applied successfully.

To summarise:

• Status: Issue is still relevant and unfixed
• Criticality: Medium (label applied)
• Type: Code changes required (not documentation-only)
• Impact: Breaking API change requiring workspace context to be threaded through the manifest rendering pipeline, similar to the security improvements already implemented for network and command helpers

The fix aligns with the project's established security hardening patterns, particularly the remediation work documented in security-network-command-audit.md for other stdlib components.