Skip to content

risk.rs: find is whitelisted Harmless, so 'find . -delete' classifies as read-only #2

Description

@JoshuaBearup

The segmented risk classifier (crates/norn/src/tool/risk.rs) closes the first-token evasions nicely, but the is_harmless whitelist (risk.rs:185-208) matches on first token only, and find is in it. Consequences at current HEAD:

  • find . -deleteHarmless ("read-only commands with no side effects") — a deletion command lands in the tier presumably exempt from approval gates.
  • find / -exec rm -rf {} +MediumRisk, but only by accident: split_shell_segments splits on {/}/;, so the \/+ residue becomes an unknown-command segment that defaults to MediumRisk. Nothing detects the indirected rm; the tier is tokeniser shrapnel, and it is still under-tiered for a recursive delete (bare rm is HighRisk).
  • The module doc (risk.rs:17-21) lists find -exec as falling "through to the MediumRisk default for unknown commands" — but find is not unknown, it is whitelisted Harmless, and find -delete is not covered by the residual-limits note at all. The documented floor is higher than the actual behaviour, which is the wrong direction for a security doc.

(Deliberately not raising the VISION config-extensibility point here — C34 is tracked and N-006 scoped this phase as hardcoded patterns; this issue is only about the active misclassification.)

Optional fix (take it or leave it): in classify_segment, check for mutating find flags before the harmless whitelist:

if first_token == "find"
    && segment.split_whitespace().any(|t| matches!(t, "-delete" | "-exec" | "-execdir" | "-ok" | "-okdir"))
{
    return BashRiskTier::HighRisk; // or classify the -exec'd command recursively
}

plus tests for find . -delete and find . -exec rm {} \;, and a doc-comment correction either way. The same first-token-trusts-flags pattern may be worth a glance for sed -i/awk (currently MediumRisk, which seems fine) — find is the only whitelisted-Harmless command that takes destructive flags.


Surfaced during a documentation/quality review of norn for the Meridian workspace; file:line verified against fd1c587. Optional fix only — entirely your call on approach.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions