feat(exrc): user must view and explicitly run ":trust" #35069

Problem: It's relatively easy to mispress key `a` to (a)llow arbitrary execution of 'exrc' files. #35050 Solution: - For exrc files (not directories), remove "allow" menu item. Require the user to "view" and then explicitly `:trust` the file.
2025-10-26 12:27:24 +00:00 · 2025-07-29 04:11:58 +08:00
parent cf9b36f3d9
commit dc67ba948e
4 changed files with 64 additions and 28 deletions
--- a/test/functional/lua/secure_spec.lua
+++ b/test/functional/lua/secure_spec.lua
@@ -55,7 +55,9 @@ describe('vim.secure', function()
      })

      local cwd = fn.getcwd()
-      local msg = cwd .. pathsep .. 'Xfile is not trusted.'
+      local msg = cwd
+        .. pathsep
+        .. 'Xfile is not trusted. To enable it, choose (v)iew then run `:trust`.'
      if #msg >= screen._width then
        pending('path too long')
        return
@@ -69,7 +71,7 @@ describe('vim.secure', function()
        {2:{MATCH: +}}|
        :lua vim.secure.read('Xfile'){MATCH: +}|
        {3:]] .. msg .. [[}{MATCH: +}|
-        {3:[i]gnore, (v)iew, (d)eny, (a)llow: }^{MATCH: +}|
+        {3:[i]gnore, (v)iew, (d)eny: }^{MATCH: +}|
      ]])
      feed('d')
      screen:expect([[
@@ -91,14 +93,21 @@ describe('vim.secure', function()
        {2:{MATCH: +}}|
        :lua vim.secure.read('Xfile'){MATCH: +}|
        {3:]] .. msg .. [[}{MATCH: +}|
-        {3:[i]gnore, (v)iew, (d)eny, (a)llow: }^{MATCH: +}|
+        {3:[i]gnore, (v)iew, (d)eny: }^{MATCH: +}|
      ]])
-      feed('a')
+      feed('v')
+      feed(':trust<CR>')
      screen:expect([[
-        ^{MATCH: +}|
-        {1:~{MATCH: +}}|*6
+        ^let g:foobar = 42{MATCH: +}|
+        {1:~{MATCH: +}}|*2
+        {2:]] .. fn.fnamemodify(cwd, ':~') .. pathsep .. [[Xfile [RO]{MATCH: +}}|
        {MATCH: +}|
+        {1:~{MATCH: +}}|
+        {4:[No Name]{MATCH: +}}|
+        Allowed "]] .. cwd .. pathsep .. [[Xfile" in trust database.{MATCH: +}|
      ]])
+      -- close the split for the next test below.
+      feed(':q<CR>')

      local hash = fn.sha256(assert(read_file('Xfile')))
      trust = assert(read_file(stdpath('state') .. pathsep .. 'trust'))
@@ -114,7 +123,7 @@ describe('vim.secure', function()
        {2:{MATCH: +}}|
        :lua vim.secure.read('Xfile'){MATCH: +}|
        {3:]] .. msg .. [[}{MATCH: +}|
-        {3:[i]gnore, (v)iew, (d)eny, (a)llow: }^{MATCH: +}|
+        {3:[i]gnore, (v)iew, (d)eny: }^{MATCH: +}|
      ]])
      feed('i')
      screen:expect([[
@@ -133,7 +142,7 @@ describe('vim.secure', function()
        {2:{MATCH: +}}|
        :lua vim.secure.read('Xfile'){MATCH: +}|
        {3:]] .. msg .. [[}{MATCH: +}|
-        {3:[i]gnore, (v)iew, (d)eny, (a)llow: }^{MATCH: +}|
+        {3:[i]gnore, (v)iew, (d)eny: }^{MATCH: +}|
      ]])
      feed('v')
      screen:expect([[