neovim

Neovim text editor
git clone https://git.dasho.dev/neovim.git
Log | Files | Refs | README
commit dc67ba948eec0a5628eff0b15ce87a7d27f58bb3
parent cf9b36f3d97b6f9c66ffff008bc1b5a5dd14ca98
Author: nyngwang <nyngwang@gmail.com>
Date:   Tue, 29 Jul 2025 04:11:58 +0800

feat(exrc): user must view and explicitly run ":trust" #35069

Problem:
It's relatively easy to mispress key `a` to (a)llow arbitrary execution
of 'exrc' files. #35050

Solution:
- For exrc files (not directories), remove "allow" menu item.
  Require the user to "view" and then explicitly `:trust` the file.
Diffstat:

Mruntime/doc/news.txt | 5++++-


Mruntime/lua/vim/secure.lua | 14++++++--------


Mtest/functional/core/startup_spec.lua | 48+++++++++++++++++++++++++++++++++++++-----------


Mtest/functional/lua/secure_spec.lua | 25+++++++++++++++++--------


4 files changed, 64 insertions(+), 28 deletions(-)

diff --git a/runtime/doc/news.txt b/runtime/doc/news.txt
@@ -63,7 +63,10 @@ DIAGNOSTICS
 
 EDITOR
 
-• todo
+• |vim.secure.read()| now removes the choice "(a)llow" from the prompt reply for
+  files unlisted in the user's trust database, and thus requires the user to
+  choose (v)iew then run `:trust`. Previously the user would be able to press
+  the single key 'a' to execute the arbitrary execution immediately.
 
 EVENTS
 
diff --git a/runtime/lua/vim/secure.lua b/runtime/lua/vim/secure.lua
@@ -121,18 +121,16 @@ function M.read(path)
     return contents
   end
 
-  local dir_msg = ''
+  local dir_msg = ' To enable it, choose (v)iew then run `:trust`.'
+  local choices = '&ignore\n&view\n&deny'
   if hash == 'directory' then
     dir_msg = ' DIRECTORY trust is decided only by its name, not its contents.'
+    choices = '&ignore\n&view\n&deny\n&allow'
   end
 
   -- File either does not exist in trust database or the hash does not match
-  local ok, result = pcall(
-    vim.fn.confirm,
-    string.format('%s is not trusted.%s', fullpath, dir_msg),
-    '&ignore\n&view\n&deny\n&allow',
-    1
-  )
+  local ok, result =
+    pcall(vim.fn.confirm, string.format('%s is not trusted.%s', fullpath, dir_msg), choices, 1)
 
   if not ok and result ~= 'Keyboard interrupt' then
     error(result)
@@ -147,7 +145,7 @@ function M.read(path)
     -- Deny
     trust[fullpath] = '!'
     contents = nil
-  elseif result == 4 then
+  elseif hash == 'directory' and result == 4 then
     -- Allow
     trust[fullpath] = hash
   end
diff --git a/test/functional/core/startup_spec.lua b/test/functional/core/startup_spec.lua
@@ -1200,9 +1200,11 @@ describe('user config init', function()
             VIMRUNTIME = os.getenv('VIMRUNTIME'),
           },
         })
-        screen:expect({ any = pesc('[i]gnore, (v)iew, (d)eny, (a)llow:') })
-        -- `i` to enter Terminal mode, `a` to allow
-        feed('ia')
+        screen:expect({ any = pesc('[i]gnore, (v)iew, (d)eny:') })
+        -- `i` to enter Terminal mode, `v` to view then `:trust`
+        feed('iv')
+        feed(':trust<CR>')
+        feed(':q<CR>')
         screen:expect([[
           ^                                                  |
           ~                                                 |*4
@@ -1219,8 +1221,8 @@ describe('user config init', function()
           %s%s|
           -- TERMINAL --                                    |
         ]],
-          filename,
-          string.rep(' ', 50 - #filename)
+          '---',
+          string.rep(' ', 50 - #'---')
         ))
 
         clear { args_rm = { '-u' }, env = xstateenv }
@@ -1239,7 +1241,8 @@ describe('user config init', function()
       setup_exrc_file('.nvim.lua')
       setup_exrc_file('../.exrc')
       clear { args_rm = { '-u' }, env = xstateenv }
-      local screen = Screen.new(50, 8)
+      -- use a screen wide width to avoid wrapping the word `.exrc`, `.nvim.lua` below.
+      local screen = Screen.new(500, 8)
       screen._default_attr_ids = nil
       fn.jobstart({ nvim_prog }, {
         term = true,
@@ -1249,13 +1252,36 @@ describe('user config init', function()
       })
       -- current directory exrc is found first
       screen:expect({ any = '.nvim.lua' })
-      screen:expect({ any = pesc('[i]gnore, (v)iew, (d)eny, (a)llow:'), unchanged = true })
-      feed('ia')
+      screen:expect({ any = pesc('[i]gnore, (v)iew, (d)eny:'), unchanged = true })
+      feed('iv')
 
       -- after that the exrc in the parent directory
-      screen:expect({ any = '.exrc' })
-      screen:expect({ any = pesc('[i]gnore, (v)iew, (d)eny, (a)llow:'), unchanged = true })
-      feed('a')
+      screen:expect({ any = '.exrc', unchanged = true })
+      screen:expect({ any = pesc('[i]gnore, (v)iew, (d)eny:'), unchanged = true })
+      feed('v')
+
+      -- trust .exrc
+      feed(':trust<CR>')
+      screen:expect({ any = 'Allowed ".*' .. pathsep .. '%.exrc" in trust database.' })
+      feed(':q<CR>')
+      -- trust .nvim.lua
+      feed(':trust<CR>')
+      screen:expect({ any = 'Allowed ".*' .. pathsep .. '%.nvim%.lua" in trust database.' })
+      feed(':q<CR>')
+      -- no exrc file is executed
+      feed(':echo g:exrc_count<CR>')
+      screen:expect({ any = 'E121: Undefined variable: g:exrc_count' })
+
+      -- restart nvim
+      feed(':restart<CR>')
+      screen:expect([[
+        ^{MATCH: +}|
+        ~{MATCH: +}|*4
+        [No Name]{MATCH: +}0,0-1{MATCH: +}All|
+        {MATCH: +}|
+        -- TERMINAL --{MATCH: +}|
+      ]])
+
       -- a total of 2 exrc files are executed
       feed(':echo g:exrc_count<CR>')
       screen:expect({ any = '2' })
diff --git a/test/functional/lua/secure_spec.lua b/test/functional/lua/secure_spec.lua
@@ -55,7 +55,9 @@ describe('vim.secure', function()
       })
 
       local cwd = fn.getcwd()
-      local msg = cwd .. pathsep .. 'Xfile is not trusted.'
+      local msg = cwd
+        .. pathsep
+        .. 'Xfile is not trusted. To enable it, choose (v)iew then run `:trust`.'
       if #msg >= screen._width then
         pending('path too long')
         return
@@ -69,7 +71,7 @@ describe('vim.secure', function()
         {2:{MATCH: +}}|
         :lua vim.secure.read('Xfile'){MATCH: +}|
         {3:]] .. msg .. [[}{MATCH: +}|
-        {3:[i]gnore, (v)iew, (d)eny, (a)llow: }^{MATCH: +}|
+        {3:[i]gnore, (v)iew, (d)eny: }^{MATCH: +}|
       ]])
       feed('d')
       screen:expect([[
@@ -91,14 +93,21 @@ describe('vim.secure', function()
         {2:{MATCH: +}}|
         :lua vim.secure.read('Xfile'){MATCH: +}|
         {3:]] .. msg .. [[}{MATCH: +}|
-        {3:[i]gnore, (v)iew, (d)eny, (a)llow: }^{MATCH: +}|
+        {3:[i]gnore, (v)iew, (d)eny: }^{MATCH: +}|
       ]])
-      feed('a')
+      feed('v')
+      feed(':trust<CR>')
       screen:expect([[
-        ^{MATCH: +}|
-        {1:~{MATCH: +}}|*6
+        ^let g:foobar = 42{MATCH: +}|
+        {1:~{MATCH: +}}|*2
+        {2:]] .. fn.fnamemodify(cwd, ':~') .. pathsep .. [[Xfile [RO]{MATCH: +}}|
         {MATCH: +}|
+        {1:~{MATCH: +}}|
+        {4:[No Name]{MATCH: +}}|
+        Allowed "]] .. cwd .. pathsep .. [[Xfile" in trust database.{MATCH: +}|
       ]])
+      -- close the split for the next test below.
+      feed(':q<CR>')
 
       local hash = fn.sha256(assert(read_file('Xfile')))
       trust = assert(read_file(stdpath('state') .. pathsep .. 'trust'))
@@ -114,7 +123,7 @@ describe('vim.secure', function()
         {2:{MATCH: +}}|
         :lua vim.secure.read('Xfile'){MATCH: +}|
         {3:]] .. msg .. [[}{MATCH: +}|
-        {3:[i]gnore, (v)iew, (d)eny, (a)llow: }^{MATCH: +}|
+        {3:[i]gnore, (v)iew, (d)eny: }^{MATCH: +}|
       ]])
       feed('i')
       screen:expect([[
@@ -133,7 +142,7 @@ describe('vim.secure', function()
         {2:{MATCH: +}}|
         :lua vim.secure.read('Xfile'){MATCH: +}|
         {3:]] .. msg .. [[}{MATCH: +}|
-        {3:[i]gnore, (v)iew, (d)eny, (a)llow: }^{MATCH: +}|
+        {3:[i]gnore, (v)iew, (d)eny: }^{MATCH: +}|
       ]])
       feed('v')
       screen:expect([[