macos: require confirmation to run any script

2025-08-28 12:33:28 -07:00 · 2025-08-28 12:33:28 -07:00 · 04956f3dc1
parent f1ea30dcf1
commit 04956f3dc1
1 changed files with 34 additions and 5 deletions
--- a/macos/Sources/App/macOS/AppDelegate.swift
+++ b/macos/Sources/App/macOS/AppDelegate.swift
@ -398,6 +398,10 @@ class AppDelegate: NSObject,
        var isDirectory = ObjCBool(true)
        guard FileManager.default.fileExists(atPath: filename, isDirectory: &isDirectory) else { return false }
        
+        // Set to true if confirmation is required before starting up the
+        // new terminal.
+        var requiresConfirm: Bool = false
+        
        // Initialize the surface config which will be used to create the tab or window for the opened file.
        var config = Ghostty.SurfaceConfiguration()
        
@ -406,6 +410,13 @@ class AppDelegate: NSObject,
            // whether to open in a new tab or new window.
            config.workingDirectory = filename
        } else {
+            // Unconditionally require confirmation in the file execution case.
+            // In the future I have ideas about making this more fine-grained if
+            // we can not inherit of unsandboxed state. For now, we need to confirm
+            // because there is a sandbox escape possible if a sandboxed application
+            // somehow is tricked into `open`-ing a non-sandboxed application.
+            requiresConfirm = true
+            
            // When opening a file, we want to execute the file. To do this, we
            // don't override the command directly, because it won't load the
            // profile/rc files for the shell, which is super important on macOS
@ -423,6 +434,24 @@ class AppDelegate: NSObject,
            config.workingDirectory = (filename as NSString).deletingLastPathComponent
        }
        
+        if requiresConfirm {
+            // Confirmation required. We use an app-wide NSAlert for now. In the future we
+            // may want to show this as a sheet on the focused window (especially if we're
+            // opening a tab). I'm not sure.
+            let alert = NSAlert()
+            alert.messageText = "Allow Ghostty to execute \"\(filename)\"?"
+            alert.addButton(withTitle: "Allow")
+            alert.addButton(withTitle: "Cancel")
+            alert.alertStyle = .warning
+            switch (alert.runModal()) {
+            case .alertFirstButtonReturn:
+                break
+                
+            default:
+                return false
+            }
+        }
+        
        switch ghostty.config.macosDockDropBehavior {
        case .new_tab: _ = TerminalController.newTab(ghostty, withBaseConfig: config)
        case .new_window: _ = TerminalController.newWindow(ghostty, withBaseConfig: config)