Skip to content

Scope kosit:install --force deletion + lock down download host (config-safety) #2

Description

@jbagsik

Context

From the same moox/kosit-validator install security review. Two lower-severity config-safety issues: kosit:install --force recursively deletes a fully config-controlled path, and the download URLs are env()-overridable with no host allowlist. Sequenced after the RCE-hardening ticket because both edit the install command.

What to build

kosit:install is safe against a misconfigured base path and against being retargeted at an unexpected download host.

Acceptance criteria

  • --force deletion is scoped to the known validator/XRechnung subdirectories (or validates that the configured base path lives under the expected package storage root) — it never recursively deletes an arbitrary configured directory.
  • Download URLs are validated against an allowlist of expected hosts (the itplr-kosit GitHub org), or an override is clearly gated; combined with the integrity check from the hardening ticket, an arbitrary retarget cannot silently install/execute foreign artifacts.
  • Clear errors when the base path or a download host looks unexpected; no destructive action taken in that case.
  • Existing package tests stay green.

Blocked by

Metadata

Metadata

Assignees

No one assigned

    Labels

    ready-for-agentSpec is ready for an agent to implement

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions