P0: Update/Upgrade guardrails for system scope (admin/elevation required)#33
P0: Update/Upgrade guardrails for system scope (admin/elevation required)#33Kinin-Code-Offical merged 1 commit intomainfrom
Conversation
Reviewer's guide (collapsed on small PRs)Reviewer's GuideEnforces stricter elevation rules for system-scope upgrades by detecting admin status and install location, blocking unsafe paths, and only elevating when necessary during installer-based updates. Sequence diagram for upgraded elevation logic in upgrade commandsequenceDiagram
actor User
participant UpgradeCommand
participant InstallContext as detectInstallContext
participant AdminCheck as isAdmin
participant InstallerUpdate as applyUpdateInstaller
participant PortableUpdate as applyUpdatePortableExe
User->>UpgradeCommand: invoke upgrade(options)
alt asset option is auto
UpgradeCommand->>InstallContext: detectInstallContext()
InstallContext-->>UpgradeCommand: context
else asset option is explicit
UpgradeCommand-->>UpgradeCommand: context = options.asset
end
UpgradeCommand->>AdminCheck: isAdmin()
AdminCheck-->>UpgradeCommand: admin
UpgradeCommand-->>UpgradeCommand: systemScope = isSystemScopePath(process.execPath)
alt context is installer and not admin and options.elevate is false
UpgradeCommand-->>User: throw error System-scope update requires elevation
else context is installer or setup exe
UpgradeCommand-->>UpgradeCommand: shouldElevate = not admin and options.elevate not false
UpgradeCommand->>InstallerUpdate: applyUpdateInstaller(downloadPath, silent, shouldElevate)
InstallerUpdate-->>UpgradeCommand: update applied
else portable update path
alt systemScope and not admin
UpgradeCommand-->>User: throw error Portable updates require admin
else not systemScope or admin
UpgradeCommand->>PortableUpdate: applyUpdatePortableExe(downloadPath, targetExe)
PortableUpdate-->>UpgradeCommand: update applied
end
end
Flow diagram for system-scope upgrade elevation guardrailsflowchart TD
A["Start upgrade command"] --> B["Determine context (installer or portable)"]
B --> C["Call isAdmin"]
C --> D["Compute systemScope from process.execPath"]
D --> E{context is installer or setup exe?}
E -->|Yes| F{admin is false and options.elevate is false?}
F -->|Yes| G["Error: System-scope update requires elevation"]
F -->|No| H["shouldElevate = not admin and options.elevate not false"]
H --> I["applyUpdateInstaller(downloadPath, silent, shouldElevate)"]
I --> Z["End"]
E -->|No - portable| J{systemScope is true and admin is false?}
J -->|Yes| K["Error: Portable update to system-scope requires admin"]
J -->|No| L["applyUpdatePortableExe(downloadPath, targetExe)"]
K --> Z
L --> Z
File-Level Changes
Assessment against linked issues
Possibly linked issues
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey - I've found 2 issues, and left some high level feedback:
- The
isSystemScopePathhelper currently relies on hard-coded substrings like\program filesand assumes Windows-style paths; consider guarding this logic with aprocess.platform === 'win32'check and/or usingprocess.env.ProgramFiles,ProgramFiles(x86), andProgramDatapluspath.resolve/startsWithto avoid false positives and platform issues. - Right now
systemScopeis derived fromprocess.execPathonly; if there are cases where the target of the update differs from the current executable, it may be safer to base the system-scope check on the actual install/update target path rather than the current process path.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The `isSystemScopePath` helper currently relies on hard-coded substrings like `\program files` and assumes Windows-style paths; consider guarding this logic with a `process.platform === 'win32'` check and/or using `process.env.ProgramFiles`, `ProgramFiles(x86)`, and `ProgramData` plus `path.resolve`/`startsWith` to avoid false positives and platform issues.
- Right now `systemScope` is derived from `process.execPath` only; if there are cases where the target of the update differs from the current executable, it may be safer to base the system-scope check on the actual install/update target path rather than the current process path.
## Individual Comments
### Comment 1
<location> `src/commands/upgrade.ts:99-100` </location>
<code_context>
+ const admin = await isAdmin();
+ const systemScope = isSystemScopePath(process.execPath);
+
+ if (context === 'installer' && !admin && options.elevate === false) {
+ throw new Error('System-scope update requires elevation. Re-run without --no-elevate or run as admin.');
+ }
</code_context>
<issue_to_address>
**issue (bug_risk):** Installer-elevation requirement is only enforced when `context === 'installer'`, not when an installer is inferred from the asset name.
The installer path is actually selected with `context === 'installer' || (asset.name.endsWith('.exe') && asset.name.includes('setup'))`, but this pre-check only covers `context === 'installer'`. If the filename implies an installer while `context !== 'installer'`, a non-admin using `--no-elevate` will still reach `applyUpdateInstaller` with `shouldElevate = false` and won’t see this explicit error. Consider basing this check on the same predicate as the installer branch (or re-checking inside that branch) so elevation behavior and messaging are consistent regardless of how installer context is derived.
</issue_to_address>
### Comment 2
<location> `src/commands/upgrade.ts:109-110` </location>
<code_context>
+ await applyUpdateInstaller(downloadPath, options.silent !== false, shouldElevate);
} else {
if (!options.json) logger.info('Applying portable update...');
+ if (systemScope && !admin) {
+ throw new Error('Portable updates to system-scope installs require admin. Use the installer or re-run as admin.');
+ }
// For portable, we need to know the target exe.
</code_context>
<issue_to_address>
**issue (bug_risk):** The portable system-scope check may block dev/node environments where `process.execPath` is under Program Files, changing previous behavior.
On Windows dev setups, `process.execPath` for Node is typically under `C:\Program Files\nodejs\node.exe`, so `systemScope && !admin` will be true and this branch will now throw before the later packaged-vs-plain-Node logic (which previously only warned about not updating `node.exe`). If you still want warn-only behavior in dev, consider adjusting this condition—e.g., skip the system-scope check when running under `node.exe`, or move it after the packaged-vs-node determination so dev scenarios continue to work.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| if (context === 'installer' && !admin && options.elevate === false) { | ||
| throw new Error('System-scope update requires elevation. Re-run without --no-elevate or run as admin.'); |
There was a problem hiding this comment.
issue (bug_risk): Installer-elevation requirement is only enforced when context === 'installer', not when an installer is inferred from the asset name.
The installer path is actually selected with context === 'installer' || (asset.name.endsWith('.exe') && asset.name.includes('setup')), but this pre-check only covers context === 'installer'. If the filename implies an installer while context !== 'installer', a non-admin using --no-elevate will still reach applyUpdateInstaller with shouldElevate = false and won’t see this explicit error. Consider basing this check on the same predicate as the installer branch (or re-checking inside that branch) so elevation behavior and messaging are consistent regardless of how installer context is derived.
| if (systemScope && !admin) { | ||
| throw new Error('Portable updates to system-scope installs require admin. Use the installer or re-run as admin.'); |
There was a problem hiding this comment.
issue (bug_risk): The portable system-scope check may block dev/node environments where process.execPath is under Program Files, changing previous behavior.
On Windows dev setups, process.execPath for Node is typically under C:\Program Files\nodejs\node.exe, so systemScope && !admin will be true and this branch will now throw before the later packaged-vs-plain-Node logic (which previously only warned about not updating node.exe). If you still want warn-only behavior in dev, consider adjusting this condition—e.g., skip the system-scope check when running under node.exe, or move it after the packaged-vs-node determination so dev scenarios continue to work.
There was a problem hiding this comment.
Pull request overview
This PR enhances security guardrails for system-scope installations by requiring elevation for installer updates and blocking portable updates to system directories unless running as admin. The changes prevent unauthorized modifications to system-scope installations while avoiding unnecessary elevation prompts when already elevated.
Key Changes:
- Added elevation requirement check for installer updates when
--no-elevateflag is used - Added system-scope path detection to block portable updates to protected directories
- Modified elevation logic to avoid redundant RunAs when already admin
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if (systemScope && !admin) { | ||
| throw new Error('Portable updates to system-scope installs require admin. Use the installer or re-run as admin.'); | ||
| } |
There was a problem hiding this comment.
The portable update guard for system-scope installs is security-critical but lacks test coverage. This condition prevents non-admin users from attempting portable updates to system directories. Consider adding tests to verify this protection works correctly for different combinations of systemScope paths and admin status.
| const systemScope = isSystemScopePath(process.execPath); | ||
|
|
||
| if (context === 'installer' && !admin && options.elevate === false) { | ||
| throw new Error('System-scope update requires elevation. Re-run without --no-elevate or run as admin.'); |
There was a problem hiding this comment.
The error message states "System-scope update requires elevation" but the condition only checks if context is 'installer' and not admin, without verifying that it's actually a system-scope installation. This could be misleading when an installer update is attempted from a user-scope installation. Consider checking systemScope variable in this condition as well, or update the error message to say "Installer update requires elevation" to be more accurate.
| throw new Error('System-scope update requires elevation. Re-run without --no-elevate or run as admin.'); | |
| throw new Error('Installer update requires elevation. Re-run without --no-elevate or run as admin.'); |
| throw new Error('System-scope update requires elevation. Re-run without --no-elevate or run as admin.'); | ||
| } | ||
|
|
||
| if (context === 'installer' || asset.name.endsWith('.exe') && asset.name.includes('setup')) { |
There was a problem hiding this comment.
This condition could be clearer with explicit parentheses to show the intended operator precedence. While JavaScript evaluates this as (context === 'installer') || (asset.name.endsWith('.exe') && asset.name.includes('setup')), adding parentheses would make the logic more explicit and easier to understand for future maintainers.
| if (context === 'installer' || asset.name.endsWith('.exe') && asset.name.includes('setup')) { | |
| if (context === 'installer' || (asset.name.endsWith('.exe') && asset.name.includes('setup'))) { |
| function isSystemScopePath(filePath: string): boolean { | ||
| const normalized = filePath.toLowerCase(); | ||
| return normalized.includes('\\program files') || normalized.includes('\\program files (x86)') || normalized.includes('\\programdata'); |
There was a problem hiding this comment.
The path checking logic uses Windows-specific path separators (backslashes) and is case-sensitive to lowercase normalization. This function assumes Windows paths but doesn't document this assumption. Consider adding a comment or JSDoc to clarify this function is Windows-specific, or handle the case where forward slashes might be present in normalized Windows paths.
| function isSystemScopePath(filePath: string): boolean { | |
| const normalized = filePath.toLowerCase(); | |
| return normalized.includes('\\program files') || normalized.includes('\\program files (x86)') || normalized.includes('\\programdata'); | |
| /** | |
| * Checks whether the given path points to a common Windows system-wide | |
| * installation directory. This is intentionally Windows-specific and | |
| * normalizes the path to Windows-style separators before comparison. | |
| */ | |
| function isSystemScopePath(filePath: string): boolean { | |
| const normalized = path | |
| .normalize(filePath) | |
| .toLowerCase() | |
| .replace(/\//g, '\\'); | |
| return ( | |
| normalized.includes('\\program files') || | |
| normalized.includes('\\program files (x86)') || | |
| normalized.includes('\\programdata') | |
| ); |
| if (context === 'installer' && !admin && options.elevate === false) { | ||
| throw new Error('System-scope update requires elevation. Re-run without --no-elevate or run as admin.'); | ||
| } |
There was a problem hiding this comment.
The new elevation guard logic is security-critical but lacks test coverage. The condition checks if context is 'installer', user is not admin, and elevation is explicitly disabled. Consider adding tests to verify this guard works correctly for different combinations of admin status, install context, and elevation options to prevent security bypass scenarios.
1 participant
Closes #16
Summary:
Tests:
Rollback:
Summary by Sourcery
Enforce elevation requirements when upgrading system-scope installs and prevent unsafe portable updates to system-wide installations.
New Features:
Bug Fixes: