patch 9.2.0381: Vim9: Missing check_secure() in exec_instructions()

Problem: Vim9: Missing check_secure() when executing ISN_STOREENV instruction (Andrej Tomči) Solution: Add check_secure(), add test. closes: #19992 Signed-off-by: Christian Brabandt <cb@256bit.org>
2026-06-11 15:37:29 +02:00 · 2026-04-20 17:44:45 +00:00
parent b328686d6a
commit ec3f79e037
3 changed files with 48 additions and 1 deletions
@@ -220,4 +220,49 @@ func Test_restricted_cscope()
  call delete('XResult_cscope')
 endfunc

+func Test_vim9_storeenv_sandbox()
+  let lines =<< trim END
+    vim9script
+
+    function g:LegacySetEnv()
+      let $VIM_SANDBOX_TEST = 'legacy'
+    endfunc
+
+    def Vim9SetEnv()
+      $VIM_SANDBOX_TEST = 'vim9_bypass'
+    enddef
+
+    # Legacy path should be blocked by check_secure()
+    var legacy_blocked = false
+    try
+      legacy sandbox call LegacySetEnv()
+    catch /E48/
+      legacy_blocked = true
+    endtry
+    assert_true(legacy_blocked, 'legacy $ENV assignment should be blocked in sandbox')
+    assert_false(exists('$VIM_SANDBOX_TEST'))
+
+    # Vim9 path should also be blocked by check_secure()
+    var vim9_blocked = false
+    try
+      sandbox Vim9SetEnv()
+    catch /E48/
+      vim9_blocked = true
+    endtry
+    assert_true(vim9_blocked, 'Vim9 ISN_STOREENV should be blocked in sandbox')
+    assert_false(exists('$VIM_SANDBOX_TEST'))
+    writefile([
+    legacy_blocked,
+    vim9_blocked,
+    string(v:errors)], 'XResult_storeenv')
+    qa
+  END
+  call writefile(lines, 'Xtest_storeenv_sandbox.vim', 'D')
+  let expected = ['true', 'true', '[]']
+  if RunVim([], [], '-u NONE -N -i NONE --not-a-term -S Xtest_storeenv_sandbox.vim')
+    call assert_equal(expected, readfile('XResult_storeenv'))
+  endif
+  call delete('XResult_storeenv')
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
@@ -734,6 +734,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    381,
 /**/
    380,
 /**/
@@ -4472,7 +4472,7 @@ exec_instructions(ectx_T *ectx)

 	    // store $ENV
 	    case ISN_STOREENV:
-		if (check_restricted())
+		if (check_secure() || check_restricted())
 		    goto theend;
 		--ectx->ec_stack.ga_len;
 		tv = STACK_TV_BOT(0);