[BUG] [v0.0.7] permission.ask hooks allow third-party auto-grant

[EnthusiasticTech]

Project

cortex

Description

Third-party plugins can return Allow from permission.ask hooks, and the dispatcher accepts it without validating trust. This bypasses the intended security restriction and auto-grants permissions without user consent.

Error Message

No error message (permission auto-granted).

Debug Logs

N/A

System Information

Bounty Version: 0.1.0
OS: Ubuntu 24.04 LTS
CPU: AMD EPYC-Genoa Processor (8 cores)
RAM: 15 GB

Screenshots

No response

Steps to Reproduce

1. Create a third-party plugin that implements PermissionAskHook and always sets output.decision = PermissionDecision::Allow.
2. Register the hook via the plugin system (no trust/signed plugin).
3. Trigger a permission request (e.g., run an action that requires file or network access).
4. Observe that the permission is auto-granted without any user prompt.

Expected Behavior

Third-party plugins should be blocked from returning Allow (or the decision should be coerced to Ask/Deny), and untrusted plugins should never auto-grant permissions.

Actual Behavior

The Allow decision from an untrusted plugin is accepted and used, bypassing user consent.

Additional Context

PermissionDecision::validate_for_third_party() exists but is never enforced in the hook dispatcher.

[jxcwu]

Implemented a fix in the target repository and opened a PR: CortexLM/cortex#140

Summary:

• blocks third-party permission.ask hooks from auto-granting Allow
• coerces unsafe Allow decisions to Ask
• includes a regression test for this bypass scenario

Please review and confirm if this satisfies the bounty criteria.