Minor operator experience issue, but the load_policies command doesn't check for existence / readability of the policy file causing some potentially confusing errors. It can read any file by design, since operators are able to override the default policy, but maybe we can tighten it up to one path or a few paths rather than give it a blank check to the filesystem. There doesn't seem to be any exfiltration path, and it requires being able to run the command or execute arbitrary Python to run anyway.
We should:
- Investigate allow-listing paths for reading the file from
- Follow the enforcement.py pattern of checking the file for existence and raising an explicit error if it's not there or better yet just use the Click file arg type for both
Minor operator experience issue, but the load_policies command doesn't check for existence / readability of the policy file causing some potentially confusing errors. It can read any file by design, since operators are able to override the default policy, but maybe we can tighten it up to one path or a few paths rather than give it a blank check to the filesystem. There doesn't seem to be any exfiltration path, and it requires being able to run the command or execute arbitrary Python to run anyway.
We should: