From fa957c06cf6b1dc86bc638e16dd8b4c3a2705637 Mon Sep 17 00:00:00 2001
From: flamiinngo <108100593+flamiinngo@users.noreply.github.com>
Date: Mon, 25 May 2026 01:44:53 +0100
Subject: [PATCH] fix(security): add missing credential paths to write denylist (#27217)

The write denylist already protects SSH keys, AWS, GPG, npm, PyPI, Docker, Azure, and GitHub CLI credentials. Two common credential stores were missing: ~/.git-credentials stores plaintext git tokens in the format https://username:token@github.com when using git credential-store. It is directly analogous to ~/.netrc which was already protected. ~/.config/gcloud/ contains Google Cloud OAuth tokens and service account credentials. It is directly analogous to ~/.aws/ which was already protected. Under prompt injection, an agent could be instructed to overwrite these files, destroying credentials or planting malicious ones. Verified before and after with is_write_denied() on both paths.
---
 agent/file_safety.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/agent/file_safety.py b/agent/file_safety.py
index 502c3b254a8..64f52e2ecd2 100644
--- a/agent/file_safety.py
+++ b/agent/file_safety.py
@@ -50,6 +50,7 @@ def build_write_denied_paths(home: str) -> set[str]:
 os.path.join(home, ".pgpass"),
 os.path.join(home, ".npmrc"),
 os.path.join(home, ".pypirc"),
+ os.path.join(home, ".git-credentials"),
 "/etc/sudoers",
 "/etc/passwd",
 "/etc/shadow",
@@ -71,6 +72,7 @@ def build_write_denied_prefixes(home: str) -> list[str]:
 os.path.join(home, ".docker"),
 os.path.join(home, ".azure"),
 os.path.join(home, ".config", "gh"),
+ os.path.join(home, ".config", "gcloud"),
 ]
 ]
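Review bot: The new `.git-credentials` entry in build_write_denied_paths covers only the default store location; git's credential-store helper also uses `$XDG_CONFIG_HOME/git/credentials` (normally `~/.config/git/credentials`), which stays writable unless it is already listed in a part of the set this hunk does not show. Consider adding `os.path.join(home, ".config", "git", "credentials"),` next to the new line. The commit message says the change was checked by hand with is_write_denied(), but the diff touches one file and adds no test; a small regression test asserting that both new paths are denied would keep the list from silently regressing. The function body starts and ends outside the hunk.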
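Review bot: The `gcloud` prefix added to build_write_denied_prefixes is fixed at `~/.config/gcloud`, but the Cloud SDK allows its configuration directory to be relocated through the `CLOUDSDK_CONFIG` environment variable, so on a host that sets it the credential store would remain writable. If the agent can run in such an environment, the prefix list could also include that directory when the variable is set and non-empty, for example by reading `os.environ.get("CLOUDSDK_CONFIG")`. A short comment on the new line, such as `# gcloud OAuth tokens, application-default and service-account credentials`, would record why the prefix is listed. The enclosing list starts outside the hunk.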