runCommand -> removeQuarantine

Author: ethanndickson

Coder-Desktop/Coder-DesktopHelper/HelperXPCProtocol.swift

@@ -1,5 +1,5 @@
 import Foundation
 
 @objc protocol HelperXPCProtocol {
-    func runCommand(command: String, withReply reply: @escaping (Int32, String) -> Void)
+    func removeQuarantine(path: String, withReply reply: @escaping (Int32, String) -> Void)
 }

Coder-Desktop/Coder-DesktopHelper/main.swift

@@ -22,19 +22,25 @@ class HelperToolDelegate: NSObject, NSXPCListenerDelegate, HelperXPCProtocol {
         return true
     }
 
-    func runCommand(command: String, withReply reply: @escaping (Int32, String) -> Void) {
+    func removeQuarantine(path: String, withReply reply: @escaping (Int32, String) -> Void) {
+        guard isCoderDesktopDylib(at: path) else {
+            reply(1, "Path is not to a Coder Desktop dylib: \(path)")
+            return
+        }
+
         let task = Process()
         let pipe = Pipe()
 
         task.standardOutput = pipe
         task.standardError = pipe
-        task.arguments = ["-c", command]
+        task.arguments = ["-c", "xattr -d com.apple.quarantine '\(path)'"]
         task.executableURL = URL(fileURLWithPath: "/bin/bash")
 
         do {
             try task.run()
         } catch {
             reply(1, "Failed to start command: \(error)")
+            return
         }
 
         let data = pipe.fileHandleForReading.readDataToEndOfFile()
@@ -45,6 +51,20 @@ class HelperToolDelegate: NSObject, NSXPCListenerDelegate, HelperXPCProtocol {
     }
 }
 
+func isCoderDesktopDylib(at rawPath: String) -> Bool {
+    let url = URL(fileURLWithPath: rawPath)
+        .standardizedFileURL
+        .resolvingSymlinksInPath()
+
+    // *Must* be within the Coder Desktop System Extension sandbox
+    let requiredPrefix = ["/", "var", "root", "Library", "Containers",
+                          "com.coder.Coder-Desktop.VPN"]
+    guard url.pathComponents.starts(with: requiredPrefix) else { return false }
+    guard url.pathExtension.lowercased() == "dylib" else { return false }
+    guard FileManager.default.fileExists(atPath: url.path) else { return false }
+    return true
+}
+
 let delegate = HelperToolDelegate()
 let listener = NSXPCListener(machServiceName: "4399GN35BJ.com.coder.Coder-Desktop.Helper")
 listener.delegate = delegate

Coder-Desktop/VPN/HelperXPCSpeaker.swift

@@ -16,7 +16,7 @@ final class HelperXPCSpeaker: @unchecked Sendable {
                 continuation.resume(returning: false)
                 return
             }
-            proxy.runCommand(command: "xattr -d com.apple.quarantine \(path)") { status, output in
+            proxy.removeQuarantine(path: path) { status, output in
                 if status == 0 {
                     self.logger.info("Successfully removed quarantine for \(path)")
                     continuation.resume(returning: true)