fix(aop): correct allowlist path matching for non-existing policy entries

[SedaOran]

Summary

• Bug 1 (allowlist silently dropped): variableToPath was called with allowNonExistingPathsToBeConsidered=false when resolving policy entries. For read-operations this caused any allowlist rule whose file did not yet exist on disk to be silently skipped, making the entire allowlist unreachable.
• Bug 2 (pathMatches wrong): pathMatches returned false (no match) whenever the allowed path from the policy did not exist, regardless of whether the candidate path matched lexically.
• Both bugs affected JavaInstrumentationAdviceFileSystemToolbox (Byte Buddy mode) and JavaAspectJFileSystemAdviceDefinitions (AspectJ mode).

Effect: Explicitly allowed resources were still blocked (SecurityException on allowlisted files), and wrong-target policy tests did not throw SecurityException because access to non-existing files bypassed the allowlist check entirely.

Related Issues

Fixes: Allowed Resource Access Fails (Issues #6, #7) and WrongTarget Policy Violation in AspectJ Modes (Issues #2, #3).

Test plan

• Define a policy allowing protected/allowed.txt for reads
• Run Files.readString(Path.of("protected/allowed.txt")) — should PASS
• Run Files.readString(Path.of("protected/other.txt")) — should throw SecurityException
• Run WrongTargetPolicyMatrixTest in ARCHUNIT+ASPECTJ and WALA+ASPECTJ Gradle modes — all wrongTarget_* assertions should pass

🤖 Generated with Claude Code

Summary by CodeRabbit

Bug Fixes

• File path whitelist entries are now correctly honored during permission checks, even when the referenced paths don't yet exist. Previously, non-existing allowed paths were skipped; they are now normalized to absolute paths and properly validated against candidate paths.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 59c4f604-f863-4f75-9a93-e13db09cfa83

📥 Commits

Reviewing files that changed from the base of the PR and between b44f7f6 and eedaa56.

📒 Files selected for processing (2)

• src/main/java/de/tum/cit/ase/ares/api/aop/java/aspectj/adviceandpointcut/JavaAspectJFileSystemAdviceDefinitions.aj
• src/main/java/de/tum/cit/ase/ares/api/aop/java/instrumentation/advice/JavaInstrumentationAdviceFileSystemToolbox.java

---

📝 Walkthrough

Walkthrough

This PR modifies filesystem security policy path matching to honor whitelist entries for non-existing paths. The changes ensure that policy-defined allowed paths are normalized and resolved upfront, then matched via absolute-form prefix checking, even when the referenced files don't exist yet.

Changes

Non-Existing Path Whitelist Honoring

Layer / File(s)	Summary
Whitelist Path Resolution in checkIfPathIsForbidden src/main/java/de/tum/cit/ase/ares/api/aop/java/aspectj/adviceandpointcut/JavaAspectJFileSystemAdviceDefinitions.aj, src/main/java/de/tum/cit/ase/ares/api/aop/java/instrumentation/advice/JavaInstrumentationAdviceFileSystemToolbox.java	Policy-entry allowed paths are now converted using variableToPath(..., true) to ensure non-existing whitelist entries are resolved and normalized before matching, preventing them from being skipped.
Path Matching with Non-Existing Allowed Paths src/main/java/de/tum/cit/ase/ares/api/aop/java/aspectj/adviceandpointcut/JavaAspectJFileSystemAdviceDefinitions.aj, src/main/java/de/tum/cit/ase/ares/api/aop/java/instrumentation/advice/JavaInstrumentationAdviceFileSystemToolbox.java	The pathMatches method updated to perform startsWith matching on the normalized absolute form of non-existing allowed paths rather than short-circuiting; inline documentation clarified to reflect this behavior across both implementations.

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested Reviewers

• MarkusPaulsen
• jerrycai0006
• petro-byte

Poem

🐰 A path that doesn't exist yet still finds its way,
Normalized and resolved, allowed to stay,
Prefix matching with absolute care,
Whitelist entries floating through air!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: fixing allowlist path matching for non-existing policy entries, which is exactly what the changeset addresses.
Description check	✅ Passed	The description covers all required template sections with clear explanations of the bugs, their effects, related issues, and a detailed test plan.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/allowlist-path-matching

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}