fix(security): require confirmation for risky share/delegate/filter actions

Author: salmonumbrella

internal/cmd/drive.go

@@ -779,6 +779,11 @@ func (c *DriveShareCmd) Run(ctx context.Context, flags *RootFlags) error {
 	if role != drivePermRoleReader && role != drivePermRoleWriter {
 		return usage("invalid --role (expected reader|writer)")
 	}
+	if to == driveShareToAnyone {
+		if confirmErr := confirmDestructive(ctx, flags, fmt.Sprintf("share drive file %s with anyone (public)", fileID)); confirmErr != nil {
+			return confirmErr
+		}
+	}
 
 	svc, err := newDriveService(ctx, account)
 	if err != nil {

internal/cmd/drive_errors_test.go

@@ -62,4 +62,9 @@ func TestDriveDeleteUnshare_NoInput(t *testing.T) {
 	if err := runKong(t, unshareCmd, []string{"file1", "perm1"}, context.Background(), flags); err == nil || !strings.Contains(err.Error(), "refusing") {
 		t.Fatalf("expected refusing error, got %v", err)
 	}
+
+	shareCmd := &DriveShareCmd{}
+	if err := runKong(t, shareCmd, []string{"file1", "--to", "anyone"}, context.Background(), flags); err == nil || !strings.Contains(err.Error(), "refusing to share drive file file1 with anyone (public)") {
+		t.Fatalf("expected refusing error, got %v", err)
+	}
 }

internal/cmd/execute_drive_more_commands_test.go

@@ -147,11 +147,11 @@ func TestExecute_DriveMoreCommands_JSON(t *testing.T) {
 				t.Fatalf("move: %v", err)
 			}
 		})
-		_ = captureStdout(t, func() {
-			if err := Execute([]string{"--json", "--account", "a@b.com", "drive", "share", "id1", "--anyone", "--role", "reader"}); err != nil {
-				t.Fatalf("share: %v", err)
-			}
-		})
+			_ = captureStdout(t, func() {
+				if err := Execute([]string{"--json", "--force", "--account", "a@b.com", "drive", "share", "id1", "--anyone", "--role", "reader"}); err != nil {
+					t.Fatalf("share: %v", err)
+				}
+			})
 		_ = captureStdout(t, func() {
 			if err := Execute([]string{"--json", "--account", "a@b.com", "drive", "permissions", "id1"}); err != nil {
 				t.Fatalf("permissions: %v", err)
@@ -292,9 +292,9 @@ func TestExecute_DriveMoreCommands_Text(t *testing.T) {
 			if err := Execute([]string{"--account", "a@b.com", "drive", "move", "id1", "--parent", "np"}); err != nil {
 				t.Fatalf("move: %v", err)
 			}
-			if err := Execute([]string{"--account", "a@b.com", "drive", "share", "id1", "--anyone", "--role", "reader"}); err != nil {
-				t.Fatalf("share: %v", err)
-			}
+				if err := Execute([]string{"--force", "--account", "a@b.com", "drive", "share", "id1", "--anyone", "--role", "reader"}); err != nil {
+					t.Fatalf("share: %v", err)
+				}
 			if err := Execute([]string{"--account", "a@b.com", "drive", "permissions", "id1"}); err != nil {
 				t.Fatalf("permissions: %v", err)
 			}

internal/cmd/execute_gmail_settings_more_commands_test.go

@@ -216,11 +216,11 @@ func TestExecute_GmailSettingsMoreCommands_JSON(t *testing.T) {
 				t.Fatalf("delegates get: %v", err)
 			}
 		})
-		_ = captureStdout(t, func() {
-			if err := Execute([]string{"--json", "--account", "a@b.com", "gmail", "delegates", "add", "d@b.com"}); err != nil {
-				t.Fatalf("delegates add: %v", err)
-			}
-		})
+			_ = captureStdout(t, func() {
+				if err := Execute([]string{"--json", "--force", "--account", "a@b.com", "gmail", "delegates", "add", "d@b.com"}); err != nil {
+					t.Fatalf("delegates add: %v", err)
+				}
+			})
 		_ = captureStdout(t, func() {
 			if err := Execute([]string{"--json", "--force", "--account", "a@b.com", "gmail", "delegates", "remove", "d@b.com"}); err != nil {
 				t.Fatalf("delegates remove: %v", err)

internal/cmd/gmail_delegates.go

@@ -109,6 +109,9 @@ func (c *GmailDelegatesAddCmd) Run(ctx context.Context, flags *RootFlags) error
 	}); err != nil {
 		return err
 	}
+	if confirmErr := confirmDestructive(ctx, flags, fmt.Sprintf("add gmail delegate %s (grants mailbox read access)", delegateEmail)); confirmErr != nil {
+		return confirmErr
+	}
 
 	account, err := requireAccount(flags)
 	if err != nil {

internal/cmd/gmail_delegates_test.go

@@ -1,6 +1,10 @@
 package cmd
 
-import "testing"
+import (
+	"context"
+	"strings"
+	"testing"
+)
 
 func TestDelegatesCommandsExist(t *testing.T) {
 	// Unit tests for the actual API calls live in integration; here we just ensure
@@ -11,3 +15,12 @@ func TestDelegatesCommandsExist(t *testing.T) {
 	_ = GmailDelegatesAddCmd{}
 	_ = GmailDelegatesRemoveCmd{}
 }
+
+func TestGmailDelegatesAdd_NoInputRequiresForce(t *testing.T) {
+	flags := &RootFlags{Account: "a@b.com", NoInput: true}
+	cmd := &GmailDelegatesAddCmd{}
+	err := runKong(t, cmd, []string{"delegate@example.com"}, context.Background(), flags)
+	if err == nil || !strings.Contains(err.Error(), "refusing to add gmail delegate") {
+		t.Fatalf("expected refusing error, got %v", err)
+	}
+}

internal/cmd/gmail_filters.go

@@ -168,14 +168,15 @@ type GmailFiltersCreateCmd struct {
 
 func (c *GmailFiltersCreateCmd) Run(ctx context.Context, flags *RootFlags) error {
 	u := ui.FromContext(ctx)
+	forwardTarget := strings.TrimSpace(c.Forward)
 
 	// Validate that at least one criteria is specified
 	if c.From == "" && c.To == "" && c.Subject == "" && c.Query == "" && !c.HasAttachment {
 		return errors.New("must specify at least one criteria flag (--from, --to, --subject, --query, or --has-attachment)")
 	}
 
 	// Validate that at least one action is specified
-	if c.AddLabel == "" && c.RemoveLabel == "" && !c.Archive && !c.MarkRead && !c.Star && c.Forward == "" && !c.Trash && !c.NeverSpam && !c.Important {
+	if c.AddLabel == "" && c.RemoveLabel == "" && !c.Archive && !c.MarkRead && !c.Star && forwardTarget == "" && !c.Trash && !c.NeverSpam && !c.Important {
 		return errors.New("must specify at least one action flag (--add-label, --remove-label, --archive, --mark-read, --star, --forward, --trash, --never-spam, or --important)")
 	}
 
@@ -193,14 +194,19 @@ func (c *GmailFiltersCreateCmd) Run(ctx context.Context, flags *RootFlags) error
 			"archive":      c.Archive,
 			"mark_read":    c.MarkRead,
 			"star":         c.Star,
-			"forward":      strings.TrimSpace(c.Forward),
+			"forward":      forwardTarget,
 			"trash":        c.Trash,
 			"never_spam":   c.NeverSpam,
 			"important":    c.Important,
 		},
 	}); err != nil {
 		return err
 	}
+	if forwardTarget != "" {
+		if confirmErr := confirmDestructive(ctx, flags, fmt.Sprintf("create gmail filter forwarding to %s", forwardTarget)); confirmErr != nil {
+			return confirmErr
+		}
+	}
 
 	account, err := requireAccount(flags)
 	if err != nil {
@@ -278,8 +284,8 @@ func (c *GmailFiltersCreateCmd) Run(ctx context.Context, flags *RootFlags) error
 		action.AddLabelIds = append(action.AddLabelIds, "STARRED")
 	}
 
-	if c.Forward != "" {
-		action.Forward = c.Forward
+	if forwardTarget != "" {
+		action.Forward = forwardTarget
 	}
 
 	if c.Trash {

internal/cmd/gmail_filters_cmd_test.go

@@ -29,6 +29,15 @@ func TestGmailFiltersCreate_Validation(t *testing.T) {
 	}
 }
 
+func TestGmailFiltersCreate_Forward_NoInputRequiresForce(t *testing.T) {
+	flags := &RootFlags{Account: "a@b.com", NoInput: true}
+	cmd := &GmailFiltersCreateCmd{}
+	err := runKong(t, cmd, []string{"--from", "a@example.com", "--forward", "f@example.com"}, context.Background(), flags)
+	if err == nil || !strings.Contains(err.Error(), "refusing to create gmail filter forwarding") {
+		t.Fatalf("expected refusing error, got %v", err)
+	}
+}
+
 func TestGmailFilters_TextPaths(t *testing.T) {
 	origNew := newGmailService
 	t.Cleanup(func() { newGmailService = origNew })