Remove potential osascript hijacking attack (#2867)

Fixes https://linear.app/zed-industries/issue/Z-2818/security-vulnerability-dylib-injection Release Notes: - Fixed a potential local code-injection if a user installs the Zed CLI for the first time with a hijacked `osascript` in their path.
2025-02-04 18:15:21 +00:00 · 2023-08-18 18:00:39 -07:00 · 2023-08-18 18:00:39 -07:00 · 15f91f38f6
commit 15f91f38f6
parent ef9686c988 5a356a4710
2 changed files with 3 additions and 7 deletions
--- a/crates/install_cli/src/install_cli.rs
+++ b/crates/install_cli/src/install_cli.rs
@ -29,7 +29,7 @@ pub async fn install_cli(cx: &AsyncAppContext) -> Result<()> {

    // The symlink could not be created, so use osascript with admin privileges
    // to create it.
-    let status = smol::process::Command::new("osascript")
+    let status = smol::process::Command::new("/usr/bin/osascript")
        .args([
            "-e",
            &format!(
--- a/crates/zed/resources/zed.entitlements
+++ b/crates/zed/resources/zed.entitlements
@ -18,11 +18,7 @@
 	<true/>
 	<key>com.apple.security.personal-information.photos-library</key>
 	<true/>
-	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
-	<true/>
-	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
-	<true/>
-	<key>com.apple.security.cs.disable-library-validation</key>
-	<true/>
+	<!-- <key>com.apple.security.cs.disable-library-validation</key>
+	<true/> -->
 </dict>
 </plist>