Description
The hash_binary tool's allowed_read_roots on Windows only includes C:\ProgramData and C:\Windows\System32\winevt\Logs. It does not include C:\Windows\System32 itself.
When the hash-integrity task tries to hash system binaries (e.g., C:\Windows\System32\cmd.exe), the path is blocked by the sandbox, producing a false-positive high-severity finding about the tool failing rather than actual integrity concerns.
Reproduction
wraithrun --dry-run --task hash-integrity
# Finding: "hash_binary path blocked by sandbox policy"
Expected Behavior
C:\Windows\System32 (read-only) should be in the allowed read roots for hash_binary, since hashing system binaries is the core purpose of this tool on Windows.
Affected Files
cyber_tools/src/lib.rs (allowed_read_roots configuration)
Description
The
hash_binarytool'sallowed_read_rootson Windows only includesC:\ProgramDataandC:\Windows\System32\winevt\Logs. It does not includeC:\Windows\System32itself.When the
hash-integritytask tries to hash system binaries (e.g.,C:\Windows\System32\cmd.exe), the path is blocked by the sandbox, producing a false-positive high-severity finding about the tool failing rather than actual integrity concerns.Reproduction
wraithrun --dry-run --task hash-integrity # Finding: "hash_binary path blocked by sandbox policy"Expected Behavior
C:\Windows\System32(read-only) should be in the allowed read roots forhash_binary, since hashing system binaries is the core purpose of this tool on Windows.Affected Files
cyber_tools/src/lib.rs(allowed_read_rootsconfiguration)