fix(exec): match bare * wildcard in allowlist entries (#25082)

The matchAllowlist() function skipped patterns without path separators
(/, \, ~), causing a bare "*" wildcard entry to never reach the glob
matcher. Since glob's single * maps to [^/]*, it would also fail against
absolute paths. Handle bare "*" as a special case that matches any
resolved executable path.

Closes #25082

src/infra/exec-command-resolution.ts

@@ -223,7 +223,17 @@ export function matchAllowlist(
   entries: ExecAllowlistEntry[],
   resolution: CommandResolution | null,
 ): ExecAllowlistEntry | null {
-  if (!entries.length || !resolution?.resolvedPath) {
+  if (!entries.length) {
+    return null;
+  }
+  // A bare "*" wildcard allows any command regardless of resolution.
+  // Check it before the resolvedPath guard so that unresolvable commands
+  // (e.g. Windows executables without known extensions) still match.
+  const bareWild = entries.find((e) => e.pattern?.trim() === "*");
+  if (bareWild && resolution) {
+    return bareWild;
+  }
+  if (!resolution?.resolvedPath) {
     return null;
   }
   const resolvedPath = resolution.resolvedPath;
@@ -232,6 +242,12 @@ export function matchAllowlist(
     if (!pattern) {
       continue;
     }
+    // A bare "*" wildcard means "allow any executable". Match immediately
+    // without going through glob expansion (glob `*` maps to `[^/]*` which
+    // would fail on absolute paths containing slashes).
+    if (pattern === "*") {
+      return entry;
+    }
     const hasPath = pattern.includes("/") || pattern.includes("\\") || pattern.includes("~");
     if (!hasPath) {
       continue;