fix(trust): hash unchanged empty buffers as empty files #39027

Problem: `vim.secure.trust()` hashes an unchanged empty buffer as a newline, so trusting an empty file by buffer never works. Solution: Hash unchanged empty-buffers `''` so buffer-based trust matches the on-disk empty file.
author: Barrett Ruth <62671086+barrettruth@users.noreply.github.com> 2026-04-23 15:01:37 -0400
committer: GitHub <noreply@github.com> 2026-04-23 15:01:37 -0400
commit: 0a8218a2b40fa8f6b533605db4377ff89250711c (patch)
tree: 179f421f89984739b70b5b903a96a19a47f159a4
parent: 398f2c108d8ee3ce7ac950b60520a9569b63da67 (diff)
3 files changed, 39 insertions, 5 deletions
diff --git a/runtime/lua/vim/secure.lua b/runtime/lua/vim/secure.lua
index 9f5463ac98..4a89139679 100644
--- a/runtime/lua/vim/secure.lua
+++ b/runtime/lua/vim/secure.lua
@@ -39,11 +39,18 @@ local function compute_hash(fullpath, bufnr)
   end
 
   if bufnr then
-    local newline = vim.bo[bufnr].fileformat == 'unix' and '\n' or '\r\n'
-    contents =
-      table.concat(vim.api.nvim_buf_get_lines(bufnr --[[@as integer]], 0, -1, false), newline)
-    if vim.bo[bufnr].endofline then
-      contents = contents .. newline
+    local is_unchanged_empty = vim.api.nvim_buf_call(bufnr, function()
+      return not vim.bo[bufnr].modified and vim.fn.line2byte(1) == -1
+    end)
+    if is_unchanged_empty then
+      contents = ''
+    else
+      local newline = vim.bo[bufnr].fileformat == 'unix' and '\n' or '\r\n'
+      contents =
+        table.concat(vim.api.nvim_buf_get_lines(bufnr --[[@as integer]], 0, -1, false), newline)
+      if vim.bo[bufnr].endofline then
+        contents = contents .. newline
+      end
     end
   else
     do
diff --git a/test/functional/ex_cmds/trust_spec.lua b/test/functional/ex_cmds/trust_spec.lua
index 5b6210bd3c..5e4c428356 100644
--- a/test/functional/ex_cmds/trust_spec.lua
+++ b/test/functional/ex_cmds/trust_spec.lua
@@ -13,15 +13,18 @@ local fn = n.fn
 describe(':trust', function()
   local xstate = 'Xstate_ex_trust'
   local test_file = 'Xtest_functional_ex_cmds_trust'
+  local empty_file = 'Xtest_functional_ex_cmds_trust_empty'
 
   before_each(function()
     n.mkdir_p(xstate .. pathsep .. (is_os('win') and 'nvim-data' or 'nvim'))
     t.write_file(test_file, 'test')
+    t.write_file(empty_file, '')
     clear { env = { XDG_STATE_HOME = xstate } }
   end)
 
   after_each(function()
     os.remove(test_file)
+    os.remove(empty_file)
     n.rmdir(xstate)
   end)
 
@@ -54,6 +57,16 @@ describe(':trust', function()
     eq(string.format(''), vim.trim(trust))
   end)
 
+  it('trust an empty file using current buffer', function()
+    local cwd = fn.getcwd()
+    local hash = fn.sha256(assert(t.read_file(empty_file)))
+
+    command('edit ' .. empty_file)
+    matches('^Allowed in trust database%: ".*' .. empty_file .. '"$', exec_capture('trust'))
+    local trust = t.read_file(fn.stdpath('state') .. pathsep .. 'trust')
+    eq(string.format('%s %s', hash, cwd .. pathsep .. empty_file), vim.trim(trust))
+  end)
+
   it('deny then trust then remove a file using current buffer', function()
     local cwd = fn.getcwd()
     local hash = fn.sha256(assert(t.read_file(test_file)))
diff --git a/test/functional/lua/secure_spec.lua b/test/functional/lua/secure_spec.lua
index c7cb1005fd..94df31bf27 100644
--- a/test/functional/lua/secure_spec.lua
+++ b/test/functional/lua/secure_spec.lua
@@ -274,6 +274,7 @@ describe('vim.secure', function()
   describe('trust()', function()
     local xstate = 'Xstate_lua_secure'
     local test_file = 'Xtest_functional_lua_secure'
+    local empty_file = 'Xtest_functional_lua_secure_empty'
     local test_dir = 'Xtest_functional_lua_secure_dir'
 
     setup(function()
@@ -283,11 +284,13 @@ describe('vim.secure', function()
     before_each(function()
       n.mkdir_p(xstate .. pathsep .. (is_os('win') and 'nvim-data' or 'nvim'))
       t.write_file(test_file, 'test')
+      t.write_file(empty_file, '')
       t.mkdir(test_dir)
     end)
 
     after_each(function()
       os.remove(test_file)
+      os.remove(empty_file)
       n.rmdir(test_dir)
       n.rmdir(xstate)
     end)
@@ -325,6 +328,17 @@ describe('vim.secure', function()
       eq('', vim.trim(trust))
     end)
 
+    it('trust an empty file using bufnr', function()
+      local cwd = fn.getcwd()
+      local hash = fn.sha256(assert(read_file(empty_file)))
+      local full_path = cwd .. pathsep .. empty_file
+
+      command('edit ' .. empty_file)
+      eq({ true, full_path }, exec_lua([[return {vim.secure.trust({action='allow', bufnr=0})}]]))
+      local trust = assert(read_file(stdpath('state') .. pathsep .. 'trust'))
+      eq(string.format('%s %s', hash, full_path), vim.trim(trust))
+    end)
+
     it('deny then trust then remove a file using bufnr', function()
       local cwd = fn.getcwd()
       local hash = fn.sha256(assert(read_file(test_file)))
author	Barrett Ruth <62671086+barrettruth@users.noreply.github.com>	2026-04-23 15:01:37 -0400
committer	GitHub <noreply@github.com>	2026-04-23 15:01:37 -0400
commit	0a8218a2b40fa8f6b533605db4377ff89250711c (patch)
tree	179f421f89984739b70b5b903a96a19a47f159a4
parent	398f2c108d8ee3ce7ac950b60520a9569b63da67 (diff)