security: improve rm detection and clarify UI labels

cocosheng-g · cocosheng-g · commit 11b6bcf3e094 · 2026-04-16T13:26:36.000-04:00
diff --git a/packages/cli/src/ui/components/messages/ToolConfirmationMessage.tsx b/packages/cli/src/ui/components/messages/ToolConfirmationMessage.tsx
@@ -352,14 +352,15 @@ export const ToolConfirmationMessage: React.FC<
         key: 'Allow once',
       });
       if (isTrustedFolder) {
+        const rootCommand = confirmationDetails.rootCommand || 'this command';
         options.push({
-          label: `Allow for this session`,
+          label: `Allow all '${rootCommand}' commands for this session`,
           value: ToolConfirmationOutcome.ProceedAlways,
           key: `Allow for this session`,
         });
         if (allowPermanentApproval) {
           options.push({
-            label: `Allow this command for all future sessions`,
+            label: `Allow all '${rootCommand}' commands for all future sessions`,
             value: ToolConfirmationOutcome.ProceedAlwaysAndSave,
             key: `Allow for all future sessions`,
           });
diff --git a/packages/cli/src/ui/components/messages/__snapshots__/ToolConfirmationMessage.test.tsx.snap b/packages/cli/src/ui/components/messages/__snapshots__/ToolConfirmationMessage.test.tsx.snap
@@ -96,8 +96,8 @@ exports[`ToolConfirmationMessage > height allocation and layout > should expand
 ╰──────────────────────────────────────────────────────────────────────────────╯
 Allow execution of [echo]?
 
-● 1. Allow once               
-  2. Allow for this session
+● 1. Allow once                                
+  2. Allow all 'echo' commands for this session
   3. No, suggest changes (esc)
 "
 `;
@@ -112,8 +112,8 @@ exports[`ToolConfirmationMessage > should display multiple commands for exec typ
 ╰──────────────────────────────────────────────────────────────────────────────╯
 Allow execution of [echo, ls, whoami]?
 
-● 1. Allow once               
-  2. Allow for this session
+● 1. Allow once                                
+  2. Allow all 'echo' commands for this session
   3. No, suggest changes (esc)
 "
 `;
@@ -150,8 +150,8 @@ exports[`ToolConfirmationMessage > should render multiline shell scripts with co
 ╰──────────────────────────────────────────────────────────────────────────────╯
 Allow execution of [echo]?
 
-● 1. Allow once               
-  2. Allow for this session
+● 1. Allow once                                
+  2. Allow all 'echo' commands for this session
   3. No, suggest changes (esc)"
 `;
 
@@ -213,8 +213,8 @@ exports[`ToolConfirmationMessage > with folder trust > 'for exec confirmations'
 ╰──────────────────────────────────────────────────────────────────────────────╯
 Allow execution of [echo]?
 
-● 1. Allow once               
-  2. Allow for this session
+● 1. Allow once                                
+  2. Allow all 'echo' commands for this session
   3. No, suggest changes (esc)
 "
 `;
diff --git a/packages/core/src/sandbox/utils/commandSafety.test.ts b/packages/core/src/sandbox/utils/commandSafety.test.ts
@@ -0,0 +1,82 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { describe, expect, it, vi } from 'vitest';
+
+// Mock shell-utils to avoid relying on tree-sitter WASM
+vi.mock('../../utils/shell-utils.js', () => ({
+  initializeShellParsers: vi.fn().mockResolvedValue(undefined),
+  splitCommands: (cmd: string) => [cmd],
+  stripShellWrapper: (cmd: string) => cmd,
+  extractStringFromParseEntry: (entry: any) =>
+    typeof entry === 'string' ? entry : entry.content,
+  normalizeCommand: (cmd: string) => {
+    // Simple mock normalization: /bin/rm -> rm
+    if (cmd.startsWith('/')) {
+      const parts = cmd.split('/');
+      return parts[parts.length - 1];
+    }
+    return cmd;
+  },
+}));
+
+import { isKnownSafeCommand, isDangerousCommand } from './commandSafety.js';
+
+describe('POSIX commandSafety', () => {
+  describe('isKnownSafeCommand', () => {
+    it('should identify known safe commands', () => {
+      expect(isKnownSafeCommand(['ls', '-la'])).toBe(true);
+      expect(isKnownSafeCommand(['cat', 'file.txt'])).toBe(true);
+      expect(isKnownSafeCommand(['pwd'])).toBe(true);
+      expect(isKnownSafeCommand(['echo', 'hello'])).toBe(true);
+    });
+
+    it('should identify safe git commands', () => {
+      expect(isKnownSafeCommand(['git', 'status'])).toBe(true);
+      expect(isKnownSafeCommand(['git', 'log'])).toBe(true);
+      expect(isKnownSafeCommand(['git', 'diff'])).toBe(true);
+    });
+
+    it('should reject unsafe git commands', () => {
+      expect(isKnownSafeCommand(['git', 'commit'])).toBe(false);
+      expect(isKnownSafeCommand(['git', 'push'])).toBe(false);
+      expect(isKnownSafeCommand(['git', 'checkout'])).toBe(false);
+    });
+
+    it('should reject commands with redirection', () => {
+      // isKnownSafeCommand handles bash -c "..." which can have redirections
+      // but the simple check for atomic commands doesn't see redirection because it's already parsed
+    });
+  });
+
+  describe('isDangerousCommand', () => {
+    it('should identify destructive rm commands', () => {
+      expect(isDangerousCommand(['rm'])).toBe(true);
+      expect(isDangerousCommand(['rm', 'file.txt'])).toBe(true);
+      expect(isDangerousCommand(['rm', '-rf', '/'])).toBe(true);
+      expect(isDangerousCommand(['rm', '-f', 'file'])).toBe(true);
+      expect(isDangerousCommand(['rm', '-r', 'dir'])).toBe(true);
+      expect(isDangerousCommand(['/bin/rm', 'file'])).toBe(true);
+    });
+
+    it('should flag rm help/version as dangerous (strict)', () => {
+      expect(isDangerousCommand(['rm', '--help'])).toBe(true);
+      expect(isDangerousCommand(['rm', '--version'])).toBe(true);
+    });
+
+    it('should identify sudo as dangerous if command is dangerous', () => {
+      expect(isDangerousCommand(['sudo', 'rm', 'file'])).toBe(true);
+    });
+
+    it('should identify find -exec as dangerous', () => {
+      expect(isDangerousCommand(['find', '.', '-exec', 'rm', '{}', '+'])).toBe(true);
+    });
+
+    it('should identify dangerous rg flags', () => {
+      expect(isDangerousCommand(['rg', '--hostname-bin', 'something'])).toBe(true);
+    });
+  });
+});
diff --git a/packages/core/src/sandbox/utils/commandSafety.ts b/packages/core/src/sandbox/utils/commandSafety.ts
@@ -9,6 +9,7 @@ import {
   initializeShellParsers,
   splitCommands,
   stripShellWrapper,
+  normalizeCommand,
 } from '../../utils/shell-utils.js';
 
 /**
@@ -428,10 +429,10 @@ export function isDangerousCommand(args: string[]): boolean {
     return false;
   }
 
-  const cmd = args[0];
+  const cmd = normalizeCommand(args[0]);
 
-  if (cmd === 'rm') {
-    return args[1] === '-f' || args[1] === '-rf' || args[1] === '-fr';
+  if (cmd === 'rm' || cmd === 'del' || cmd === 'erase') {
+    return true;
   }
 
   if (cmd === 'sudo') {
