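--- /dev/null
+++ b/packages/core/src/sandbox/utils/commandSafety.test.ts
@@ -0,0 +1,91 @@
+/**
+* @license
+* Copyright 2026 Google LLC
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+import { describe, expect, it, vi } from 'vitest';
+
+// Mock shell-utils to avoid relying on tree-sitter WASM
+vi.mock('../../utils/shell-utils.js', () => ({
+initializeShellParsers: vi.fn().mockResolvedValue(undefined),
+splitCommands: (cmd: string) => [cmd],
+stripShellWrapper: (cmd: string) => cmd,
+extractStringFromParseEntry: (entry: unknown) => {
+if (typeof entry === 'string') return entry;
+if (entry && typeof entry === 'object' && 'content' in entry) {
+return (entry as { content: string }).content;
+}
+return '';
+},
+normalizeCommand: (cmd: string) => {
+// Simple mock normalization: /bin/rm -> rm
+if (cmd.startsWith('/')) {
+const parts = cmd.split('/');
+return parts[parts.length - 1];
+}
+return cmd;
+},
+}));
+
+import { isKnownSafeCommand, isDangerousCommand } from './commandSafety.js';
+
+describe('POSIX commandSafety', () => {
+describe('isKnownSafeCommand', () => {
+it('should identify known safe commands', () => {
+expect(isKnownSafeCommand(['ls', '-la'])).toBe(true);
+expect(isKnownSafeCommand(['cat', 'file.txt'])).toBe(true);
+expect(isKnownSafeCommand(['pwd'])).toBe(true);
+expect(isKnownSafeCommand(['echo', 'hello'])).toBe(true);
+});
+
+it('should identify safe git commands', () => {
+expect(isKnownSafeCommand(['git', 'status'])).toBe(true);
+expect(isKnownSafeCommand(['git', 'log'])).toBe(true);
+expect(isKnownSafeCommand(['git', 'diff'])).toBe(true);
+});
+
+it('should reject unsafe git commands', () => {
+expect(isKnownSafeCommand(['git', 'commit'])).toBe(false);
+expect(isKnownSafeCommand(['git', 'push'])).toBe(false);
+expect(isKnownSafeCommand(['git', 'checkout'])).toBe(false);
+});
+
+it('should reject commands with redirection', () => {
+// isKnownSafeCommand handles bash -c "..." which can have redirections
+// but the simple check for atomic commands doesn't see redirection because it's already parsed
+});
+});
+
+describe('isDangerousCommand', () => {
+it('should identify destructive rm commands', () => {
+expect(isDangerousCommand(['rm'])).toBe(true);
+expect(isDangerousCommand(['rm', 'file.txt'])).toBe(true);
+expect(isDangerousCommand(['rm', '-rf', '/'])).toBe(true);
+expect(isDangerousCommand(['rm', '-f', 'file'])).toBe(true);
+expect(isDangerousCommand(['rm', '-r', 'dir'])).toBe(true);
+expect(isDangerousCommand(['/bin/rm', 'file'])).toBe(true);
+});
+
+it('should flag rm help/version as dangerous (strict)', () => {
+expect(isDangerousCommand(['rm', '--help'])).toBe(true);
+expect(isDangerousCommand(['rm', '--version'])).toBe(true);
+});
+
+it('should identify sudo as dangerous if command is dangerous', () => {
+expect(isDangerousCommand(['sudo', 'rm', 'file'])).toBe(true);
+});
+
+it('should identify find -exec as dangerous', () => {
+expect(isDangerousCommand(['find', '.', '-exec', 'rm', '{}', '+'])).toBe(
+true,
+);
+});
+
+it('should identify dangerous rg flags', () => {
+expect(isDangerousCommand(['rg', '--hostname-bin', 'something'])).toBe(
+true,
+);
+});
+});
+});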
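Review bot: The `should reject commands with redirection` case near the end of the `isKnownSafeCommand` block contains only comments and no assertion, so it passes vacuously and gives no signal about redirection handling; either give it a real expectation or mark it `it.todo('should reject commands with redirection')` so the gap stays visible in the test report. Separately, the mocked `normalizeCommand` only strips a leading-slash path and the mocked `splitCommands` returns its input unchanged, so the `['/bin/rm', 'file']` and `find -exec` cases are validated against the mock rather than the real parser. A comment on the `vi.mock` block such as `// NOTE: path stripping and command splitting are stubbed here; these cases do not prove the real shell-utils behaviour` would stop the next reader from treating this file as end-to-end coverage of the safety check.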
5 changes: 3 additions & 2 deletions packages/core/src/sandbox/utils/commandSafety.ts
Expand Up @@ -9,6 +9,7 @@ import {
initializeShellParsers,
splitCommands,
stripShellWrapper,
normalizeCommand,
} from '../../utils/shell-utils.js';

/**
Expand Down Expand Up @@ -428,10 +429,10 @@ export function isDangerousCommand(args: string[]): boolean {
return false;
}

const cmd = args[0];
const cmd = normalizeCommand(args[0]);
security-high high

The isDangerousCommand function is vulnerable to bypass when sudo is used with flags (e.g., sudo -u root rm). The recursive call isDangerousCommand(args.slice(1)) in the sudo block (lines 438-440) incorrectly processes the arguments, causing normalizeCommand to check a flag like -u instead of the actual dangerous command. This allows dangerous commands to be executed without detection, circumventing safety logic like YOLO mode overrides or user prompts.

References
  1. Correct identification of dangerous commands is essential for the system to apply safety policies, such as YOLO mode's 'ALLOW' decision or the default 'ASK_USER' prompt.


if (cmd === 'rm') {
return args[1] === '-f' || args[1] === '-rf' || args[1] === '-fr';
return true;
}

if (cmd === 'sudo') {
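Review bot: The `rm` branch now returns `true` unconditionally, replacing the old `-f`/`-rf`/`-fr` flag check, but nothing in the hunk records that this strictness is deliberate; the new tests assert that even `rm --help` and `rm --version` are dangerous, so a later maintainer could easily "fix" it back to a flag allow-list. Add `// Strict by design: any rm invocation is treated as dangerous, including --help/--version, because deletion flags are trivial to smuggle past a flag check.` above the `if (cmd === 'rm')` line. The new `normalizeCommand(args[0])` call is relied on for path stripping, yet the hunk does not show what else it does on POSIX (case folding, relative paths like `./rm`), so a one-line comment naming the contract this file assumes would help too. The remainder of isDangerousCommand, including the sudo block, continues outside the hunk.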
6 changes: 6 additions & 0 deletions packages/core/src/sandbox/windows/commandSafety.test.ts
Expand Up @@ -34,6 +34,12 @@ describe('Windows commandSafety', () => {
expect(isDangerousCommand(['cmd', '/c', 'dir'])).toBe(true);
});

it('should identify path-qualified dangerous commands', () => {
expect(
isDangerousCommand(['C:\\Windows\\System32\\del.exe', 'file.txt']),
).toBe(true);
});

it('should strip .exe extension for dangerous commands', () => {
expect(isDangerousCommand(['del.exe', 'file.txt'])).toBe(true);
expect(isDangerousCommand(['POWERSHELL.EXE', '-Command', 'echo'])).toBe(
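Review bot: The new path-qualified case uses `C:\\Windows\\System32\\del.exe`, which is not a real binary — `del` is a cmd.exe builtin — so the fixture exercises path stripping with a name that can never appear in practice; `C:\\Windows\\System32\\cmd.exe` would be a more credible fixture, since `cmd` is already asserted dangerous by the `['cmd', '/c', 'dir']` case just above. It would also be worth adding a forward-slash variant such as `expect(isDangerousCommand(['C:/Windows/System32/cmd.exe', '/c', 'dir'])).toBe(true);` to pin whether `normalizeCommand` handles both separators, because Node and many shells accept either on Windows and the hunk does not show which the helper strips. The enclosing describe block starts and ends outside the hunk.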
6 changes: 2 additions & 4 deletions packages/core/src/sandbox/windows/commandSafety.ts
Expand Up @@ -9,6 +9,7 @@ import {
initializeShellParsers,
splitCommands,
stripShellWrapper,
normalizeCommand,
} from '../../utils/shell-utils.js';

/**
Expand Down Expand Up @@ -119,10 +120,7 @@ export function isKnownSafeCommand(args: string[]): boolean {
*/
export function isDangerousCommand(args: string[]): boolean {
if (!args || args.length === 0) return false;
let cmd = args[0].toLowerCase();
if (cmd.endsWith('.exe')) {
cmd = cmd.slice(0, -4);
}
const cmd = normalizeCommand(args[0]);
security-high high

The isDangerousCommand function on Windows has multiple bypass vulnerabilities. Firstly, normalizeCommand does not account for trailing dots or other executable extensions (like .bat, .cmd). This allows an attacker to bypass dangerous command detection by appending a dot to a dangerous command name (e.g., powershell. resolves to powershell.exe). Secondly, the common PowerShell alias rm for Remove-Item is not explicitly flagged as dangerous, creating a security gap. Both issues allow dangerous commands to be executed without detection, preventing the system from correctly applying safety policies.

Suggested change
const cmd = normalizeCommand(args[0]);
const cmd = normalizeCommand(args[0]);
if (cmd === 'rm') return true;
References
  1. Correct identification of dangerous commands is essential for the system to apply safety policies, such as YOLO mode's 'ALLOW' decision or the default 'ASK_USER' prompt.


const dangerous = new Set([
'del',
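Review bot: The removed lines lowercased `args[0]` explicitly before stripping `.exe`, and the new `const cmd = normalizeCommand(args[0]);` is now the only place case folding can happen, yet nothing in this file states that `normalizeCommand` lowercases; the `dangerous` set that follows is all lowercase, so if the helper does not fold case, `DEL.EXE` or `PowerShell` would silently stop matching. The `POWERSHELL.EXE` test in this PR suggests it does, but that is an inference from a test, not a documented contract of a helper that is shared with the POSIX checker where case folding is a separate question. Either add `// normalizeCommand must lowercase and strip the executable suffix; the dangerous set below is lowercase-only` above the line, or fold case locally with `const cmd = normalizeCommand(args[0]).toLowerCase();` so this file's correctness does not hinge on the shared helper's behaviour. The function body continues outside the hunk.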