/**
 * Pattern lists for dangerous shell-tool allow-rule prefixes.
 *
 * An allow rule like `Bash(python:*)` or `PowerShell(node:*)` lets the model
 * run arbitrary code via that interpreter, bypassing the auto-mode classifier.
 * These lists feed the isDangerous{Bash,PowerShell}Permission predicates in
 * permissionSetup.ts, which strip such rules at auto-mode entry.
 *
 * The matcher in each predicate handles the rule-shape variants (exact, `:*`,
 * trailing `*`, ` *`, ` -…*`); it is not a free-text prefix match, so each
 * multi-word launcher needs its own entry. PS-specific cmdlet strings live in
 * isDangerousPowerShellPermission (permissionSetup.ts).
 */

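/**
 * Cross-platform code-execution entry points present on both Unix and Windows.
 * Shared to prevent the two lists drifting apart on interpreter additions.
 *
 * Entries are matched by the predicates in permissionSetup.ts using the
 * rule-shape variants described in the file header, not as a free prefix.
 * That is why multi-word launchers (`npm run`, `pnpm dlx`, …) need their own
 * entry alongside the bare tool name. This is a denylist: it can only name
 * entry points we know about, so keep each group below in sync when a new
 * interpreter or package runner is adopted.
 */
export const CROSS_PLATFORM_CODE_EXEC = [
  // Interpreters: `<tool> <file>` or `<tool> -e/-c <code>` runs arbitrary code
  'python',
  'python3',
  'python2',
  'node',
  'deno',
  // bare `bun <file>` / `bun -e` executes like `node`; `bun run` / `bunx` are
  // separate entries because the matcher is exact-shape
  'bun',
  'tsx',
  'ruby',
  'perl',
  'php',
  'lua',
  // Package runners: fetch-and-execute of arbitrary packages or project scripts
  'npx',
  'bunx',
  // npm 7+ / Yarn 2+ / pnpm equivalents of npx
  'npm exec',
  'yarn dlx',
  'pnpm dlx',
  'pnpm exec',
  'yarn exec',
  'npm run',
  'yarn run',
  'pnpm run',
  'bun run',
  // Shells reachable from both (Git Bash / WSL on Windows, native on Unix)
  'bash',
  'sh',
  // Remote arbitrary-command wrapper (native OpenSSH on Win10+)
  'ssh',
] as const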
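/**
 * Bash-tool allow-rule prefixes that are stripped at auto-mode entry.
 *
 * Unix-only additions on top of CROSS_PLATFORM_CODE_EXEC: other shells
 * (equivalent to `sh` / `bash`) and command wrappers that execute whatever
 * follows them (equivalent to `env` / `xargs` / `sudo`). The matcher is
 * exact-shape (see the file header), so each wrapper needs its own entry.
 *
 * The trailing ant-only group is decided once, at module load, from
 * process.env.USER_TYPE.
 */
export const DANGEROUS_BASH_PATTERNS: readonly string[] = [
  ...CROSS_PLATFORM_CODE_EXEC,
  // Shells
  'zsh',
  'fish',
  'dash',
  'ksh',
  // Builtins and wrappers that run their argument as a command
  'eval',
  'exec',
  'env',
  'xargs',
  'sudo',
  'su',
  'nohup',
  'timeout',
  'nice',
  'time',
  // Anthropic internal: ant-only tools plus general tools that ant sandbox
  // dotfile data shows are commonly over-allowlisted as broad prefixes.
  // These stay ant-only — external users don't have coo, and the rest are
  // an empirical-risk call grounded in ant sandbox data, not a universal
  // "this tool is unsafe" judgment. PS may want these once it has usage data.
  ...(process.env.USER_TYPE === 'ant'
    ? [
        'fa run',
        // Cluster code launcher — arbitrary code on the cluster
        'coo',
        // Network/exfil: gh gist create --public, gh api arbitrary HTTP,
        // curl/wget POST. gh api needs its own entry — the matcher is
        // exact-shape, not prefix, so pattern 'gh' alone does not catch
        // rule 'gh api:*' (same reason 'npm run' is separate from 'npm').
        'gh',
        'gh api',
        'curl',
        'wget',
        // git config core.sshCommand / hooks install = arbitrary code
        'git',
        // Cloud resource writes (s3 public buckets, k8s mutations)
        'kubectl',
        'aws',
        'gcloud',
        'gsutil',
      ]
    : []),
]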