polymech/mono
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6e60dfc9fb
mono/packages/kbot/ref/utils/bash/ast.ts
Babayaga 91c6412491 map widget
2026-04-01 01:05:48 +02:00

2680 lines
109 KiB
TypeScript
Raw Blame History

/**
* AST-based bash command analysis using tree-sitter.
*
* This module replaces the shell-quote + hand-rolled char-walker approach in
* bashSecurity.ts / commands.ts. Instead of detecting parser differentials
* one-by-one, we parse with tree-sitter-bash and walk the tree with an
* EXPLICIT allowlist of node types. Any node type not in the allowlist causes
* the entire command to be classified as 'too-complex', which means it goes
* through the normal permission prompt flow.
*
* The key design property is FAIL-CLOSED: we never interpret structure we
* don't understand. If tree-sitter produces a node we haven't explicitly
* allowlisted, we refuse to extract argv and the caller must ask the user.
*
* This is NOT a sandbox. It does not prevent dangerous commands from running.
* It answers exactly one question: "Can we produce a trustworthy argv[] for
* each simple command in this string?" If yes, downstream code can match
* argv[0] against permission rules and flag allowlists. If no, ask the user.
*/
import { SHELL_KEYWORDS } from './bashParser.js'
import type { Node } from './parser.js'
import { PARSE_ABORTED, parseCommandRaw } from './parser.js'
export type Redirect = {
op: '>' | '>>' | '<' | '<<' | '>&' | '>|' | '<&' | '&>' | '&>>' | '<<<'
target: string
fd?: number
}
export type SimpleCommand = {
/** argv[0] is the command name, rest are arguments with quotes already resolved */
argv: string[]
/** Leading VAR=val assignments */
envVars: { name: string; value: string }[]
/** Output/input redirects */
redirects: Redirect[]
/** Original source span for this command (for UI display) */
text: string
}
export type ParseForSecurityResult =
| { kind: 'simple'; commands: SimpleCommand[] }
| { kind: 'too-complex'; reason: string; nodeType?: string }
| { kind: 'parse-unavailable' }
/**
* Structural node types that represent composition of commands. We recurse
* through these to find the leaf `command` nodes. `program` is the root;
* `list` is `a && b || c`; `pipeline` is `a | b`; `redirected_statement`
* wraps a command with its redirects. Semicolon-separated commands appear
* as direct siblings under `program` (no wrapper node).
*/
const STRUCTURAL_TYPES = new Set([
'program',
'list',
'pipeline',
'redirected_statement',
])
/**
* Operator tokens that separate commands. These are leaf nodes that appear
* between commands in `list`/`pipeline`/`program` and carry no payload.
*/
const SEPARATOR_TYPES = new Set(['&&', '||', '|', ';', '&', '|&', '\n'])
/**
* Placeholder string used in outer argv when a $() is recursively extracted.
* The actual $() output is runtime-determined; the inner command(s) are
* checked against permission rules separately. Using a placeholder keeps
* the outer argv clean (no multi-line heredoc bodies polluting path
* extraction or triggering newline checks).
*/
const CMDSUB_PLACEHOLDER = '__CMDSUB_OUTPUT__'
/**
* Placeholder for simple_expansion ($VAR) references to variables set earlier
* in the same command via variable_assignment. Since we tracked the assignment,
* we know the var exists and its value is either a static string or
* __CMDSUB_OUTPUT__ (if set via $()). Either way, safe to substitute.
*/
const VAR_PLACEHOLDER = '__TRACKED_VAR__'
/**
* All placeholder strings. Used for defense-in-depth: if a varScope value
* contains ANY placeholder (exact or embedded), the value is NOT a pure
* literal and cannot be trusted as a bare argument. Covers composites like
* `VAR="prefix$(cmd)"` → `"prefix__CMDSUB_OUTPUT__"` — the substring check
* catches these where exact-match Set.has() would miss.
*
* Also catches user-typed literals that collide with placeholder strings:
* `VAR=__TRACKED_VAR__ && rm $VAR` — treated as non-literal (conservative).
*/
function containsAnyPlaceholder(value: string): boolean {
return value.includes(CMDSUB_PLACEHOLDER) || value.includes(VAR_PLACEHOLDER)
}
/**
* Unquoted $VAR in bash undergoes word-splitting (on $IFS: space/tab/NL)
* and pathname expansion (glob matching on * ? [). Our argv stores a
* single string — but at runtime bash may produce MULTIPLE args, or paths
* matched by a glob. A value containing these metacharacters cannot be
* trusted as a bare arg: `VAR="-rf /" && rm $VAR` → bash runs `rm -rf /`
* (two args) but our argv would have `['rm', '-rf /']` (one arg). Similarly
* `VAR="/etc/*" && cat $VAR` → bash expands to all /etc files.
*
* Inside double-quotes ("$VAR"), neither splitting nor globbing applies —
* the value IS a single literal argument.
*/
const BARE_VAR_UNSAFE_RE = /[ \t\n*?[]/
// stdbuf flag forms — hoisted from the wrapper-stripping while-loop
const STDBUF_SHORT_SEP_RE = /^-[ioe]$/
const STDBUF_SHORT_FUSED_RE = /^-[ioe]./
const STDBUF_LONG_RE = /^--(input|output|error)=/
/**
* Known-safe environment variables that bash sets automatically. Their values
* are controlled by the shell/OS, not arbitrary user input. Referencing these
* via $VAR is safe — the expansion is deterministic and doesn't introduce
* injection risk. Covers `$HOME`, `$PWD`, `$USER`, `$PATH`, `$SHELL`, etc.
* Intentionally small: only vars that are always set by bash/login and whose
* values are paths/names (not arbitrary content).
*/
const SAFE_ENV_VARS = new Set([
'HOME', // user's home directory
'PWD', // current working directory (bash maintains)
'OLDPWD', // previous directory
'USER', // current username
'LOGNAME', // login name
'SHELL', // user's login shell
'PATH', // executable search path
'HOSTNAME', // machine hostname
'UID', // user id
'EUID', // effective user id
'PPID', // parent process id
'RANDOM', // random number (bash builtin)
'SECONDS', // seconds since shell start
'LINENO', // current line number
'TMPDIR', // temp directory
// Special bash variables — always set, values are shell-controlled:
'BASH_VERSION', // bash version string
'BASHPID', // current bash process id
'SHLVL', // shell nesting level
'HISTFILE', // history file path
'IFS', // field separator (NOTE: only safe INSIDE strings; as bare arg
// $IFS is the classic injection primitive and the insideString
// gate in resolveSimpleExpansion correctly blocks it)
])
/**
* Special shell variables ($?, $$, $!, $#, $0-$9). tree-sitter uses
* `special_variable_name` for these (not `variable_name`). Values are
* shell-controlled: exit status, PIDs, positional args. Safe to resolve
* ONLY inside strings (same rationale as SAFE_ENV_VARS — as bare args
* their value IS the argument and might be a path/flag from $1 etc.).
*
* SECURITY: '@' and '*' are NOT in this set. Inside "...", they expand to
* the positional params — which are EMPTY in a fresh BashTool shell (how we
* always spawn). Returning VAR_PLACEHOLDER would lie: `git "push$*"` gives
* argv ['git','push__TRACKED_VAR__'] while bash passes ['git','push']. Deny
* rule Bash(git push:*) fails on both .text (raw `$*`) AND rebuilt argv
* (placeholder). With them removed, resolveSimpleExpansion falls through to
* tooComplex for `$*` / `$@`. `echo "args: $*"` becomes too-complex —
* acceptable (rare in BashTool usage; `"$@"` even rarer).
*/
const SPECIAL_VAR_NAMES = new Set([
'?', // exit status of last command
'$', // current shell PID
'!', // last background PID
'#', // number of positional params
'0', // script name
'-', // shell option flags
])
/**
* Node types that mean "this command cannot be statically analyzed." These
* either execute arbitrary code (substitutions, subshells, control flow) or
* expand to values we can't determine statically (parameter/arithmetic
* expansion, brace expressions).
*
* This set is not exhaustive — it documents KNOWN dangerous types. The real
* safety property is the allowlist in walkArgument/walkCommand: any type NOT
* explicitly handled there also triggers too-complex.
*/
const DANGEROUS_TYPES = new Set([
'command_substitution',
'process_substitution',
'expansion',
'simple_expansion',
'brace_expression',
'subshell',
'compound_statement',
'for_statement',
'while_statement',
'until_statement',
'if_statement',
'case_statement',
'function_definition',
'test_command',
'ansi_c_string',
'translated_string',
'herestring_redirect',
'heredoc_redirect',
])
/**
* Numeric IDs for analytics (logEvent doesn't accept strings). Index into
* DANGEROUS_TYPES. Append new entries at the end to keep IDs stable.
* 0 = unknown/other, -1 = ERROR (parse failure), -2 = pre-check.
*/
const DANGEROUS_TYPE_IDS = [...DANGEROUS_TYPES]
export function nodeTypeId(nodeType: string | undefined): number {
if (!nodeType) return -2
if (nodeType === 'ERROR') return -1
const i = DANGEROUS_TYPE_IDS.indexOf(nodeType)
return i >= 0 ? i + 1 : 0
}
/**
* Redirect operator tokens → canonical operator. tree-sitter produces these
* as child nodes of `file_redirect`.
*/
const REDIRECT_OPS: Record<string, Redirect['op']> = {
'>': '>',
'>>': '>>',
'<': '<',
'>&': '>&',
'<&': '<&',
'>|': '>|',
'&>': '&>',
'&>>': '&>>',
'<<<': '<<<',
}
/**
* Brace expansion pattern: {a,b} or {a..b}. Must have , or .. inside
* braces. We deliberately do NOT try to determine whether the opening brace
* is backslash-escaped: tree-sitter doesn't unescape backslashes, so
* distinguishing `\{a,b}` (escaped, literal) from `\\{a,b}` (literal
* backslash + expansion) would require reimplementing bash quote removal.
* Reject both — the escaped-brace case is rare and trivially rewritten
* with single quotes.
*/
const BRACE_EXPANSION_RE = /\{[^{}\s]*(,|\.\.)[^{}\s]*\}/
/**
* Control characters that bash silently drops but confuse static analysis.
* Includes CR (0x0D): tree-sitter treats CR as a word separator but bash's
* default IFS does not include CR, so tree-sitter and bash disagree on
* word boundaries.
*/
// eslint-disable-next-line no-control-regex
const CONTROL_CHAR_RE = /[\x00-\x08\x0B-\x1F\x7F]/
/**
* Unicode whitespace beyond ASCII. These render invisibly (or as regular
* spaces) in terminals so a user reviewing the command can't see them, but
* bash treats them as literal word characters. Blocks NBSP, zero-width
* spaces, line/paragraph separators, BOM.
*/
const UNICODE_WHITESPACE_RE =
/[\u00A0\u1680\u2000-\u200B\u2028\u2029\u202F\u205F\u3000\uFEFF]/
/**
* Backslash immediately before whitespace. bash treats `\ ` as a literal
* space inside the current word, but tree-sitter returns the raw text with
* the backslash still present. argv[0] from tree-sitter is `cat\ test`
* while bash runs `cat test` (with a literal space). Rather than
* reimplement bash's unescaping rules, we reject these — they're rare in
* practice and trivial to rewrite with quotes.
*
* Also matches `\` before newline (line continuation) when adjacent to a
* non-whitespace char. `tr\<NL>aceroute` — bash joins to `traceroute`, but
* tree-sitter splits into two words (differential). When `\<NL>` is preceded
* by whitespace (e.g. `foo && \<NL>bar`), there's no word to join — both
* parsers agree, so we allow it.
*/
const BACKSLASH_WHITESPACE_RE = /\\[ \t]|[^ \t\n\\]\\\n/
/**
* Zsh dynamic named directory expansion: ~[name]. In zsh this invokes the
* zsh_directory_name hook, which can run arbitrary code. bash treats it as
* a literal tilde followed by a glob character class. Since BashTool runs
* via the user's default shell (often zsh), reject conservatively.
*/
const ZSH_TILDE_BRACKET_RE = /~\[/
/**
* Zsh EQUALS expansion: word-initial `=cmd` expands to the absolute path of
* `cmd` (equivalent to `$(which cmd)`). `=curl evil.com` runs as
* `/usr/bin/curl evil.com`. tree-sitter parses `=curl` as a literal word, so
* a `Bash(curl:*)` deny rule matching on base command name won't see `curl`.
* Only matches word-initial `=` followed by a command-name char — `VAR=val`
* and `--flag=val` have `=` mid-word and are not expanded by zsh.
*/
const ZSH_EQUALS_EXPANSION_RE = /(?:^|[\s;&|])=[a-zA-Z_]/
/**
* Brace character combined with quote characters. Constructions like
* `{a'}',b}` use quoted braces inside brace expansion context to obfuscate
* the expansion from regex-based detection. In bash, `{a'}',b}` expands to
* `a} b` (the quoted `}` becomes literal inside the first alternative).
* These are hard to analyze correctly and have no legitimate use in
* commands we'd want to auto-allow.
*
* This check runs on a version of the command with `{` masked out of
* single-quoted and double-quoted spans, so JSON payloads like
* `curl -d '{"k":"v"}'` don't trigger a false positive. Brace expansion
* cannot occur inside quotes, so a `{` there can never start an obfuscation
* pattern. The quote characters themselves stay visible so `{a'}',b}` and
* `{@'{'0},...}` still match via the outer unquoted `{`.
*/
const BRACE_WITH_QUOTE_RE = /\{[^}]*['"]/
/**
* Mask `{` characters that appear inside single- or double-quoted contexts.
* Uses a single-pass bash-aware quote-state scanner instead of a regex.
*
* A naive regex (`/'[^']*'/g`) mis-detects spans when a `'` appears inside
* a double-quoted string: for `echo "it's" {a'}',b}`, it matches from the
* `'` in `it's` across to the `'` in `{a'}`, masking the unquoted `{` and
* producing a false negative. The scanner tracks actual bash quote state:
* `'` toggles single-quote only in unquoted context; `"` toggles
* double-quote only outside single quotes; `\` escapes the next char in
* unquoted context and escapes `"` / `\\` inside double quotes.
*
* Brace expansion is impossible in both quote contexts, so masking `{` in
* either is safe. Secondary defense: BRACE_EXPANSION_RE in walkArgument.
*/
function maskBracesInQuotedContexts(cmd: string): string {
// Fast path: no `{` → nothing to mask. Skips the char-by-char scan for
// the >90% of commands with no braces (`ls -la`, `git status`, etc).
if (!cmd.includes('{')) return cmd
const out: string[] = []
let inSingle = false
let inDouble = false
let i = 0
while (i < cmd.length) {
const c = cmd[i]!
if (inSingle) {
// Bash single quotes: no escapes, `'` always terminates.
if (c === "'") inSingle = false
out.push(c === '{' ? ' ' : c)
i++
} else if (inDouble) {
// Bash double quotes: `\` escapes `"` and `\` (also `$`, backtick,
// newline — but those don't affect quote state so we let them pass).
if (c === '\\' && (cmd[i + 1] === '"' || cmd[i + 1] === '\\')) {
out.push(c, cmd[i + 1]!)
i += 2
} else {
if (c === '"') inDouble = false
out.push(c === '{' ? ' ' : c)
i++
}
} else {
// Unquoted: `\` escapes any next char.
if (c === '\\' && i + 1 < cmd.length) {
out.push(c, cmd[i + 1]!)
i += 2
} else {
if (c === "'") inSingle = true
else if (c === '"') inDouble = true
out.push(c)
i++
}
}
}
return out.join('')
}
const DOLLAR = String.fromCharCode(0x24)
/**
* Parse a bash command string and extract a flat list of simple commands.
* Returns 'too-complex' if the command uses any shell feature we can't
* statically analyze. Returns 'parse-unavailable' if tree-sitter WASM isn't
* loaded — caller should fall back to conservative behavior.
*/
export async function parseForSecurity(
cmd: string,
): Promise<ParseForSecurityResult> {
// parseCommandRaw('') returns null (falsy check), so short-circuit here.
// Don't use .trim() — it strips Unicode whitespace (\u00a0 etc.) which the
// pre-checks in parseForSecurityFromAst need to see and reject.
if (cmd === '') return { kind: 'simple', commands: [] }
const root = await parseCommandRaw(cmd)
return root === null
? { kind: 'parse-unavailable' }
: parseForSecurityFromAst(cmd, root)
}
/**
* Same as parseForSecurity but takes a pre-parsed AST root so callers that
* need the tree for other purposes can parse once and share. Pre-checks
* still run on `cmd` — they catch tree-sitter/bash differentials that a
* successful parse doesn't.
*/
export function parseForSecurityFromAst(
cmd: string,
root: Node | typeof PARSE_ABORTED,
): ParseForSecurityResult {
// Pre-checks: characters that cause tree-sitter and bash to disagree on
// word boundaries. These run before tree-sitter because they're the known
// tree-sitter/bash differentials. Everything after this point trusts
// tree-sitter's tokenization.
if (CONTROL_CHAR_RE.test(cmd)) {
return { kind: 'too-complex', reason: 'Contains control characters' }
}
if (UNICODE_WHITESPACE_RE.test(cmd)) {
return { kind: 'too-complex', reason: 'Contains Unicode whitespace' }
}
if (BACKSLASH_WHITESPACE_RE.test(cmd)) {
return {
kind: 'too-complex',
reason: 'Contains backslash-escaped whitespace',
}
}
if (ZSH_TILDE_BRACKET_RE.test(cmd)) {
return {
kind: 'too-complex',
reason: 'Contains zsh ~[ dynamic directory syntax',
}
}
if (ZSH_EQUALS_EXPANSION_RE.test(cmd)) {
return {
kind: 'too-complex',
reason: 'Contains zsh =cmd equals expansion',
}
}
if (BRACE_WITH_QUOTE_RE.test(maskBracesInQuotedContexts(cmd))) {
return {
kind: 'too-complex',
reason: 'Contains brace with quote character (expansion obfuscation)',
}
}
const trimmed = cmd.trim()
if (trimmed === '') {
return { kind: 'simple', commands: [] }
}
if (root === PARSE_ABORTED) {
// SECURITY: module loaded but parse aborted (timeout / node budget /
// panic). Adversarially triggerable — `(( a[0][0]... ))` with ~2800
// subscripts hits PARSE_TIMEOUT_MICROS under the 10K length limit.
// Previously indistinguishable from module-not-loaded → routed to
// legacy (parse-unavailable), which lacks EVAL_LIKE_BUILTINS — `trap`,
// `enable`, `hash` leaked with Bash(*). Fail closed: too-complex → ask.
return {
kind: 'too-complex',
reason:
'Parser aborted (timeout or resource limit) — possible adversarial input',
nodeType: 'PARSE_ABORT',
}
}
return walkProgram(root)
}
function walkProgram(root: Node): ParseForSecurityResult {
// ERROR-node check folded into collectCommands — any unhandled node type
// (including ERROR) falls through to tooComplex() in the default branch.
// Avoids a separate full-tree walk for error detection.
const commands: SimpleCommand[] = []
// Track variables assigned earlier in the same command. When a
// simple_expansion ($VAR) references a tracked var, we can substitute
// a placeholder instead of returning too-complex. Enables patterns like
// `NOW=$(date) && jq --arg now "$NOW" ...` — $NOW is known to be the
// $(date) output (already extracted as inner command).
const varScope = new Map<string, string>()
const err = collectCommands(root, commands, varScope)
if (err) return err
return { kind: 'simple', commands }
}
/**
* Recursively collect leaf `command` nodes from a structural wrapper node.
* Returns an error result on any disallowed node type, or null on success.
*/
function collectCommands(
node: Node,
commands: SimpleCommand[],
varScope: Map<string, string>,
): ParseForSecurityResult | null {
if (node.type === 'command') {
// Pass `commands` as the innerCommands accumulator — any $() extracted
// during walkCommand gets appended alongside the outer command.
const result = walkCommand(node, [], commands, varScope)
if (result.kind !== 'simple') return result
commands.push(...result.commands)
return null
}
if (node.type === 'redirected_statement') {
return walkRedirectedStatement(node, commands, varScope)
}
if (node.type === 'comment') {
return null
}
if (STRUCTURAL_TYPES.has(node.type)) {
// SECURITY: `||`, `|`, `|&`, `&` must NOT carry varScope linearly. In bash:
// `||` RHS runs conditionally → vars set there MAY not be set
// `|`/`|&` stages run in subshells → vars set there are NEVER visible after
// `&` LHS runs in a background subshell → same as above
// Flag-omission attack: `true || FLAG=--dry-run && cmd $FLAG` — bash skips
// the `||` RHS (FLAG unset → $FLAG empty), runs `cmd` WITHOUT --dry-run.
// With linear scope, our argv has ['cmd','--dry-run'] → looks SAFE → bypass.
//
// Fix: snapshot incoming scope at entry. After these separators, reset to
// the snapshot — vars set in clauses between separators don't leak. `scope`
// for clauses BETWEEN `&&`/`;` chains shares state (common `VAR=x && cmd
// $VAR`). `scope` crosses `||`/`|`/`&` as the pre-structure snapshot only.
//
// `&&` and `;` DO carry scope: `VAR=x && cmd $VAR` is sequential, VAR is set.
//
// NOTE: `scope` and `varScope` diverge after the first `||`/`|`/`&`. The
// caller's varScope is only mutated for the `&&`/`;` prefix — this is
// conservative (vars set in `A && B | C && D` leak A+B into caller, not
// C+D) but safe.
//
// Efficiency: snapshot is only needed if we hit `||`/`|`/`|&`/`&`. For
// the dominant case (`ls`, `git status` — no such separators), skip the
// Map alloc via a cheap pre-scan. For `pipeline`, node.type already tells
// us stages are subshells — copy once at entry, no snapshot needed (each
// reset uses the entry copy pattern via varScope, which is untouched).
const isPipeline = node.type === 'pipeline'
let needsSnapshot = false
if (!isPipeline) {
for (const c of node.children) {
if (c && (c.type === '||' || c.type === '&')) {
needsSnapshot = true
break
}
}
}
const snapshot = needsSnapshot ? new Map(varScope) : null
// For `pipeline`, ALL stages run in subshells — start with a copy so
// nothing mutates caller's scope. For `list`/`program`, the `&&`/`;`
// chain mutates caller's scope (sequential); fork only on `||`/`&`.
let scope = isPipeline ? new Map(varScope) : varScope
for (const child of node.children) {
if (!child) continue
if (SEPARATOR_TYPES.has(child.type)) {
if (
child.type === '||' ||
child.type === '|' ||
child.type === '|&' ||
child.type === '&'
) {
// For pipeline: varScope is untouched (we started with a copy).
// For list/program: snapshot is non-null (pre-scan set it).
// `|`/`|&` only appear under `pipeline` nodes; `||`/`&` under list.
scope = new Map(snapshot ?? varScope)
}
continue
}
const err = collectCommands(child, commands, scope)
if (err) return err
}
return null
}
if (node.type === 'negated_command') {
// `! cmd` inverts exit code only — doesn't execute code or affect
// argv. Recurse into the wrapped command. Common in CI: `! grep err`,
// `! test -f lock`, `! git diff --quiet`.
for (const child of node.children) {
if (!child) continue
if (child.type === '!') continue
return collectCommands(child, commands, varScope)
}
return null
}
if (node.type === 'declaration_command') {
// `export`/`local`/`readonly`/`declare`/`typeset`. tree-sitter emits
// these as declaration_command, not command, so they previously fell
// through to tooComplex. Values are validated via walkVariableAssignment:
// `$()` in the value is recursively extracted (inner command pushed to
// commands[], outer argv gets CMDSUB_PLACEHOLDER); other disallowed
// expansions still reject via walkArgument. argv[0] is the builtin name so
// `Bash(export:*)` rules match.
const argv: string[] = []
for (const child of node.children) {
if (!child) continue
switch (child.type) {
case 'export':
case 'local':
case 'readonly':
case 'declare':
case 'typeset':
argv.push(child.text)
break
case 'word':
case 'number':
case 'raw_string':
case 'string':
case 'concatenation': {
// Flags (`declare -r`), quoted names (`export "FOO=bar"`), numbers
// (`declare -i 42`). Mirrors walkCommand's argv handling — before
// this, `export "FOO=bar"` hit tooComplex on the `string` child.
// walkArgument validates each (expansions still reject).
const arg = walkArgument(child, commands, varScope)
if (typeof arg !== 'string') return arg
// SECURITY: declare/typeset/local flags that change assignment
// semantics break our static model. -n (nameref): `declare -n X=Y`
// then `$X` dereferences to $Y's VALUE — varScope stores 'Y'
// (target NAME), argv[0] shows 'Y' while bash runs whatever $Y
// holds. -i (integer): `declare -i X='a[$(cmd)]'` arithmetically
// evaluates the RHS at assignment time, running $(cmd) even from
// a single-quoted raw_string (same primitive walkArithmetic
// guards in $((…))). -a/-A (array): subscript arithmetic on
// assignment. -r/-x/-g/-p/-f/-F are inert. Check the resolved
// arg (not child.text) so `\-n` and quoted `-n` are caught.
// Scope to declare/typeset/local only: `export -n` means "remove
// export attribute" (not nameref), and export/readonly don't
// accept -i; readonly -a/-A rejects subscripted args as invalid
// identifiers so subscript-arith doesn't fire.
if (
(argv[0] === 'declare' ||
argv[0] === 'typeset' ||
argv[0] === 'local') &&
/^-[a-zA-Z]*[niaA]/.test(arg)
) {
return {
kind: 'too-complex',
reason: `declare flag ${arg} changes assignment semantics (nameref/integer/array)`,
nodeType: 'declaration_command',
}
}
// SECURITY: bare positional assignment with a subscript also
// evaluates — no -a/-i flag needed. `declare 'x[$(id)]=val'`
// implicitly creates an array element, arithmetically evaluating
// the subscript and running $(id). tree-sitter delivers the
// single-quoted form as a raw_string leaf so walkArgument sees
// only the literal text. Scoped to declare/typeset/local:
// export/readonly reject `[` in identifiers before eval.
if (
(argv[0] === 'declare' ||
argv[0] === 'typeset' ||
argv[0] === 'local') &&
arg[0] !== '-' &&
/^[^=]*\[/.test(arg)
) {
return {
kind: 'too-complex',
reason: `declare positional '${arg}' contains array subscript — bash evaluates $(cmd) in subscripts`,
nodeType: 'declaration_command',
}
}
argv.push(arg)
break
}
case 'variable_assignment': {
const ev = walkVariableAssignment(child, commands, varScope)
if ('kind' in ev) return ev
// export/declare assignments populate the scope so later $VAR refs resolve.
applyVarToScope(varScope, ev)
argv.push(`${ev.name}=${ev.value}`)
break
}
case 'variable_name':
// `export FOO` — bare name, no assignment.
argv.push(child.text)
break
default:
return tooComplex(child)
}
}
commands.push({ argv, envVars: [], redirects: [], text: node.text })
return null
}
if (node.type === 'variable_assignment') {
// Bare `VAR=value` at statement level (not a command env prefix).
// Sets a shell variable — no code execution, no filesystem I/O.
// The value is validated via walkVariableAssignment → walkArgument,
// so `VAR=$(evil)` still recursively extracts/rejects based on the
// inner command. Does NOT push to commands — a bare assignment needs
// no permission rule (it's inert). Common pattern: `VAR=x && cmd`
// where cmd references $VAR. ~35% of too-complex in top-5k ant cmds.
const ev = walkVariableAssignment(node, commands, varScope)
if ('kind' in ev) return ev
// Populate scope so later `$VAR` references resolve.
applyVarToScope(varScope, ev)
return null
}
if (node.type === 'for_statement') {
// `for VAR in WORD...; do BODY; done` — iterate BODY once per word.
// Body commands extracted once; every iteration runs the same commands.
//
// SECURITY: Loop var is ALWAYS treated as unknown-value (VAR_PLACEHOLDER).
// Even "static" iteration words can be:
// - Absolute paths: `for i in /etc/passwd; do rm $i; done` — body argv
// would have placeholder, path validation never sees /etc/passwd.
// - Globs: `for i in /etc/*; do rm $i; done` — `/etc/*` is a static word
// at parse time but bash expands it at runtime.
// - Flags: `for i in -rf /; do rm $i; done` — flag smuggling.
//
// VAR_PLACEHOLDER means bare `$i` in body → too-complex. Only
// string-embedding (`echo "item: $i"`) stays simple. This reverts some
// of the too-complex→simple rescues in the original PR — each one was a
// potential path-validation bypass.
let loopVar: string | null = null
let doGroup: Node | null = null
for (const child of node.children) {
if (!child) continue
if (child.type === 'variable_name') {
loopVar = child.text
} else if (child.type === 'do_group') {
doGroup = child
} else if (
child.type === 'for' ||
child.type === 'in' ||
child.type === 'select' ||
child.type === ';'
) {
continue // structural tokens
} else if (child.type === 'command_substitution') {
// `for i in $(seq 1 3)` — inner cmd IS extracted and rule-checked.
const err = collectCommandSubstitution(child, commands, varScope)
if (err) return err
} else {
// Iteration values — validated via walkArgument. Value discarded:
// body argv gets VAR_PLACEHOLDER regardless of the iteration words,
// and bare `$i` in body → too-complex (see SECURITY comment above).
// We still validate to reject e.g. `for i in $(cmd); do ...; done`
// where the iteration word itself is a disallowed expansion.
const arg = walkArgument(child, commands, varScope)
if (typeof arg !== 'string') return arg
}
}
if (loopVar === null || doGroup === null) return tooComplex(node)
// SECURITY: `for PS4 in '$(id)'; do set -x; :; done` sets PS4 directly
// via varScope.set below — walkVariableAssignment's PS4/IFS checks never
// fire. Trace-time RCE (PS4) or word-split bypass (IFS). No legit use.
if (loopVar === 'PS4' || loopVar === 'IFS') {
return {
kind: 'too-complex',
reason: `${loopVar} as loop variable bypasses assignment validation`,
nodeType: 'for_statement',
}
}
// SECURITY: Body uses a scope COPY — vars assigned inside the loop
// body don't leak to commands after `done`. The loop var itself is
// set in the REAL scope (bash semantics: $i still set after loop)
// and copied into the body scope. ALWAYS VAR_PLACEHOLDER — see above.
varScope.set(loopVar, VAR_PLACEHOLDER)
const bodyScope = new Map(varScope)
for (const c of doGroup.children) {
if (!c) continue
if (c.type === 'do' || c.type === 'done' || c.type === ';') continue
const err = collectCommands(c, commands, bodyScope)
if (err) return err
}
return null
}
if (node.type === 'if_statement' || node.type === 'while_statement') {
// `if COND; then BODY; [elif...; else...;] fi`
// `while COND; do BODY; done`
// Extract condition command(s) + all branch/body commands. All get
// checked against permission rules. `while read VAR` tracks VAR so
// body can reference $VAR.
//
// SECURITY: Branch bodies use scope COPIES — vars assigned inside a
// conditional branch (which may not execute) must not leak to commands
// after fi/done. `if false; then T=safe; fi && rm $T` must reject $T.
// Condition commands use the REAL varScope (they always run for the
// check, so assignments there are unconditional — e.g., `while read V`
// tracking must persist to the body copy).
//
// tree-sitter if_statement children: if, COND..., then, THEN-BODY...,
// [elif_clause...], [else_clause], fi. We distinguish condition from
// then-body by tracking whether we've seen the `then` token.
let seenThen = false
for (const child of node.children) {
if (!child) continue
if (
child.type === 'if' ||
child.type === 'fi' ||
child.type === 'else' ||
child.type === 'elif' ||
child.type === 'while' ||
child.type === 'until' ||
child.type === ';'
) {
continue
}
if (child.type === 'then') {
seenThen = true
continue
}
if (child.type === 'do_group') {
// while body: recurse with scope COPY (body assignments don't leak
// past done). The COPY contains any `read VAR` tracking from the
// condition (already in real varScope at this point).
const bodyScope = new Map(varScope)
for (const c of child.children) {
if (!c) continue
if (c.type === 'do' || c.type === 'done' || c.type === ';') continue
const err = collectCommands(c, commands, bodyScope)
if (err) return err
}
continue
}
if (child.type === 'elif_clause' || child.type === 'else_clause') {
// elif_clause: elif, cond, ;, then, body... / else_clause: else, body...
// Scope COPY — elif/else branch assignments don't leak past fi.
const branchScope = new Map(varScope)
for (const c of child.children) {
if (!c) continue
if (
c.type === 'elif' ||
c.type === 'else' ||
c.type === 'then' ||
c.type === ';'
) {
continue
}
const err = collectCommands(c, commands, branchScope)
if (err) return err
}
continue
}
// Condition (seenThen=false) or then-body (seenThen=true).
// Condition uses REAL varScope (always runs). Then-body uses a COPY.
// Special-case `while read VAR`: after condition `read VAR` is
// collected, track VAR in the REAL scope so the body COPY inherits it.
const targetScope = seenThen ? new Map(varScope) : varScope
const before = commands.length
const err = collectCommands(child, commands, targetScope)
if (err) return err
// If condition included `read VAR...`, track vars in REAL scope.
// read var value is UNKNOWN (stdin input) → use VAR_PLACEHOLDER
// (unknown-value sentinel, string-only).
if (!seenThen) {
for (let i = before; i < commands.length; i++) {
const c = commands[i]
if (c?.argv[0] === 'read') {
for (const a of c.argv.slice(1)) {
// Skip flags (-r, -d, etc.); track bare identifier args as var names.
if (!a.startsWith('-') && /^[A-Za-z_][A-Za-z0-9_]*$/.test(a)) {
// SECURITY: commands[] is a flat accumulator. `true || read
// VAR` in the condition: the list handler correctly uses a
// scope COPY for the ||-RHS (may not run), but `read VAR`
// IS still pushed to commands[] — we can't tell it was
// scope-isolated from here. Same for `echo | read VAR`
// (pipeline, subshell in bash) and `(read VAR)` (subshell).
// Overwriting a tracked literal with VAR_PLACEHOLDER hides
// path traversal: `VAR=../../etc/passwd && if true || read
// VAR; then cat "/tmp/$VAR"; fi` — parser would see
// /tmp/__TRACKED_VAR__, bash reads /etc/passwd. Fail closed
// when a tracked literal would be overwritten. Safe case
// (no prior value or already a placeholder) → proceed.
const existing = varScope.get(a)
if (
existing !== undefined &&
!containsAnyPlaceholder(existing)
) {
return {
kind: 'too-complex',
reason: `'read ${a}' in condition may not execute (||/pipeline/subshell); cannot prove it overwrites tracked literal '${existing}'`,
nodeType: 'if_statement',
}
}
varScope.set(a, VAR_PLACEHOLDER)
}
}
}
}
}
}
return null
}
if (node.type === 'subshell') {
// `(cmd1; cmd2)` — run commands in a subshell. Inner commands ARE
// executed, so extract them for permission checking. Subshell has
// isolated scope: vars set inside don't leak out. Use a COPY of
// varScope (outer vars visible, inner changes discarded).
const innerScope = new Map(varScope)
for (const child of node.children) {
if (!child) continue
if (child.type === '(' || child.type === ')') continue
const err = collectCommands(child, commands, innerScope)
if (err) return err
}
return null
}
if (node.type === 'test_command') {
// `[[ EXPR ]]` or `[ EXPR ]` — conditional test. Evaluates to true/false
// based on file tests (-f, -d), string comparisons (==, !=), etc.
// No code execution (no command_substitution inside — that would be a
// child and we'd recurse into it via walkArgument and reject it).
// Push as a synthetic command with argv[0]='[[' so permission rules
// can match — `Bash([[ :*)` would be unusual but legal.
// Walk arguments to validate (no cmdsub/expansion inside operands).
const argv: string[] = ['[[']
for (const child of node.children) {
if (!child) continue
if (child.type === '[[' || child.type === ']]') continue
if (child.type === '[' || child.type === ']') continue
// Recurse into test expression structure: unary_expression,
// binary_expression, parenthesized_expression, negated_expression.
// The leaves are test_operator (-f, -d, ==) and operand words.
const err = walkTestExpr(child, argv, commands, varScope)
if (err) return err
}
commands.push({ argv, envVars: [], redirects: [], text: node.text })
return null
}
if (node.type === 'unset_command') {
// `unset FOO BAR`, `unset -f func`. Safe: only removes shell
// variables/functions from the current shell — no code execution, no
// filesystem I/O. tree-sitter emits a dedicated node type so it
// previously fell through to tooComplex. Children: `unset` keyword,
// `variable_name` for each name, `word` for flags like `-f`/`-v`.
const argv: string[] = []
for (const child of node.children) {
if (!child) continue
switch (child.type) {
case 'unset':
argv.push(child.text)
break
case 'variable_name':
argv.push(child.text)
// SECURITY: unset removes the var from bash's scope. Remove from
// varScope so subsequent `$VAR` references correctly reject.
// `VAR=safe && unset VAR && rm $VAR` must NOT resolve $VAR.
varScope.delete(child.text)
break
case 'word': {
const arg = walkArgument(child, commands, varScope)
if (typeof arg !== 'string') return arg
argv.push(arg)
break
}
default:
return tooComplex(child)
}
}
commands.push({ argv, envVars: [], redirects: [], text: node.text })
return null
}
return tooComplex(node)
}
/**
* Recursively walk a test_command expression tree (unary/binary/negated/
* parenthesized expressions). Leaves are test_operator tokens and operands
* (word/string/number/etc). Operands are validated via walkArgument.
*/
function walkTestExpr(
node: Node,
argv: string[],
innerCommands: SimpleCommand[],
varScope: Map<string, string>,
): ParseForSecurityResult | null {
switch (node.type) {
case 'unary_expression':
case 'binary_expression':
case 'negated_expression':
case 'parenthesized_expression': {
for (const c of node.children) {
if (!c) continue
const err = walkTestExpr(c, argv, innerCommands, varScope)
if (err) return err
}
return null
}
case 'test_operator':
case '!':
case '(':
case ')':
case '&&':
case '||':
case '==':
case '=':
case '!=':
case '<':
case '>':
case '=~':
argv.push(node.text)
return null
case 'regex':
case 'extglob_pattern':
// RHS of =~ or ==/!= in [[ ]]. Pattern text only — no code execution.
// Parser emits these as leaf nodes with no children (any $(...) or ${...}
// inside the pattern is a sibling, not a child, and is walked separately).
argv.push(node.text)
return null
default: {
// Operand — word, string, number, etc. Validate via walkArgument.
const arg = walkArgument(node, innerCommands, varScope)
if (typeof arg !== 'string') return arg
argv.push(arg)
return null
}
}
}
/**
* A `redirected_statement` wraps a command (or pipeline) plus one or more
* `file_redirect`/`heredoc_redirect` nodes. Extract redirects, walk the
* inner command, attach redirects to the LAST command (the one whose output
* is being redirected).
*/
function walkRedirectedStatement(
node: Node,
commands: SimpleCommand[],
varScope: Map<string, string>,
): ParseForSecurityResult | null {
const redirects: Redirect[] = []
let innerCommand: Node | null = null
for (const child of node.children) {
if (!child) continue
if (child.type === 'file_redirect') {
// Thread `commands` so $() in redirect targets (e.g., `> $(mktemp)`)
// extracts the inner command for permission checking.
const r = walkFileRedirect(child, commands, varScope)
if ('kind' in r) return r
redirects.push(r)
} else if (child.type === 'heredoc_redirect') {
const r = walkHeredocRedirect(child)
if (r) return r
} else if (
child.type === 'command' ||
child.type === 'pipeline' ||
child.type === 'list' ||
child.type === 'negated_command' ||
child.type === 'declaration_command' ||
child.type === 'unset_command'
) {
innerCommand = child
} else {
return tooComplex(child)
}
}
if (!innerCommand) {
// `> file` alone is valid bash (truncates file). Represent as a command
// with empty argv so downstream sees the write.
commands.push({ argv: [], envVars: [], redirects, text: node.text })
return null
}
const before = commands.length
const err = collectCommands(innerCommand, commands, varScope)
if (err) return err
if (commands.length > before && redirects.length > 0) {
const last = commands[commands.length - 1]
if (last) last.redirects.push(...redirects)
}
return null
}
/**
* Extract operator + target from a `file_redirect` node. The target must be
* a static word or string.
*/
function walkFileRedirect(
node: Node,
innerCommands: SimpleCommand[],
varScope: Map<string, string>,
): Redirect | ParseForSecurityResult {
let op: Redirect['op'] | null = null
let target: string | null = null
let fd: number | undefined
for (const child of node.children) {
if (!child) continue
if (child.type === 'file_descriptor') {
fd = Number(child.text)
} else if (child.type in REDIRECT_OPS) {
op = REDIRECT_OPS[child.type] ?? null
} else if (child.type === 'word' || child.type === 'number') {
// SECURITY: `number` nodes can contain expansion children via the
// `NN#<expansion>` arithmetic-base grammar quirk — same issue as
// walkArgument's number case. `> 10#$(cmd)` runs cmd at runtime.
// Plain word/number nodes have zero children.
if (child.children.length > 0) return tooComplex(child)
// Symmetry with walkArgument (~608): `echo foo > {a,b}` is an
// ambiguous redirect in bash. tree-sitter actually emits a
// `concatenation` node for brace targets (caught by the default
// branch below), but check `word` text too for defense-in-depth.
if (BRACE_EXPANSION_RE.test(child.text)) return tooComplex(child)
// Unescape backslash sequences — same as walkArgument. Bash quote
// removal turns `\X` → `X`. Without this, `cat < /proc/self/\environ`
// stores target `/proc/self/\environ` which evades PROC_ENVIRON_RE,
// but bash reads /proc/self/environ.
target = child.text.replace(/\\(.)/g, '$1')
} else if (child.type === 'raw_string') {
target = stripRawString(child.text)
} else if (child.type === 'string') {
const s = walkString(child, innerCommands, varScope)
if (typeof s !== 'string') return s
target = s
} else if (child.type === 'concatenation') {
// `echo > "foo"bar` — tree-sitter produces a concatenation of string +
// word children. walkArgument already validates concatenation (rejects
// expansions, checks brace syntax) and returns the joined text.
const s = walkArgument(child, innerCommands, varScope)
if (typeof s !== 'string') return s
target = s
} else {
return tooComplex(child)
}
}
if (!op || target === null) {
return {
kind: 'too-complex',
reason: 'Unrecognized redirect shape',
nodeType: node.type,
}
}
return { op, target, fd }
}
/**
* Heredoc redirect. Only quoted-delimiter heredocs (<<'EOF') are safe —
* their bodies are literal text. Unquoted-delimiter heredocs (<<EOF)
* undergo full parameter/command/arithmetic expansion in the body.
*
* SECURITY: tree-sitter-bash has a grammar gap — backticks (`...`) inside
* an unquoted heredoc body are NOT parsed as command_substitution nodes
* (body.children is empty, backticks are in body.text). But bash DOES
* execute them. We cannot safely relax the quoted-delimiter requirement
* by checking body children for expansion nodes — we'd miss backtick
* substitution. Keep rejecting all unquoted heredocs. Users should use
* <<'EOF' to get a literal body, which the model already prefers.
*/
function walkHeredocRedirect(node: Node): ParseForSecurityResult | null {
let startText: string | null = null
let body: Node | null = null
for (const child of node.children) {
if (!child) continue
if (child.type === 'heredoc_start') startText = child.text
else if (child.type === 'heredoc_body') body = child
else if (
child.type === '<<' ||
child.type === '<<-' ||
child.type === 'heredoc_end' ||
child.type === 'file_descriptor'
) {
// expected structural tokens — safe to skip. file_descriptor
// covers fd-prefixed heredocs (`cat 3<<'EOF'`) — walkFileRedirect
// already treats it as a benign structural token.
} else {
// SECURITY: tree-sitter places pipeline / command / file_redirect /
// && / etc. as children of heredoc_redirect when they follow the
// delimiter on the same line (e.g. `ls <<'EOF' | rm x`). Previously
// these were silently skipped, hiding the piped command from
// permission checks. Fail closed like every other walker.
return tooComplex(child)
}
}
const isQuoted =
startText !== null &&
((startText.startsWith("'") && startText.endsWith("'")) ||
(startText.startsWith('"') && startText.endsWith('"')) ||
startText.startsWith('\\'))
if (!isQuoted) {
return {
kind: 'too-complex',
reason: 'Heredoc with unquoted delimiter undergoes shell expansion',
nodeType: 'heredoc_redirect',
}
}
if (body) {
for (const child of body.children) {
if (!child) continue
if (child.type !== 'heredoc_content') {
return tooComplex(child)
}
}
}
return null
}
/**
* Here-string redirect (`<<< content`). The content becomes stdin — not
* argv, not a path. Safe when content is a literal word, raw_string, or
* string with no expansions. Reject when content contains $()/${}/$VAR —
* those execute arbitrary code or inject runtime values.
*
* Reuses walkArgument for content validation: it already rejects
* command_substitution, expansion, and (for strings) simple_expansion
* unless the var is tracked/safe. The result string is discarded — we only
* care that it's statically resolvable.
*
* NOTE: `VAR=$(cmd) && cat <<< "$VAR"` would be safe in principle (inner
* cmd is extracted separately, herestring content is stdin) but is
* currently rejected conservatively — walkString's solo-placeholder guard
* fires because it has no awareness of herestring vs argv context.
*/
function walkHerestringRedirect(
node: Node,
innerCommands: SimpleCommand[],
varScope: Map<string, string>,
): ParseForSecurityResult | null {
for (const child of node.children) {
if (!child) continue
if (child.type === '<<<') continue
// Content node: reuse walkArgument. It returns a string on success
// (which we discard — content is stdin, irrelevant to permissions) or
// a too-complex result on failure (expansion found, unresolvable var).
const content = walkArgument(child, innerCommands, varScope)
if (typeof content !== 'string') return content
// Herestring content is discarded (not in argv/envVars/redirects) but
// remains in .text via raw node.text. Scan it here so checkSemantics's
// NEWLINE_HASH invariant (bashPermissions.ts relies on it) still holds.
if (NEWLINE_HASH_RE.test(content)) return tooComplex(child)
}
return null
}
/**
* Walk a `command` node and extract argv. Children appear in order:
* [variable_assignment...] command_name [argument...] [file_redirect...]
* Any child type not explicitly handled triggers too-complex.
*/
function walkCommand(
node: Node,
extraRedirects: Redirect[],
innerCommands: SimpleCommand[],
varScope: Map<string, string>,
): ParseForSecurityResult {
const argv: string[] = []
const envVars: { name: string; value: string }[] = []
const redirects: Redirect[] = [...extraRedirects]
for (const child of node.children) {
if (!child) continue
switch (child.type) {
case 'variable_assignment': {
const ev = walkVariableAssignment(child, innerCommands, varScope)
if ('kind' in ev) return ev
// SECURITY: Env-prefix assignments (`VAR=x cmd`) are command-local in
// bash — VAR is only visible to `cmd` as an env var, NOT to
// subsequent commands. Do NOT add to global varScope — that would
// let `VAR=safe cmd1 && rm $VAR` resolve $VAR when bash has unset it.
envVars.push({ name: ev.name, value: ev.value })
break
}
case 'command_name': {
const arg = walkArgument(
child.children[0] ?? child,
innerCommands,
varScope,
)
if (typeof arg !== 'string') return arg
argv.push(arg)
break
}
case 'word':
case 'number':
case 'raw_string':
case 'string':
case 'concatenation':
case 'arithmetic_expansion': {
const arg = walkArgument(child, innerCommands, varScope)
if (typeof arg !== 'string') return arg
argv.push(arg)
break
}
// NOTE: command_substitution as a BARE argument (not inside a string)
// is intentionally NOT handled here — the $() output IS the argument,
// and for path-sensitive commands (cd, rm, chmod) the placeholder would
// hide the real path from downstream checks. `cd $(echo /etc)` must
// stay too-complex so the path-check can't be bypassed. $() inside
// strings ("Timer: $(date)") is handled in walkString where the output
// is embedded in a longer string (safer).
case 'simple_expansion': {
// Bare `$VAR` as an argument. Tracked static vars return the ACTUAL
// value (e.g. VAR=/etc → '/etc'). Values with IFS/glob chars or
// placeholders reject. See resolveSimpleExpansion.
const v = resolveSimpleExpansion(child, varScope, false)
if (typeof v !== 'string') return v
argv.push(v)
break
}
case 'file_redirect': {
const r = walkFileRedirect(child, innerCommands, varScope)
if ('kind' in r) return r
redirects.push(r)
break
}
case 'herestring_redirect': {
// `cmd <<< "content"` — content is stdin, not argv. Validate it's
// literal (no expansion); discard the content string.
const err = walkHerestringRedirect(child, innerCommands, varScope)
if (err) return err
break
}
default:
return tooComplex(child)
}
}
// .text is the raw source span. Downstream (bashToolCheckPermission →
// splitCommand_DEPRECATED) re-tokenizes it via shell-quote. Normally .text
// is used unchanged — but if we resolved a $VAR into argv, .text diverges
// (has raw `$VAR`) and downstream RULE MATCHING would miss deny rules.
//
// SECURITY: `SUB=push && git $SUB --force` with `Bash(git push:*)` deny:
// argv = ['git', 'push', '--force'] ← correct, path validation sees 'push'
// .text = 'git $SUB --force' ← deny rule 'git push:*' doesn't match
//
// Detection: any `$<identifier>` in node.text means a simple_expansion was
// resolved (or we'd have returned too-complex). This catches $VAR at any
// position — command_name, word, string interior, concatenation part.
// `$(...)` doesn't match (paren, not identifier start). `'$VAR'` in single
// quotes: tree-sitter's .text includes the quotes, so a naive check would
// FP on `echo '$VAR'`. But single-quoted $ is LITERAL in bash — argv has
// the literal `$VAR` string, so rebuilding from argv produces `'$VAR'`
// anyway (shell-escape wraps it). Same net .text. No rule-matching error.
//
// Rebuild .text from argv. Shell-escape each arg: single-quote wrap with
// `'\''` for embedded single quotes. Empty string, metacharacters, and
// placeholders all get quoted. Downstream shell-quote re-parse is correct.
//
// NOTE: This does NOT include redirects/envVars in the rebuilt .text —
// walkFileRedirect rejects simple_expansion, and envVars aren't used for
// rule matching. If either changes, this rebuild must include them.
//
// SECURITY: also rebuild when node.text contains a newline. Line
// continuations `<space>\<LF>` are invisible to argv (tree-sitter collapses
// them) but preserved in node.text. `timeout 5 \<LF>curl evil.com` → argv
// is correct, but raw .text → stripSafeWrappers matches `timeout 5 ` (the
// space before \), leaving `\<LF>curl evil.com` — Bash(curl:*) deny doesn't
// prefix-match. Rebuilt .text joins argv with ' ' → no newlines →
// stripSafeWrappers works. Also covers heredoc-body leakage.
const text =
/\$[A-Za-z_]/.test(node.text) || node.text.includes('\n')
? argv
.map(a =>
a === '' || /["'\\ \t\n$`;|&<>(){}*?[\]~#]/.test(a)
? `'${a.replace(/'/g, "'\\''")}'`
: a,
)
.join(' ')
: node.text
return {
kind: 'simple',
commands: [{ argv, envVars, redirects, text }],
}
}
/**
* Recurse into a command_substitution node's inner command(s). If the inner
* command(s) parse cleanly (simple), add them to the innerCommands
* accumulator and return null (success). If the inner command is itself
* too-complex (e.g., nested arith expansion, process sub), return the error.
* This enables recursive permission checking: `echo $(git rev-parse HEAD)`
* extracts BOTH `echo $(git rev-parse HEAD)` (outer) AND `git rev-parse HEAD`
* (inner) — permission rules must match BOTH for the whole command to allow.
*/
function collectCommandSubstitution(
csNode: Node,
innerCommands: SimpleCommand[],
varScope: Map<string, string>,
): ParseForSecurityResult | null {
// Vars set BEFORE the $() are visible inside (bash subshell semantics),
// but vars set INSIDE don't leak out. Pass a COPY of the outer scope so
// inner assignments don't mutate the outer map.
const innerScope = new Map(varScope)
// command_substitution children: `$(` or `` ` ``, inner statement(s), `)`
for (const child of csNode.children) {
if (!child) continue
if (child.type === '$(' || child.type === '`' || child.type === ')') {
continue
}
const err = collectCommands(child, innerCommands, innerScope)
if (err) return err
}
return null
}
/**
* Convert an argument node to its literal string value. Quotes are resolved.
* This function implements the argument-position allowlist.
*/
function walkArgument(
node: Node | null,
innerCommands: SimpleCommand[],
varScope: Map<string, string>,
): string | ParseForSecurityResult {
if (!node) {
return { kind: 'too-complex', reason: 'Null argument node' }
}
switch (node.type) {
case 'word': {
// Unescape backslash sequences. In unquoted context, bash's quote
// removal turns `\X` → `X` for any character X. tree-sitter preserves
// the raw text. Required for checkSemantics: `\eval` must match
// EVAL_LIKE_BUILTINS, `\zmodload` must match ZSH_DANGEROUS_BUILTINS.
// Also makes argv accurate: `find -exec {} \;` → argv has `;` not
// `\;`. (Deny-rule matching on .text already worked via downstream
// splitCommand_DEPRECATED unescaping — see walkCommand comment.) `\<whitespace>`
// is already rejected by BACKSLASH_WHITESPACE_RE.
if (BRACE_EXPANSION_RE.test(node.text)) {
return {
kind: 'too-complex',
reason: 'Word contains brace expansion syntax',
nodeType: 'word',
}
}
return node.text.replace(/\\(.)/g, '$1')
}
case 'number':
// SECURITY: tree-sitter-bash parses `NN#<expansion>` (arithmetic base
// syntax) as a `number` node with the expansion as a CHILD. `10#$(cmd)`
// is a number node whose .text is the full literal but whose child is a
// command_substitution — bash runs the substitution. .text on a node
// with children would smuggle the expansion past permission checks.
// Plain numbers (`10`, `16#ff`) have zero children.
if (node.children.length > 0) {
return {
kind: 'too-complex',
reason: 'Number node contains expansion (NN# arithmetic base syntax)',
nodeType: node.children[0]?.type,
}
}
return node.text
case 'raw_string':
return stripRawString(node.text)
case 'string':
return walkString(node, innerCommands, varScope)
case 'concatenation': {
if (BRACE_EXPANSION_RE.test(node.text)) {
return {
kind: 'too-complex',
reason: 'Brace expansion',
nodeType: 'concatenation',
}
}
let result = ''
for (const child of node.children) {
if (!child) continue
const part = walkArgument(child, innerCommands, varScope)
if (typeof part !== 'string') return part
result += part
}
return result
}
case 'arithmetic_expansion': {
const err = walkArithmetic(node)
if (err) return err
return node.text
}
case 'simple_expansion': {
// `$VAR` inside a concatenation (e.g., `prefix$VAR`). Same rules
// as the bare case in walkCommand: must be tracked or SAFE_ENV_VARS.
// inside-concatenation counts as bare arg (the whole concat IS the arg)
return resolveSimpleExpansion(node, varScope, false)
}
// NOTE: command_substitution at arg position (bare or inside concatenation)
// is intentionally NOT handled — the output is/becomes-part-of a positional
// argument which might be a path or flag. `rm $(foo)` or `rm $(foo)bar`
// would hide the real path behind the placeholder. Only $() inside a
// `string` node (walkString) is extracted, since the output is embedded
// in a longer string rather than BEING the argument.
default:
return tooComplex(node)
}
}
/**
* Extract literal content from a double-quoted string node. A `string` node's
* children are `"` delimiters, `string_content` literals, and possibly
* expansion nodes.
*
* tree-sitter quirk: literal newlines inside double quotes are NOT included
* in `string_content` node text. bash preserves them. For `"a\nb"`,
* tree-sitter produces two `string_content` children (`"a"`, `"b"`) with the
* newline in neither. For `"\n#"`, it produces ONE child (`"#"`) with the
* leading newline eaten. Concatenating children therefore loses newlines.
*
* Fix: track child `startIndex` and insert one `\n` per index gap. The gap
* between children IS the dropped newline(s). This makes the argv value
* match what bash actually sees.
*/
function walkString(
node: Node,
innerCommands: SimpleCommand[],
varScope: Map<string, string>,
): string | ParseForSecurityResult {
let result = ''
let cursor = -1
// SECURITY: Track whether the string contains a runtime-unknown
// placeholder ($() output or unknown-value tracked var) vs any literal
// content. A string that is ONLY a placeholder (`"$(cmd)"`, `"$VAR"`
// where VAR holds an unknown sentinel) produces an argv element that IS
// the placeholder — which downstream path validation resolves as a
// relative filename within cwd, bypassing the check. `cd "$(echo /etc)"`
// would pass validation but runtime-cd into /etc. We reject
// solo-placeholder strings; placeholders mixed with literal content
// (`"prefix: $(cmd)"`) are safe — runtime value can't equal a bare path.
let sawDynamicPlaceholder = false
let sawLiteralContent = false
for (const child of node.children) {
if (!child) continue
// Index gap between this child and the previous one = dropped newline(s).
// Ignore the gap before the first non-delimiter child (cursor === -1).
// Skip gap-fill for `"` delimiters: a gap before the closing `"` is the
// tree-sitter whitespace-only-string quirk (space/tab, not newline) — let
// the Fix C check below catch it as too-complex instead of mis-filling
// with `\n` and diverging from bash.
if (cursor !== -1 && child.startIndex > cursor && child.type !== '"') {
result += '\n'.repeat(child.startIndex - cursor)
sawLiteralContent = true
}
cursor = child.endIndex
switch (child.type) {
case '"':
// Reset cursor after opening quote so the gap between `"` and the
// first content child is captured.
cursor = child.endIndex
break
case 'string_content':
// Bash double-quote escape rules (NOT the generic /\\(.)/g used for
// unquoted words in walkArgument): inside "...", a backslash only
// escapes $ ` " \ — other sequences like \n stay literal. So
// `"fix \"bug\""` → `fix "bug"`, but `"a\nb"` → `a\nb` (backslash
// kept). tree-sitter preserves the raw escapes in .text; we resolve
// them here so argv matches what bash actually passes.
result += child.text.replace(/\\([$`"\\])/g, '$1')
sawLiteralContent = true
break
case DOLLAR:
// A bare dollar sign before closing quote or a non-name char is
// literal in bash. tree-sitter emits it as a standalone node.
result += DOLLAR
sawLiteralContent = true
break
case 'command_substitution': {
// Carve-out: `$(cat <<'EOF' ... EOF)` is safe. The quoted-delimiter
// heredoc body is literal (no expansion), and `cat` just prints it.
// The substitution result is therefore a known static string. This
// pattern is the idiomatic way to pass multi-line content to tools
// like `gh pr create --body`. We replace the substitution with a
// placeholder argv value — the actual content doesn't matter for
// permission checking, only that it IS static.
const heredocBody = extractSafeCatHeredoc(child)
if (heredocBody === 'DANGEROUS') return tooComplex(child)
if (heredocBody !== null) {
// SECURITY: the body IS the substitution result. Previously we
// dropped it → `rm "$(cat <<'EOF'\n/etc/passwd\nEOF)"` produced
// argv ['rm',''] while bash runs `rm /etc/passwd`. validatePath('')
// resolves to cwd → allowed. Every path-constrained command
// bypassed via this. Now: append the body (trailing LF trimmed —
// bash $() strips trailing newlines).
//
// Tradeoff: bodies with internal newlines are multi-line text
// (markdown, scripts) which cannot be valid paths — safe to drop
// to avoid NEWLINE_HASH_RE false positives on `## Summary`. A
// single-line body (like `/etc/passwd`) MUST go into argv so
// downstream path validation sees the real target.
const trimmed = heredocBody.replace(/\n+$/, '')
if (trimmed.includes('\n')) {
sawLiteralContent = true
break
}
result += trimmed
sawLiteralContent = true
break
}
// General $() inside "...": recurse into inner command(s). If they
// parse cleanly, they become additional subcommands that the
// permission system must match rules against. The outer argv gets
// the original $() text as placeholder (runtime-determined value).
// `echo "SHA: $(git rev-parse HEAD)"` → extracts BOTH
// `echo "SHA: $(...)"` AND `git rev-parse HEAD` — both must match
// permission rules. ~27% of too-complex in top-5k ant cmds.
const err = collectCommandSubstitution(child, innerCommands, varScope)
if (err) return err
result += CMDSUB_PLACEHOLDER
sawDynamicPlaceholder = true
break
}
case 'simple_expansion': {
// `$VAR` inside "...". Tracked/safe vars resolve; untracked reject.
const v = resolveSimpleExpansion(child, varScope, true)
if (typeof v !== 'string') return v
// VAR_PLACEHOLDER = runtime-unknown (loop var, read var, $() output,
// SAFE_ENV_VARS, special vars). Any other string = actual literal
// value from a tracked static var (e.g. VAR=/tmp → v='/tmp').
if (v === VAR_PLACEHOLDER) sawDynamicPlaceholder = true
else sawLiteralContent = true
result += v
break
}
case 'arithmetic_expansion': {
const err = walkArithmetic(child)
if (err) return err
result += child.text
// Validated to be literal-numeric — static content.
sawLiteralContent = true
break
}
default:
// expansion (${...}) inside "..."
return tooComplex(child)
}
}
// SECURITY: Reject solo-placeholder strings. `"$(cmd)"` or `"$VAR"` (where
// VAR holds an unknown value) would produce an argv element that IS the
// placeholder — which bypasses downstream path validation (validatePath
// resolves placeholders as relative filenames within cwd). Only allow
// placeholders embedded alongside literal content (`"prefix: $(cmd)"`).
if (sawDynamicPlaceholder && !sawLiteralContent) {
return tooComplex(node)
}
// SECURITY: tree-sitter-bash quirk — a double-quoted string containing
// ONLY whitespace (` "`, `" "`, `"\t"`) produces NO string_content child;
// the whitespace is attributed to the closing `"` node's text. Our loop
// only adds to `result` from string_content/expansion children, so we'd
// return "" when bash sees " ". Detect: we saw no content children
// (both flags false — neither literal nor placeholder added) but the
// source span is longer than bare `""`. Genuine `""` has text.length==2.
// `"$V"` with V="" doesn't hit this — the simple_expansion child sets
// sawLiteralContent via the `else` branch even when v is empty.
if (!sawLiteralContent && !sawDynamicPlaceholder && node.text.length > 2) {
return tooComplex(node)
}
return result
}
/**
* Safe leaf nodes inside arithmetic expansion: integer literals (decimal,
* hex, octal, bash base#digits) and operator/paren tokens. Anything else at
* leaf position (notably variable_name that isn't a numeric literal) rejects.
*/
const ARITH_LEAF_RE =
/^(?:[0-9]+|0[xX][0-9a-fA-F]+|[0-9]+#[0-9a-zA-Z]+|[-+*/%^&|~!<>=?:(),]+|<<|>>|\*\*|&&|\|\||[<>=!]=|\$\(\(|\)\))$/
/**
* Recursively validate an arithmetic_expansion node. Allows only literal
* numeric expressions — no variables, no substitutions. Returns null if
* safe, or a too-complex result if not.
*
* Variables are rejected because bash arithmetic recursively evaluates
* variable values: if x='a[$(cmd)]' then $((x)) executes cmd. See
* https://www.vidarholen.net/contents/blog/?p=716 (arithmetic injection).
*
* When safe, the caller puts the full `$((…))` span into argv as a literal
* string. bash will expand it to an integer at runtime; the static string
* won't match any sensitive path/deny patterns.
*/
function walkArithmetic(node: Node): ParseForSecurityResult | null {
for (const child of node.children) {
if (!child) continue
if (child.children.length === 0) {
if (!ARITH_LEAF_RE.test(child.text)) {
return {
kind: 'too-complex',
reason: `Arithmetic expansion references variable or non-literal: ${child.text}`,
nodeType: 'arithmetic_expansion',
}
}
continue
}
switch (child.type) {
case 'binary_expression':
case 'unary_expression':
case 'ternary_expression':
case 'parenthesized_expression': {
const err = walkArithmetic(child)
if (err) return err
break
}
default:
return tooComplex(child)
}
}
return null
}
/**
* Check if a command_substitution node is exactly `$(cat <<'DELIM'...DELIM)`
* and return the heredoc body if so. Any deviation (extra args to cat,
* unquoted delimiter, additional commands) returns null.
*
* tree-sitter structure:
* command_substitution
* $(
* redirected_statement
* command → command_name → word "cat" (exactly one child)
* heredoc_redirect
* <<
* heredoc_start 'DELIM' (quoted)
* heredoc_body (pure heredoc_content)
* heredoc_end
* )
*/
function extractSafeCatHeredoc(subNode: Node): string | 'DANGEROUS' | null {
// Expect exactly: $( + one redirected_statement + )
let stmt: Node | null = null
for (const child of subNode.children) {
if (!child) continue
if (child.type === '$(' || child.type === ')') continue
if (child.type === 'redirected_statement' && stmt === null) {
stmt = child
} else {
return null
}
}
if (!stmt) return null
// redirected_statement must be: command(cat) + heredoc_redirect (quoted)
let sawCat = false
let body: string | null = null
for (const child of stmt.children) {
if (!child) continue
if (child.type === 'command') {
// Must be bare `cat` — no args, no env vars
const cmdChildren = child.children.filter(c => c)
if (cmdChildren.length !== 1) return null
const nameNode = cmdChildren[0]
if (nameNode?.type !== 'command_name' || nameNode.text !== 'cat') {
return null
}
sawCat = true
} else if (child.type === 'heredoc_redirect') {
// Reuse the existing validator: quoted delimiter, body is pure text.
// walkHeredocRedirect returns null on success, non-null on rejection.
if (walkHeredocRedirect(child) !== null) return null
for (const hc of child.children) {
if (hc?.type === 'heredoc_body') body = hc.text
}
} else {
return null
}
}
if (!sawCat || body === null) return null
// SECURITY: the heredoc body becomes the outer command's argv value via
// substitution, so a body like `/proc/self/environ` is semantically
// `cat /proc/self/environ`. checkSemantics never sees the body (we drop it
// at the walkString call site to avoid newline+# FPs). Returning `null`
// here would fall through to collectCommandSubstitution in walkString,
// which would extract the inner `cat` via walkHeredocRedirect (body text
// not inspected there) — effectively bypassing this check. Return a
// distinct sentinel so the caller can reject instead of falling through.
if (PROC_ENVIRON_RE.test(body)) return 'DANGEROUS'
// Same for jq system(): checkSemantics checks argv but never sees the
// heredoc body. Check unconditionally (we don't know the outer command).
if (/\bsystem\s*\(/.test(body)) return 'DANGEROUS'
return body
}
function walkVariableAssignment(
node: Node,
innerCommands: SimpleCommand[],
varScope: Map<string, string>,
): { name: string; value: string; isAppend: boolean } | ParseForSecurityResult {
let name: string | null = null
let value = ''
let isAppend = false
for (const child of node.children) {
if (!child) continue
if (child.type === 'variable_name') {
name = child.text
} else if (child.type === '=' || child.type === '+=') {
// `PATH+=":/new"` — tree-sitter emits `+=` as a distinct operator
// node. Without this case it falls through to walkArgument below
// → tooComplex on unknown type `+=`.
isAppend = child.type === '+='
continue
} else if (child.type === 'command_substitution') {
// $() as the variable's value. The output becomes a STRING stored in
// the variable — it's NOT a positional argument (no path/flag concern).
// `VAR=$(date)` runs `date`, stores output. `VAR=$(rm -rf /)` runs
// `rm` — the inner command IS checked against permission rules, so
// `rm` must match a rule. The variable just holds whatever `rm` prints.
const err = collectCommandSubstitution(child, innerCommands, varScope)
if (err) return err
value = CMDSUB_PLACEHOLDER
} else if (child.type === 'simple_expansion') {
// `VAR=$OTHER` — assignment RHS does NOT word-split or glob-expand
// in bash (unlike command arguments). So `A="a b"; B=$A` sets B to
// the literal "a b". Resolve as if inside a string (insideString=true)
// so BARE_VAR_UNSAFE_RE doesn't over-reject. The resulting value may
// contain spaces/globs — if B is later used as a bare arg, THAT use
// will correctly reject via BARE_VAR_UNSAFE_RE.
const v = resolveSimpleExpansion(child, varScope, true)
if (typeof v !== 'string') return v
// If v is VAR_PLACEHOLDER (OTHER holds unknown), store it — combined
// with containsAnyPlaceholder in the caller to treat as unknown.
value = v
} else {
const v = walkArgument(child, innerCommands, varScope)
if (typeof v !== 'string') return v
value = v
}
}
if (name === null) {
return {
kind: 'too-complex',
reason: 'Variable assignment without name',
nodeType: 'variable_assignment',
}
}
// SECURITY: tree-sitter-bash accepts invalid var names (e.g. `1VAR=value`)
// as variable_assignment. Bash only recognizes [A-Za-z_][A-Za-z0-9_]* —
// anything else is run as a COMMAND. `1VAR=value` → bash tries to execute
// `1VAR=value` from PATH. We must not treat it as an inert assignment.
if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
return {
kind: 'too-complex',
reason: `Invalid variable name (bash treats as command): ${name}`,
nodeType: 'variable_assignment',
}
}
// SECURITY: Setting IFS changes word-splitting behavior for subsequent
// unquoted $VAR expansions. `IFS=: && VAR=a:b && rm $VAR` → bash splits
// on `:` → `rm a b`. Our BARE_VAR_UNSAFE_RE only checks default IFS
// chars (space/tab/NL) — we can't model custom IFS. Reject.
if (name === 'IFS') {
return {
kind: 'too-complex',
reason: 'IFS assignment changes word-splitting — cannot model statically',
nodeType: 'variable_assignment',
}
}
// SECURITY: PS4 is expanded via promptvars (default on) on every command
// traced after `set -x`. A raw_string value containing $(cmd) or `cmd`
// executes at trace time: `PS4='$(id)' && set -x && :` runs id, but our
// argv is only [["set","-x"],[":"]] — the payload is invisible to
// permission checks. PS0-3 and PROMPT_COMMAND are not expanded in
// non-interactive shells (BashTool).
//
// ALLOWLIST, not blocklist. 5 rounds of bypass patches taught us that a
// value-dependent blocklist is structurally fragile:
// - `+=` effective-value computation diverges from bash in multiple
// scope-model gaps: `||` reset, env-prefix chain (PS4='' && PS4='$'
// PS4+='(id)' cmd reads stale parent value), subshell.
// - bash's decode_prompt_string runs BEFORE promptvars, so `\044(id)`
// (octal for `$`) becomes `$(id)` at trace time — any literal-char
// check must model prompt-escape decoding exactly.
// - assignment paths exist outside walkVariableAssignment (for_statement
// sets loopVar directly, see that handler's PS4 check).
//
// Policy: (1) reject += outright — no scope-tracking dependency; user can
// combine into one PS4=... (2) reject placeholders — runtime unknowable.
// (3) allowlist remaining value: ${identifier} refs (value-read only, safe)
// plus [A-Za-z0-9 _+:.\/=[\]-]. No bare `$` (blocks split primitive), no
// `\` (blocks octal \044/\140), no backtick, no parens. Covers all known
// encoding vectors and future ones — anything off the allowlist fails.
// Legit `PS4='+${BASH_SOURCE}:${LINENO}: '` still passes.
if (name === 'PS4') {
if (isAppend) {
return {
kind: 'too-complex',
reason:
'PS4 += cannot be statically verified — combine into a single PS4= assignment',
nodeType: 'variable_assignment',
}
}
if (containsAnyPlaceholder(value)) {
return {
kind: 'too-complex',
reason: 'PS4 value derived from cmdsub/variable — runtime unknowable',
nodeType: 'variable_assignment',
}
}
if (
!/^[A-Za-z0-9 _+:./=[\]-]*$/.test(
value.replace(/\$\{[A-Za-z_][A-Za-z0-9_]*\}/g, ''),
)
) {
return {
kind: 'too-complex',
reason:
'PS4 value outside safe charset — only ${VAR} refs and [A-Za-z0-9 _+:.=/[]-] allowed',
nodeType: 'variable_assignment',
}
}
}
// SECURITY: Tilde expansion in assignment RHS. `VAR=~/x` (unquoted) →
// bash expands `~` at ASSIGNMENT time → VAR='/home/user/x'. We see the
// literal `~/x`. Later `cd $VAR` → our argv `['cd','~/x']`, bash runs
// `cd /home/user/x`. Tilde expansion also happens after `=` and `:` in
// assignment values (e.g. PATH=~/bin:~/sbin). We can't model it — reject
// any value containing `~` that isn't already quoted-literal (where bash
// doesn't expand). Conservative: any `~` in value → reject.
if (value.includes('~')) {
return {
kind: 'too-complex',
reason: 'Tilde in assignment value — bash may expand at assignment time',
nodeType: 'variable_assignment',
}
}
return { name, value, isAppend }
}
/**
* Resolve a `simple_expansion` ($VAR) node. Returns VAR_PLACEHOLDER if
* resolvable, too-complex otherwise.
*
* @param insideString true when $VAR is inside a `string` node ("...$VAR...")
* rather than a bare/concatenation argument. SAFE_ENV_VARS and unknown-value
* tracked vars are only allowed inside strings — as bare args their runtime
* value IS the argument and we don't know it statically.
* `cd $HOME/../x` would hide the real path behind the placeholder;
* `echo "Home: $HOME"` just embeds text in a string. Tracked vars holding
* STATIC strings (VAR=literal) are allowed in both positions since their
* value IS known.
*/
function resolveSimpleExpansion(
node: Node,
varScope: Map<string, string>,
insideString: boolean,
): string | ParseForSecurityResult {
let varName: string | null = null
let isSpecial = false
for (const c of node.children) {
if (c?.type === 'variable_name') {
varName = c.text
break
}
if (c?.type === 'special_variable_name') {
varName = c.text
isSpecial = true
break
}
}
if (varName === null) return tooComplex(node)
// Tracked vars: check stored value. Literal strings (VAR=/tmp) are
// returned DIRECTLY so downstream path validation sees the real path.
// Non-literal values (containing any placeholder — loop vars, $() output,
// read vars, composites like `VAR="prefix$(cmd)"`) are ONLY safe inside
// strings; as bare args they'd hide the runtime path/flag from validation.
//
// SECURITY: Returning the actual trackedValue (not a placeholder) is the
// critical fix. `VAR=/etc && rm $VAR` → argv ['rm', '/etc'] → validatePath
// correctly rejects. Previously returned a placeholder → validatePath saw
// '__LOOP_STATIC__', resolved as cwd-relative → PASSED → bypass.
const trackedValue = varScope.get(varName)
if (trackedValue !== undefined) {
if (containsAnyPlaceholder(trackedValue)) {
// Non-literal: bare → reject, inside string → VAR_PLACEHOLDER
// (walkString's solo-placeholder gate rejects `"$VAR"` alone).
if (!insideString) return tooComplex(node)
return VAR_PLACEHOLDER
}
// Pure literal (e.g. '/tmp', 'foo') — return it directly. Downstream
// path validation / checkSemantics operate on the REAL value.
//
// SECURITY: For BARE args (not inside a string), bash word-splits on
// $IFS and glob-expands the result. `VAR="-rf /" && rm $VAR` → bash
// runs `rm -rf /` (two args); `VAR="/etc/*" && cat $VAR` → expands to
// all files. Reject values containing IFS/glob chars unless in "...".
//
// SECURITY: Empty value as bare arg. Bash word-splitting on "" produces
// ZERO fields — the expansion disappears. `V="" && $V eval x` → bash
// runs `eval x` (our argv would be ["","eval","x"] with name="" —
// every EVAL_LIKE/ZSH/keyword check misses). `V="" && ls $V /etc` →
// bash runs `ls /etc`, our argv has a phantom "" shifting positions.
// Inside "...": `"$V"` → bash produces one empty-string arg → our ""
// is correct, keep allowing.
if (!insideString) {
if (trackedValue === '') return tooComplex(node)
if (BARE_VAR_UNSAFE_RE.test(trackedValue)) return tooComplex(node)
}
return trackedValue
}
// SAFE_ENV_VARS + special vars ($?, $$, $@, $1, etc.): value unknown
// (shell-controlled). Only safe when embedded in a string, NOT as a
// bare argument to a path-sensitive command.
if (insideString) {
if (SAFE_ENV_VARS.has(varName)) return VAR_PLACEHOLDER
if (
isSpecial &&
(SPECIAL_VAR_NAMES.has(varName) || /^[0-9]+$/.test(varName))
) {
return VAR_PLACEHOLDER
}
}
return tooComplex(node)
}
/**
* Apply a variable assignment to the scope, handling `+=` append semantics.
* SECURITY: If EITHER side (existing value or appended value) contains a
* placeholder, the result is non-literal — store VAR_PLACEHOLDER so later
* $VAR correctly rejects as bare arg.
* `VAR=/etc && VAR+=$(cmd)` must not leave VAR looking static.
*/
function applyVarToScope(
varScope: Map<string, string>,
ev: { name: string; value: string; isAppend: boolean },
): void {
const existing = varScope.get(ev.name) ?? ''
const combined = ev.isAppend ? existing + ev.value : ev.value
varScope.set(
ev.name,
containsAnyPlaceholder(combined) ? VAR_PLACEHOLDER : combined,
)
}
function stripRawString(text: string): string {
return text.slice(1, -1)
}
function tooComplex(node: Node): ParseForSecurityResult {
const reason =
node.type === 'ERROR'
? 'Parse error'
: DANGEROUS_TYPES.has(node.type)
? `Contains ${node.type}`
: `Unhandled node type: ${node.type}`
return { kind: 'too-complex', reason, nodeType: node.type }
}
// ────────────────────────────────────────────────────────────────────────────
// Post-argv semantic checks
//
// Everything above answers "can we tokenize?". Everything below answers
// "is the resulting argv dangerous in ways that don't involve parsing?".
// These are checks on argv[0] or argv content that the old bashSecurity.ts
// validators performed but which have nothing to do with parser
// differentials. They're here (not in bashSecurity.ts) because they operate
// on SimpleCommand and need to run for every extracted command.
// ────────────────────────────────────────────────────────────────────────────
/**
* Zsh module builtins. These are not binaries on PATH — they're zsh
* internals loaded via zmodload. Since BashTool runs via the user's default
* shell (often zsh), and these parse as plain `command` nodes with no
* distinguishing syntax, we can only catch them by name.
*/
const ZSH_DANGEROUS_BUILTINS = new Set([
'zmodload',
'emulate',
'sysopen',
'sysread',
'syswrite',
'sysseek',
'zpty',
'ztcp',
'zsocket',
'zf_rm',
'zf_mv',
'zf_ln',
'zf_chmod',
'zf_chown',
'zf_mkdir',
'zf_rmdir',
'zf_chgrp',
])
/**
* Shell builtins that evaluate their arguments as code or otherwise escape
* the argv abstraction. A command like `eval "rm -rf /"` has argv
* ['eval', 'rm -rf /'] which looks inert to flag validation but executes
* the string. Treat these the same as command substitution.
*/
const EVAL_LIKE_BUILTINS = new Set([
'eval',
'source',
'.',
'exec',
'command',
'builtin',
'fc',
// `coproc rm -rf /` spawns rm as a coprocess. tree-sitter parses it as
// a plain command with argv[0]='coproc', so permission rules and path
// validation would check 'coproc' not 'rm'.
'coproc',
// Zsh precommand modifiers: `noglob cmd args` runs cmd with globbing off.
// They parse as ordinary commands (noglob is argv[0], the real command is
// argv[1]) so permission matching against argv[0] would see 'noglob', not
// the wrapped command.
'noglob',
'nocorrect',
// `trap 'cmd' SIGNAL` — cmd runs as shell code on signal/exit. EXIT fires
// at end of every BashTool invocation, so this is guaranteed execution.
'trap',
// `enable -f /path/lib.so name` — dlopen arbitrary .so as a builtin.
// Native code execution.
'enable',
// `mapfile -C callback -c N` / `readarray -C callback` — callback runs as
// shell code every N input lines.
'mapfile',
'readarray',
// `hash -p /path cmd` — poisons bash's command-lookup cache. Subsequent
// `cmd` in the same command resolves to /path instead of PATH lookup.
'hash',
// `bind -x '"key":cmd'` / `complete -C cmd` — interactive-only callbacks
// but still code-string arguments. Low impact in non-interactive BashTool
// shells, blocked for consistency. `compgen -C cmd` is NOT interactive-only:
// it immediately executes the -C argument to generate completions.
'bind',
'complete',
'compgen',
// `alias name='cmd'` — aliases not expanded in non-interactive bash by
// default, but `shopt -s expand_aliases` enables them. Also blocked as
// defense-in-depth (alias followed by name use in same command).
'alias',
// `let EXPR` arithmetically evaluates EXPR — identical to $(( EXPR )).
// Array subscripts in the expression expand $(cmd) at eval time even when
// the argument arrived single-quoted: `let 'x=a[$(id)]'` executes id.
// tree-sitter sees the raw_string as an opaque leaf. Same primitive
// walkArithmetic guards, but `let` is a plain command node.
'let',
])
/**
* Builtins that re-parse a NAME operand internally and arithmetically
* evaluate `arr[EXPR]` subscripts — including $(cmd) in the subscript —
* even when the argv element arrived from a single-quoted raw_string.
* `test -v 'a[$(id)]'` → tree-sitter sees an opaque leaf, bash runs id.
* Maps: builtin name → set of flags whose next argument is a NAME.
*/
const SUBSCRIPT_EVAL_FLAGS: Record<string, Set<string>> = {
test: new Set(['-v', '-R']),
'[': new Set(['-v', '-R']),
'[[': new Set(['-v', '-R']),
printf: new Set(['-v']),
read: new Set(['-a']),
unset: new Set(['-v']),
// bash 5.1+: `wait -p VAR [id...]` stores the waited PID into VAR. When VAR
// is `arr[EXPR]`, bash arithmetically evaluates the subscript — running
// $(cmd) even from a single-quoted raw_string. Verified bash 5.3.9:
// `: & wait -p 'a[$(id)]' %1` executes id.
wait: new Set(['-p']),
}
/**
* `[[ ARG1 OP ARG2 ]]` where OP is an arithmetic comparison. bash manual:
* "When used with [[, Arg1 and Arg2 are evaluated as arithmetic
* expressions." Arithmetic evaluation recursively expands array subscripts,
* so `[[ 'a[$(id)]' -eq 0 ]]` executes `id` even though tree-sitter sees
* the operand as an opaque raw_string leaf. Unlike -v/-R (unary, NAME after
* flag), these are binary — the subscript can appear on EITHER side, so
* SUBSCRIPT_EVAL_FLAGS's "next arg" logic is insufficient.
* `[` / `test` are not vulnerable (bash errors with "integer expression
* expected"), but the test_command handler normalizes argv[0]='[[' for
* both forms, so they get this check too — mild over-blocking, safe side.
*/
const TEST_ARITH_CMP_OPS = new Set(['-eq', '-ne', '-lt', '-le', '-gt', '-ge'])
/**
* Builtins where EVERY non-flag positional argument is a NAME that bash
* re-parses and arithmetically evaluates subscripts on — no flag required.
* `read 'a[$(id)]'` executes id: each positional is a variable name to
* assign into, and `arr[EXPR]` is valid syntax there. `unset NAME...` is
* the same (though tree-sitter's unset_command handler currently rejects
* raw_string children before reaching here — this is defense-in-depth).
* NOT printf (positional args are FORMAT/data), NOT test/[ (operands are
* values, only -v/-R take a NAME). declare/typeset/local handled in
* declaration_command since they never reach here as plain commands.
*/
const BARE_SUBSCRIPT_NAME_BUILTINS = new Set(['read', 'unset'])
/**
* `read` flags whose NEXT argument is data (prompt/delimiter/count/fd),
* not a NAME. `read -p '[foo] ' var` must not trip on the `[` in the
* prompt string. `-a` is intentionally absent — its operand IS a NAME.
*/
const READ_DATA_FLAGS = new Set(['-p', '-d', '-n', '-N', '-t', '-u', '-i'])
// SHELL_KEYWORDS imported from bashParser.ts — shell reserved words can never
// be legitimate argv[0]; if they appear, the parser mis-parsed a compound
// command. Reject to avoid nonsense argv reaching downstream.
// Use `.*` not `[^/]*` — Linux resolves `..` in procfs, so
// `/proc/self/../self/environ` works and must be caught.
const PROC_ENVIRON_RE = /\/proc\/.*\/environ/
/**
* Newline followed by `#` in an argv element, env var value, or redirect target.
* Downstream stripSafeWrappers re-tokenizes .text line-by-line and treats `#`
* after a newline as a comment, hiding arguments that follow.
*/
const NEWLINE_HASH_RE = /\n[ \t]*#/
export type SemanticCheckResult = { ok: true } | { ok: false; reason: string }
/**
* Post-argv semantic checks. Run after parseForSecurity returns 'simple' to
* catch commands that tokenize fine but are dangerous by name or argument
* content. Returns the first failure or {ok: true}.
*/
export function checkSemantics(commands: SimpleCommand[]): SemanticCheckResult {
for (const cmd of commands) {
// Strip safe wrapper commands (nohup, time, timeout N, nice -n N) so
// `nohup eval "..."` and `timeout 5 jq 'system(...)'` are checked
// against the wrapped command, not the wrapper. Inlined here to avoid
// circular import with bashPermissions.ts.
let a = cmd.argv
for (;;) {
if (a[0] === 'time' || a[0] === 'nohup') {
a = a.slice(1)
} else if (a[0] === 'timeout') {
// `timeout 5`, `timeout 5s`, `timeout 5.5`, plus optional GNU flags
// preceding the duration. Long: --foreground, --kill-after=N,
// --signal=SIG, --preserve-status. Short: -k DUR, -s SIG, -v (also
// fused: -k5, -sTERM).
// SECURITY (SAST Mar 2026): the previous loop only skipped `--long`
// flags, so `timeout -k 5 10 eval ...` broke out with name='timeout'
// and the wrapped eval was never checked. Now handle known short
// flags AND fail closed on any unrecognized flag — an unknown flag
// means we can't locate the wrapped command, so we must not silently
// fall through to name='timeout'.
let i = 1
while (i < a.length) {
const arg = a[i]!
if (
arg === '--foreground' ||
arg === '--preserve-status' ||
arg === '--verbose'
) {
i++ // known no-value long flags
} else if (/^--(?:kill-after|signal)=[A-Za-z0-9_.+-]+$/.test(arg)) {
i++ // --kill-after=5, --signal=TERM (value fused with =)
} else if (
(arg === '--kill-after' || arg === '--signal') &&
a[i + 1] &&
/^[A-Za-z0-9_.+-]+$/.test(a[i + 1]!)
) {
i += 2 // --kill-after 5, --signal TERM (space-separated)
} else if (arg.startsWith('--')) {
// Unknown long flag, OR --kill-after/--signal with non-allowlisted
// value (e.g. placeholder from $() substitution). Fail closed.
return {
ok: false,
reason: `timeout with ${arg} flag cannot be statically analyzed`,
}
} else if (arg === '-v') {
i++ // --verbose, no argument
} else if (
(arg === '-k' || arg === '-s') &&
a[i + 1] &&
/^[A-Za-z0-9_.+-]+$/.test(a[i + 1]!)
) {
i += 2 // -k DURATION / -s SIGNAL — separate value
} else if (/^-[ks][A-Za-z0-9_.+-]+$/.test(arg)) {
i++ // fused: -k5, -sTERM
} else if (arg.startsWith('-')) {
// Unknown flag OR -k/-s with non-allowlisted value — can't locate
// wrapped cmd. Reject, don't fall through to name='timeout'.
return {
ok: false,
reason: `timeout with ${arg} flag cannot be statically analyzed`,
}
} else {
break // non-flag — should be the duration
}
}
if (a[i] && /^\d+(?:\.\d+)?[smhd]?$/.test(a[i]!)) {
a = a.slice(i + 1)
} else if (a[i]) {
// SECURITY (PR #21503 round 3): a[i] exists but doesn't match our
// duration regex. GNU timeout parses via xstrtod() (libc strtod) and
// accepts `.5`, `+5`, `5e-1`, `inf`, `infinity`, hex floats — none
// of which match `/^\d+(\.\d+)?[smhd]?$/`. Empirically verified:
// `timeout .5 echo ok` works. Previously this branch `break`ed
// (fail-OPEN) so `timeout .5 eval "id"` with `Bash(timeout:*)` left
// name='timeout' and eval was never checked. Now fail CLOSED —
// consistent with the unknown-FLAG handling above (lines ~1895,1912).
return {
ok: false,
reason: `timeout duration '${a[i]}' cannot be statically analyzed`,
}
} else {
break // no more args — `timeout` alone, inert
}
} else if (a[0] === 'nice') {
// `nice cmd`, `nice -n N cmd`, `nice -N cmd` (legacy). All run cmd
// at a lower priority. argv[0] check must see the wrapped cmd.
if (a[1] === '-n' && a[2] && /^-?\d+$/.test(a[2])) {
a = a.slice(3)
} else if (a[1] && /^-\d+$/.test(a[1])) {
a = a.slice(2) // `nice -10 cmd`
} else if (a[1] && /[$(`]/.test(a[1])) {
// SECURITY: walkArgument returns node.text for arithmetic_expansion,
// so `nice $((0-5)) jq ...` has a[1]='$((0-5))'. Bash expands it to
// '-5' (legacy nice syntax) and execs jq; we'd slice(1) here and
// set name='$((0-5))' which skips the jq system() check entirely.
// Fail closed — mirrors the timeout-duration fail-closed above.
return {
ok: false,
reason: `nice argument '${a[1]}' contains expansion — cannot statically determine wrapped command`,
}
} else {
a = a.slice(1) // bare `nice cmd`
}
} else if (a[0] === 'env') {
// `env [VAR=val...] [-i] [-0] [-v] [-u NAME...] cmd args` runs cmd.
// argv[0] check must see cmd, not env. Skip known-safe forms only.
// SECURITY: -S splits a string into argv (mini-shell) — must reject.
// -C/-P change cwd/PATH — wrapped cmd runs elsewhere, reject.
// Any OTHER flag → reject (fail-closed, not fail-open to name='env').
let i = 1
while (i < a.length) {
const arg = a[i]!
if (arg.includes('=') && !arg.startsWith('-')) {
i++ // VAR=val assignment
} else if (arg === '-i' || arg === '-0' || arg === '-v') {
i++ // flags with no argument
} else if (arg === '-u' && a[i + 1]) {
i += 2 // -u NAME unsets; takes one arg
} else if (arg.startsWith('-')) {
// -S (argv splitter), -C (altwd), -P (altpath), --anything,
// or unknown flag. Can't model — reject the whole command.
return {
ok: false,
reason: `env with ${arg} flag cannot be statically analyzed`,
}
} else {
break // the wrapped command
}
}
if (i < a.length) {
a = a.slice(i)
} else {
break // `env` alone (no wrapped cmd) — inert, name='env'
}
} else if (a[0] === 'stdbuf') {
// `stdbuf -o0 cmd` (fused), `stdbuf -o 0 cmd` (space-separated),
// multiple flags (`stdbuf -o0 -eL cmd`), long forms (`--output=0`).
// SECURITY: previous handling only stripped ONE flag and fell through
// to slice(2) for anything unrecognized, so `stdbuf --output 0 eval`
// → ['0','eval',...] → name='0' hid eval. Now iterate all known flag
// forms and fail closed on any unknown flag.
let i = 1
while (i < a.length) {
const arg = a[i]!
if (STDBUF_SHORT_SEP_RE.test(arg) && a[i + 1]) {
i += 2 // -o MODE (space-separated)
} else if (STDBUF_SHORT_FUSED_RE.test(arg)) {
i++ // -o0 (fused)
} else if (STDBUF_LONG_RE.test(arg)) {
i++ // --output=MODE (fused long)
} else if (arg.startsWith('-')) {
// --output MODE (space-separated long) or unknown flag. GNU
// stdbuf long options use `=` syntax, but getopt_long also
// accepts space-separated — we can't enumerate safely, reject.
return {
ok: false,
reason: `stdbuf with ${arg} flag cannot be statically analyzed`,
}
} else {
break // the wrapped command
}
}
if (i > 1 && i < a.length) {
a = a.slice(i)
} else {
break // `stdbuf` with no flags or no wrapped cmd — inert
}
} else {
break
}
}
const name = a[0]
if (name === undefined) continue
// SECURITY: Empty command name. Quoted empty (`"" cmd`) is harmless —
// bash tries to exec "" and fails with "command not found". But an
// UNQUOTED empty expansion at command position (`V="" && $V cmd`) is a
// bypass: bash drops the empty field and runs `cmd` as argv[0], while
// our name="" skips every builtin check below. resolveSimpleExpansion
// rejects the $V case; this catches any other path to empty argv[0]
// (concatenation of empties, walkString whitespace-quirk, future bugs).
if (name === '') {
return {
ok: false,
reason: 'Empty command name — argv[0] may not reflect what bash runs',
}
}
// Defense-in-depth: argv[0] should never be a placeholder after the
// var-tracking fix (static vars return real value, unknown vars reject).
// But if a bug upstream ever lets one through, catch it here — a
// placeholder-as-command-name means runtime-determined command → unsafe.
if (name.includes(CMDSUB_PLACEHOLDER) || name.includes(VAR_PLACEHOLDER)) {
return {
ok: false,
reason: 'Command name is runtime-determined (placeholder argv[0])',
}
}
// argv[0] starts with an operator/flag: this is a fragment, not a
// command. Likely a line-continuation leak or a mistake.
if (name.startsWith('-') || name.startsWith('|') || name.startsWith('&')) {
return {
ok: false,
reason: 'Command appears to be an incomplete fragment',
}
}
// SECURITY: builtins that re-parse a NAME operand internally. bash
// arithmetically evaluates `arr[EXPR]` in NAME position, running $(cmd)
// in the subscript even when the argv element arrived from a
// single-quoted raw_string (opaque leaf to tree-sitter). Two forms:
// separate (`printf -v NAME`) and fused (`printf -vNAME`, getopt-style).
// `printf '[%s]' x` stays safe — `[` in format string, not after `-v`.
const dangerFlags = SUBSCRIPT_EVAL_FLAGS[name]
if (dangerFlags !== undefined) {
for (let i = 1; i < a.length; i++) {
const arg = a[i]!
// Separate form: `-v` then NAME in next arg.
if (dangerFlags.has(arg) && a[i + 1]?.includes('[')) {
return {
ok: false,
reason: `'${name} ${arg}' operand contains array subscript — bash evaluates $(cmd) in subscripts`,
}
}
// Combined short flags: `-ra` is bash shorthand for `-r -a`.
// Check if any danger flag character appears in a combined flag
// string. The danger flag's NAME operand is the next argument.
if (
arg.length > 2 &&
arg[0] === '-' &&
arg[1] !== '-' &&
!arg.includes('[')
) {
for (const flag of dangerFlags) {
if (flag.length === 2 && arg.includes(flag[1]!)) {
if (a[i + 1]?.includes('[')) {
return {
ok: false,
reason: `'${name} ${flag}' (combined in '${arg}') operand contains array subscript — bash evaluates $(cmd) in subscripts`,
}
}
}
}
}
// Fused form: `-vNAME` in one arg. Only short-option flags fuse
// (getopt), so check -v/-a/-R. `[[` uses test_operator nodes only.
for (const flag of dangerFlags) {
if (
flag.length === 2 &&
arg.startsWith(flag) &&
arg.length > 2 &&
arg.includes('[')
) {
return {
ok: false,
reason: `'${name} ${flag}' (fused) operand contains array subscript — bash evaluates $(cmd) in subscripts`,
}
}
}
}
}
// SECURITY: `[[ ARG OP ARG ]]` arithmetic comparison. bash evaluates
// BOTH operands as arithmetic expressions, recursively expanding
// `arr[$(cmd)]` subscripts even from single-quoted raw_string. Check
// the operand adjacent to each arith-cmp operator on BOTH sides —
// SUBSCRIPT_EVAL_FLAGS's "flag then next-arg" pattern can't express
// "either side of a binary op". String comparisons (==/!=/=~) do NOT
// trigger arithmetic eval — `[[ 'a[x]' == y ]]` is a literal string cmp.
if (name === '[[') {
// i starts at 2: a[0]='[[' (contains '['), a[1] is the first real
// operand. A binary op can't appear before index 2.
for (let i = 2; i < a.length; i++) {
if (!TEST_ARITH_CMP_OPS.has(a[i]!)) continue
if (a[i - 1]?.includes('[') || a[i + 1]?.includes('[')) {
return {
ok: false,
reason: `'[[ ... ${a[i]} ... ]]' operand contains array subscript — bash arithmetically evaluates $(cmd) in subscripts`,
}
}
}
}
// SECURITY: `read`/`unset` treat EVERY bare positional as a NAME —
// no flag needed. `read 'a[$(id)]' <<< data` executes id even though
// argv[1] arrived from a single-quoted raw_string and no -a flag is
// present. Same primitive as SUBSCRIPT_EVAL_FLAGS but the trigger is
// positional, not flag-gated. Skip operands of read's data-taking
// flags (-p PROMPT etc.) to avoid blocking `read -p '[foo] ' var`.
if (BARE_SUBSCRIPT_NAME_BUILTINS.has(name)) {
let skipNext = false
for (let i = 1; i < a.length; i++) {
const arg = a[i]!
if (skipNext) {
skipNext = false
continue
}
if (arg[0] === '-') {
if (name === 'read') {
if (READ_DATA_FLAGS.has(arg)) {
skipNext = true
} else if (arg.length > 2 && arg[1] !== '-') {
// Combined short flag like `-rp`. Getopt-style: first
// data-flag char consumes rest-of-arg as its operand
// (`-p[foo]` → prompt=`[foo]`), or next-arg if last
// (`-rp '[foo]'` → prompt=`[foo]`). So skipNext iff a
// data-flag char appears at the END after only no-arg
// flags like `-r`/`-s`.
for (let j = 1; j < arg.length; j++) {
if (READ_DATA_FLAGS.has('-' + arg[j])) {
if (j === arg.length - 1) skipNext = true
break
}
}
}
}
continue
}
if (arg.includes('[')) {
return {
ok: false,
reason: `'${name}' positional NAME '${arg}' contains array subscript — bash evaluates $(cmd) in subscripts`,
}
}
}
}
// SECURITY: Shell reserved keywords as argv[0] indicate a tree-sitter
// mis-parse. `! for i in a; do :; done` parses as `command "for i in a"`
// + `command "do :"` + `command "done"` — tree-sitter fails to recognize
// `for` after `!` as a compound command start. Reject: keywords can never
// be legitimate command names, and argv like ['do','false'] is nonsense.
if (SHELL_KEYWORDS.has(name)) {
return {
ok: false,
reason: `Shell keyword '${name}' as command name — tree-sitter mis-parse`,
}
}
// Check argv (not .text) to catch both single-quote (`'\n#'`) and
// double-quote (`"\n#"`) variants. Env vars and redirects are also
// part of the .text span so the same downstream bug applies.
// Heredoc bodies are excluded from argv so markdown `##` headers
// don't trigger this.
// TODO: remove once downstream path validation operates on argv.
for (const arg of cmd.argv) {
if (arg.includes('\n') && NEWLINE_HASH_RE.test(arg)) {
return {
ok: false,
reason:
'Newline followed by # inside a quoted argument can hide arguments from path validation',
}
}
}
for (const ev of cmd.envVars) {
if (ev.value.includes('\n') && NEWLINE_HASH_RE.test(ev.value)) {
return {
ok: false,
reason:
'Newline followed by # inside an env var value can hide arguments from path validation',
}
}
}
for (const r of cmd.redirects) {
if (r.target.includes('\n') && NEWLINE_HASH_RE.test(r.target)) {
return {
ok: false,
reason:
'Newline followed by # inside a redirect target can hide arguments from path validation',
}
}
}
// jq's system() built-in executes arbitrary shell commands, and flags
// like --from-file can read arbitrary files into jq variables. On the
// legacy path these are caught by validateJqCommand in bashSecurity.ts,
// but that validator is gated behind `astSubcommands === null` and
// never runs when the AST parse succeeds. Mirror the checks here so
// the AST path has the same defence.
if (name === 'jq') {
for (const arg of a) {
if (/\bsystem\s*\(/.test(arg)) {
return {
ok: false,
reason:
'jq command contains system() function which executes arbitrary commands',
}
}
}
if (
a.some(arg =>
/^(?:-[fL](?:$|[^A-Za-z])|--(?:from-file|rawfile|slurpfile|library-path)(?:$|=))/.test(
arg,
),
)
) {
return {
ok: false,
reason:
'jq command contains dangerous flags that could execute code or read arbitrary files',
}
}
}
if (ZSH_DANGEROUS_BUILTINS.has(name)) {
return {
ok: false,
reason: `Zsh builtin '${name}' can bypass security checks`,
}
}
if (EVAL_LIKE_BUILTINS.has(name)) {
// `command -v foo` / `command -V foo` are POSIX existence checks that
// only print paths — they never execute argv[1]. Bare `command foo`
// does bypass function/alias lookup (the concern), so keep blocking it.
if (name === 'command' && (a[1] === '-v' || a[1] === '-V')) {
// fall through to remaining checks
} else if (
name === 'fc' &&
!a.slice(1).some(arg => /^-[^-]*[es]/.test(arg))
) {
// `fc -l`, `fc -ln` list history — safe. `fc -e ed` invokes an
// editor then executes. `fc -s [pat=rep]` RE-EXECUTES the last
// matching command (optionally with substitution) — as dangerous
// as eval. Block any short-opt containing `e` or `s`.
// to avoid introducing FPs for `fc -l` (list history).
} else if (
name === 'compgen' &&
!a.slice(1).some(arg => /^-[^-]*[CFW]/.test(arg))
) {
// `compgen -c/-f/-v` only list completions — safe. `compgen -C cmd`
// immediately executes cmd; `-F func` calls a shell function; `-W list`
// word-expands its argument (including $(cmd) even from single-quoted
// raw_string). Block any short-opt containing C/F/W (case-sensitive:
// -c/-f are safe).
} else {
return {
ok: false,
reason: `'${name}' evaluates arguments as shell code`,
}
}
}
// /proc/*/environ exposes env vars (including secrets) of other processes.
// Check argv and redirect targets — `cat /proc/self/environ` and
// `cat < /proc/self/environ` both read it.
for (const arg of cmd.argv) {
if (arg.includes('/proc/') && PROC_ENVIRON_RE.test(arg)) {
return {
ok: false,
reason: 'Accesses /proc/*/environ which may expose secrets',
}
}
}
for (const r of cmd.redirects) {
if (r.target.includes('/proc/') && PROC_ENVIRON_RE.test(r.target)) {
return {
ok: false,
reason: 'Accesses /proc/*/environ which may expose secrets',
}
}
}
}
return { ok: true }
}
Reference in New Issue View Git Blame Copy Permalink