126 lines
3.4 KiB
Go
126 lines
3.4 KiB
Go
package permission
|
|
|
|
import (
|
|
"strings"
|
|
|
|
"reasonix/internal/shellparse"
|
|
"reasonix/internal/shellsafe"
|
|
)
|
|
|
|
// isReadOnlyBashSubject returns true when a bash command is a known read-only
|
|
// operation. The subject is the JSON arg value extracted by Subject() — for bash
|
|
// it is the raw command string. Command membership comes from the shared
|
|
// shellsafe tables (one source of truth with the plan-mode gate, #5341); the
|
|
// argument rigor below is permission-specific.
|
|
func isReadOnlyBashSubject(subject string) bool {
|
|
if normalized, ok := normalizeBashSafeRedirectsForMatch(subject); ok {
|
|
subject = normalized
|
|
}
|
|
base, sub, ok := shellsafe.CommandIsReadOnly(subject)
|
|
if !ok {
|
|
return false
|
|
}
|
|
fields, malformed := shellparse.StaticFields(subject)
|
|
if malformed != "" {
|
|
return false
|
|
}
|
|
if sub == "" {
|
|
return !hasUnsafeReadOnlyArgs(base, fields[1:])
|
|
}
|
|
return !hasUnsafePrefixArgs(base, sub, fields[2:])
|
|
}
|
|
|
|
// containsShellSyntax delegates to the shared classifier; retained for the other
|
|
// permission call sites (permission.go).
|
|
func containsShellSyntax(cmd string) bool {
|
|
return shellsafe.ContainsShellSyntax(cmd)
|
|
}
|
|
|
|
func hasUnsafeReadOnlyArgs(base string, args []string) bool {
|
|
switch base {
|
|
case "find":
|
|
return hasAnyArg(args, "-exec", "-execdir", "-delete", "-ok", "-okdir", "-fls", "-fprint", "-fprint0", "-fprintf")
|
|
case "sed":
|
|
for _, arg := range args {
|
|
if strings.HasPrefix(arg, "-i") || strings.HasPrefix(arg, "--in-place") {
|
|
return true
|
|
}
|
|
}
|
|
case "sort":
|
|
return hasArgWithPrefix(args, "-o") || hasAnyArg(args, "--output") || hasArgWithPrefix(args, "--output=")
|
|
}
|
|
return false
|
|
}
|
|
|
|
func hasUnsafePrefixArgs(base, subcmd string, args []string) bool {
|
|
switch base {
|
|
case "git":
|
|
switch subcmd {
|
|
case "diff", "show", "log":
|
|
return hasAnyArg(args, "--output") || hasArgWithPrefix(args, "--output=")
|
|
}
|
|
case "go":
|
|
if subcmd == "env" {
|
|
return hasAnyArg(args, "-w", "-u")
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func hasArgWithPrefix(args []string, prefix string) bool {
|
|
for _, arg := range args {
|
|
if strings.HasPrefix(arg, prefix) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func hasAnyArg(args []string, unsafe ...string) bool {
|
|
for _, arg := range args {
|
|
for _, candidate := range unsafe {
|
|
if arg == candidate {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// dangerousBashPatterns are glob-like patterns that match destructive
|
|
// commands. Used only for a UI warning — the deny list is the actual
|
|
// enforcement mechanism.
|
|
var dangerousBashPatterns = []struct {
|
|
pattern string
|
|
label string
|
|
}{
|
|
{"rm -rf*", "recursive delete"},
|
|
{"rm -r *", "recursive delete"},
|
|
{"rm -fr*", "recursive delete"},
|
|
{"git push*--force*", "force push"},
|
|
{"git push*-f*", "force push"},
|
|
{"git reset --hard*", "hard reset"},
|
|
{"git clean -f*", "force clean"},
|
|
{"chmod 777*", "world-writable"},
|
|
{"chmod -R 777*", "world-writable recursive"},
|
|
{"chown *", "ownership change"},
|
|
{"sudo *", "superuser"},
|
|
{"mkfs*", "filesystem format"},
|
|
{"dd if=*", "raw device write"},
|
|
{"fdisk*", "partition table"},
|
|
{"> /dev/*", "device overwrite"},
|
|
}
|
|
|
|
// BashDangerWarning returns a short label if subject matches a known
|
|
// dangerous pattern, or "" when the command looks safe. This is a visual
|
|
// hint only — the Policy rules are the authority.
|
|
func BashDangerWarning(subject string) string {
|
|
s := strings.TrimSpace(subject)
|
|
for _, d := range dangerousBashPatterns {
|
|
if matchGlob(d.pattern, s) {
|
|
return d.label
|
|
}
|
|
}
|
|
return ""
|
|
}
|