feat(tools): harden shell command detection against bypass vectors #668

Merged
bug-ops merged 1 commit into main from feat/618-shell-hardening
Feb 19, 2026

@bug-ops bug-ops commented Feb 19, 2026

Summary

  • Replace substring-based blocked command matching with tokenizer pipeline that normalizes shell escape sequences (backslash, hex $'\xNN', octal $'\NNN', quote splitting) and splits on shell operators before word-boundary matching
  • Extract basename from absolute paths so /usr/bin/sudo is correctly blocked
  • Skip transparent wrapper prefixes (env, command, exec, nice, nohup, time, xargs) to detect actual command
  • Use std::path::absolute() as fallback when canonicalize() fails on non-existent paths in sandbox validation
  • Add $( and backtick subshell expressions to default confirm patterns
  • Fix false positive: "sudoku" no longer matched by "sudo" pattern

Test plan

  • 382/382 unit tests pass (cargo nextest run -p zeph-tools --lib)
  • Bypass vectors validated: backslash insertion, hex/octal escapes, quote splitting, pipe chains, absolute paths, transparent wrappers
  • No regressions in sandbox validation or existing blocked command tests
  • cargo +nightly fmt --check clean
  • cargo clippy --workspace -- -D warnings clean
  • Security audit passed (AUDIT-01, AUDIT-02, AUDIT-03 addressed)

Closes #618, Closes #628, Closes #629

Replace substring-based blocked command matching with tokenizer pipeline:
strip_shell_escapes normalizes backslash, hex/octal ($'\xNN'/'\NNN'),
and quote-split bypasses; tokenize_commands splits on pipes, operators,
and semicolons; tokens_match_pattern performs word-boundary matching
with basename extraction and transparent prefix skipping.

Use std::path::absolute() as canonicalize fallback for non-existent
paths in sandbox validation.

Closes #618
@github-actions github-actions bot added the enhancement, documentation, rust and size/L labels and removed the enhancement label Feb 19, 2026
@bug-ops bug-ops enabled auto-merge (squash) February 19, 2026 22:57
@bug-ops bug-ops merged commit bda2402 into main Feb 19, 2026
23 checks passed
@bug-ops bug-ops deleted the feat/618-shell-hardening branch February 19, 2026 23:00
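
An added example, not code from this pull request or from zeph-tools: a minimal sketch of why substring matching both over-blocks ("sudoku") and under-blocks (backslash insertion, absolute paths, wrappers), next to a normalize, split and match-on-command-position check. All function names are hypothetical, and the `$'\xNN'` / `$'\NNN'` decoding and subshell patterns described in the summary are left out.

```rust
// Added illustration, not zeph-tools code; all function names are hypothetical.
const WRAPPERS: [&str; 7] = ["env", "command", "exec", "nice", "nohup", "time", "xargs"];

/// The "before": plain substring search over the raw command line.
fn naive_blocked(cmd: &str, blocked: &[&str]) -> bool {
    blocked.iter().any(|b| cmd.contains(*b))
}

/// Drop backslashes and quote characters so `su\do` and `s'u'do` read as `sudo`.
fn normalize(cmd: &str) -> String {
    cmd.chars().filter(|&c| !matches!(c, '\\' | '\'' | '"')).collect()
}

/// Split on |, ;, & and newline, which also covers || and &&.
fn segments(cmd: &str) -> Vec<&str> {
    cmd.split(|c: char| matches!(c, '|' | ';' | '&' | '\n'))
        .map(str::trim)
        .filter(|s| !s.is_empty())
        .collect()
}

/// Basename of the first word that is not a flag, a VAR=value or a wrapper.
/// Simplification: option arguments such as the `10` in `nice -n 10` are not skipped.
fn effective_command(segment: &str) -> Option<&str> {
    segment
        .split_whitespace()
        .filter(|w| !w.starts_with('-') && !w.contains('='))
        .map(|w| w.rsplit('/').next().unwrap_or(w))
        .find(|w| !WRAPPERS.contains(w))
}

/// The "after": whole-word match on the command position of every segment.
fn is_blocked(cmd: &str, blocked: &[&str]) -> bool {
    let clean = normalize(cmd);
    segments(&clean)
        .into_iter()
        .filter_map(effective_command)
        .any(|c| blocked.contains(&c))
}

fn main() {
    // Constructed sample inputs.
    for cmd in ["sudoku --new", "su\\do id", "ls | /usr/bin/sudo id", "env A=1 nohup sudo id"] {
        println!("{cmd:?}: naive={} tokenized={}", naive_blocked(cmd, &["sudo"]), is_blocked(cmd, &["sudo"]));
    }
}
```

Stripping quotes before splitting is deliberately conservative: an operator inside a quoted string is treated as a real separator, so the check errs toward blocking.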