Implement POSIX test and [ builtin commands#23
Implement POSIX test and [ builtin commands#23gh-worker-dd-mergequeue-cf854d[bot] merged 23 commits intomainfrom
Conversation
Co-authored-by: AlexandreYang <49917914+AlexandreYang@users.noreply.github.com>
|
Bits Dev status: ✅ Done Comment @DataDog to request changes |
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8e590d16e3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…d copyright headers Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…rands Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…l.Access Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bfdd72b494
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
[Security Audit] LOW: TOCTOU Between This is an inherent limitation of the Mitigating factors: Both the test and the subsequent operation are independently validated through Remediation: No action required. Defense-in-depth from |
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix -w/-x to check effective UID/GID permission class (owner/group/other) instead of any-class mode bits. Uses syscall.Stat_t on Unix; falls back to any-class bits on Windows. - Add pentest tests for 1000+ deep nesting, null bytes in file paths, 100KB string arguments, and 100KB file paths. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
✅ Code Quality ✅ Code Vulnerabilities ✅ Library Vulnerabilities ✅ Secrets 🎉 All green!🛠️ No new code quality issues 🔗 Commit SHA: 619d206 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback! |
![datadog-official[bot]](https://avatars.githubusercontent.com/in/1358509?s=60&v=4){kind=small}
matt-dz
left a comment
matt-dz
left a comment
There was a problem hiding this comment.
Security Audit — POSIX test and [ Builtins
Overall Risk: LOW — No sandbox escape vectors identified.
| # | Severity | Finding | File |
|---|---|---|---|
| 1 | Medium | Unbounded recursion via ! operator (no depth limit) |
testcmd.go:254 |
| 2 | Medium | TOCTOU window between Open() and Stat() in access() |
allowed_paths.go:100-113 |
| 3 | Low | effectiveHasPerm only checks primary GID, not supplementary groups |
portable_unix.go:45 |
| 4 | Low | Raw OS errors returned from stat/lstat/access API (mitigated in test by silent error swallowing) |
allowed_paths.go |
Positive Observations
os.Rootsandbox (Go 1.24openatsyscalls) is immune to symlink traversal and../escape — excellent design- Import allowlist enforced at AST level prevents builtins from importing
os,exec,net, etc. - Empty path handling correctly returns
falsebefore any filesystem access - Paren depth limiting properly capped at 128 with pentest coverage
- Integer overflow correctly handled — clamped to
MinInt64/MaxInt64, base-10 only - Error messages silently suppressed in file tests, preventing information leakage
- Comprehensive pentest test suite covering path traversal, null bytes, deep nesting, integer edge cases
Nice work overall — the defense-in-depth layering is solid. See inline comments for details on each finding.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- S1: Add depth limit to parseNot() recursion via existing depth counter - S2: Fix TOCTOU in access() by using f.Stat() on open fd instead of separate ar.root.Stat() call; wrap errors with portablePathError() - S3: Check supplementary groups in effectiveHasPerm via os.Getgroups() - S4: Wrap raw OS errors with portablePathError() in access() (done as part of S2 fix) - Simplify boolean expression in portable_windows.go (Datadog code quality) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The builtins.Command struct uses MakeFlags (not Run). Updated test and [ command registrations to use builtins.NoFlags(handler) matching the pattern used by all other builtins. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- access(): fall through to Stat path when Open() fails on a directory (isErrIsDirectory), fixing test -r <dir> on Windows - evalFileTest(): add nil guards for StatFile/LstatFile callbacks, matching the existing AccessFile nil check pattern Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…cket-builtins # Conflicts: # interp/register_builtins.go # tests/import_allowlist_test.go
| "github.com/spf13/pflag.ContinueOnError", | ||
| // pflag.NewFlagSet — CLI flag parsing; operates only on string slices, no I/O. | ||
| "github.com/spf13/pflag.NewFlagSet", |
There was a problem hiding this comment.
those should be removed
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
thieman
left a comment
thieman
left a comment
There was a problem hiding this comment.
Changes to the fs sandbox and import allowlist look good
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
/merge |
|
View all feedbacks in Devflow UI.
The expected merge time in
|
gh-worker-dd-devflow-36fce6
Bot
added
mergequeue-status: queued
mergequeue-status: in_progress
and removed
mergequeue-status: queued
labels
gh-worker-dd-mergequeue-cf854d
Bot
deleted the
dd/implement-test-bracket-builtins
branch
gh-worker-dd-devflow-36fce6
Bot
added
mergequeue-status: done
and removed
mergequeue-status: in_progress
labels
3 participants
What does this PR do?
Implements the POSIX
testand[builtin commands as a newtestcmdpackage. These commands evaluate conditional expressions and return exit code 0 (true), 1 (false), or 2 (syntax error).Also adds
StatFileandLstatFilecapabilities toCallContextbacked by sandboxedos.Root.Stat/os.Root.Lstatoperations, enabling file metadata queries without bypassing the path sandbox.Motivation
The
test/[commands are fundamental POSIX shell builtins needed for conditional logic (e.g.,test -f file && echo exists,[ "$x" = "y" ] && ...). They are essential for AI agent scripts that need to check file existence, compare strings/integers, and make decisions based on conditions.Testing
testcmd_test.go,testcmd_gnu_compat_test.go)/dev/null), path traversal, empty filenames, context timeouts, nested parentheses, and large argument countsgo test ./interp/... ./tests/...go vetclean,gofmtappliedChecklist
PR by Bits
View session in Datadog
Comment @DataDog to request changes