fix: deny bash commands with arguments when command name matches rule#9257
Ashwinhegde19 wants to merge 13 commits into anomalyco:dev from
Conversation
fix(security): prevent path traversal via symlinks
…ile.list Resolves a critical vulnerability where symlinks could be used to access files outside the project directory. Implemented `fs.promises.realpath` validation to ensure the actual target path is within the allowed scope. Added regression test in `packages/opencode/test/security/symlink.test.ts`. Fixes anomalyco#101
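The realpath containment check the commit above describes, written out as an added example (not opencode's own code). It resolves both the project root and the requested path through every symlink and then asks whether the resolved target still sits under the resolved root. The helper name `isWithinRoot`, the fixture builder and the sample file names are assumptions made for this demo; the synchronous `fs.realpathSync` is used here so the block runs stand-alone, whereas the commit uses `fs.promises.realpath` inside the file.list tool.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Returns true only if `target`, after resolving every symlink in its path,
// still lies inside the resolved `root`. A nonexistent or dangling target is
// treated as outside. (Hypothetical helper named for this example; the commit
// above applies the same realpath check inside file.list.)
export function isWithinRoot(root: string, target: string): boolean {
  const realRoot = fs.realpathSync(root);
  let realTarget: string;
  try {
    realTarget = fs.realpathSync(target);
  } catch {
    return false;
  }
  const rel = path.relative(realRoot, realTarget);
  if (rel === "") return true; // target is the root itself
  // A relative path whose first segment is ".." (or that is absolute, e.g. a
  // different drive on Windows) has left the root; a file named "..foo" is fine.
  return !path.isAbsolute(rel) && rel.split(path.sep)[0] !== "..";
}

// Constructed fixture for the demo: a project directory holding a regular
// file, a symlink that stays inside the project, a symlink that escapes to a
// file outside it, and a plain "../" traversal for comparison.
export interface Fixture {
  root: string;
  inside: string;
  internalLink: string;
  escapeLink: string;
  dotDot: string;
}

export function buildFixture(): Fixture {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "symlink-demo-"));
  const root = path.join(base, "project");
  fs.mkdirSync(root);
  const outside = path.join(base, "secret.txt");
  fs.writeFileSync(outside, "outside the project\n");
  const inside = path.join(root, "README.md");
  fs.writeFileSync(inside, "inside the project\n");
  const internalLink = path.join(root, "readme-link.md");
  fs.symlinkSync(inside, internalLink);
  const escapeLink = path.join(root, "escape.txt");
  fs.symlinkSync(outside, escapeLink);
  const dotDot = path.join(root, "..", "secret.txt");
  return { root, inside, internalLink, escapeLink, dotDot };
}
```

Resolving the root as well as the target matters: on systems where the temp directory is itself a symlink (macOS's `/var` to `/private/var`), comparing a resolved target against an unresolved root would reject every legitimate file.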
fix(tui): resolve keybind conflicts and missing defaults
…lyco#4997)
- Fix Ctrl+C behavior on Windows: copies selection if present, otherwise clears/exits.
- Resolve Ctrl+A conflict: move `model_provider_list` to `ctrl+alt+m`.
- Fix Navigation: map `ctrl+n`/`ctrl+p` to move down/up and history next/prev.
- Fix Multiline: ensure `shift+return` is mapped to newline.
- Fix Word Navigation: ensure `ctrl+left`/`ctrl+right` are mapped.
- Fix Word Deletion: ensure `alt+d` and `option+delete` are mapped.
Fixes anomalyco#7063
When evaluating bash permissions, the system now checks both:
1. The full command pattern (e.g., 'yarn test')
2. The command name (first word, e.g., 'yarn')
This ensures that when a user configures 'yarn: deny', commands like 'yarn test', 'yarn install', etc. are correctly denied, not just the exact 'yarn' command.
The fix modifies the evaluate() function to extract the first word of bash commands and check if it matches any deny rules, preventing permission bypass via command arguments.
Contributor
The following comment was made by an LLM, it may be inaccurate: Based on my search, I found one potentially related PR:
Related PR Found: PR #6737: "fix: handle redirected_statement treesitter node in bash permissions"
All other results either returned the current PR #9257 itself or unrelated PRs about GitHub actions and other features. The searches did not uncover any other open PRs specifically addressing the issue where denied bash commands with arguments are being incorrectly executed, so this appears to be the first comprehensive fix for issue #7063.
Summary
Fixes #7063 - Permission system allows explicitly denied bash commands to execute
Problem
Commands configured with 'deny' in opencode.json permissions were being executed anyway. Specifically, package managers (yarn, npm, pnpm, npx, pnpx) ran despite being explicitly denied.
Root Cause: When a user configures `"yarn": "deny"`, this creates a rule with pattern `"yarn"`. However, the bash tool sends patterns like `"yarn test"` or `"yarn install"`, which don't match the exact pattern `"yarn"` via `Wildcard.match()`.
Solution
Modified the `evaluate()` function in `packages/opencode/src/permission/next.ts` to add special handling for bash permissions:
This ensures that when a user configures `yarn: deny`, commands like `yarn test`, `yarn install`, etc. are correctly denied.
Changes
- `packages/opencode/src/permission/next.ts`: Added bash-specific command name matching in `evaluate()`
- `packages/opencode/test/permission/next.test.ts`: Added 10 new tests for bash command name matching
Testing
All 92 permission tests pass, including 10 new tests specifically for this fix:
- `yarn test` with `yarn: deny` → now correctly denies
- `npm install` with `npm: deny` → now correctly denies
- `pnpm run build` with `pnpm: deny` → now correctly denies
- `npx create-react-app` with `npx: deny` → now correctly denies
Example Configuration That Now Works
`{ "permissions": { "bash": { "yarn": "deny", "npm": "deny" } } }`
With this fix, `yarn test`, `yarn install`, `npm run build`, etc. will all be correctly denied.
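The evaluation logic described in the commit message and in the PR description above, as an added example that is not opencode's code. It flattens the opencode.json-style config shown in the PR into rules, then evaluates a bash command against them twice: once with the PR's fix (full command pattern and command name are both candidates) and once with the pre-fix behaviour (full pattern only), which is where `yarn test` slipped past `"yarn": "deny"`. Several details are assumptions made for this demo because the page does not show them: `globMatch` is a minimal stand-in for `Wildcard.match`, rules are walked in order with the last match winning, and `"ask"` is the default when nothing matches; the `"git *": "allow"` rule is a constructed addition to the PR's example config.

```typescript
export type Action = "allow" | "deny" | "ask";

export interface Rule {
  permission: string; // e.g. "bash"
  pattern: string;    // e.g. "yarn" or "git *"
  action: Action;
}

export interface PermissionConfig {
  permissions: Record<string, Record<string, Action>>;
}

// Flatten the opencode.json-style shape from the PR into an ordered rule list.
export function rulesFromConfig(config: PermissionConfig): Rule[] {
  const rules: Rule[] = [];
  for (const [permission, patterns] of Object.entries(config.permissions)) {
    for (const [pattern, action] of Object.entries(patterns)) {
      rules.push({ permission, pattern, action });
    }
  }
  return rules;
}

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Minimal glob: "*" matches any run of characters, everything else is literal.
// Assumed stand-in for opencode's Wildcard.match, whose semantics are not shown
// on this page.
export function globMatch(pattern: string, input: string): boolean {
  const re = new RegExp("^" + pattern.split("*").map(escapeRegExp).join(".*") + "$");
  return re.test(input);
}

// First whitespace-separated word of a bash command line, i.e. the command name.
export function commandName(command: string): string {
  return command.trim().split(/\s+/)[0] ?? "";
}

// Walk the rules in order; the last matching rule wins and "ask" is the assumed
// default when nothing matches. With checkCommandName on (the PR's fix) a bash
// rule also matches when its pattern matches just the command name; with it off
// you get the pre-fix behaviour, where "yarn test" never matches pattern "yarn".
export function evaluate(
  rules: Rule[],
  permission: string,
  pattern: string,
  checkCommandName = true,
): Action {
  const candidates =
    permission === "bash" && checkCommandName ? [pattern, commandName(pattern)] : [pattern];
  let result: Action = "ask";
  for (const rule of rules) {
    if (rule.permission !== permission) continue;
    if (candidates.some((c) => globMatch(rule.pattern, c))) result = rule.action;
  }
  return result;
}

// Constructed config: the PR's example plus a wildcard allow rule.
export const SAMPLE_CONFIG: PermissionConfig = {
  permissions: {
    bash: { yarn: "deny", npm: "deny", "git *": "allow" },
  },
};
```

The `yarnpkg install` case in the checks below is the reason the command name is compared as a whole token rather than as a prefix: a deny rule for `yarn` should not silently cover unrelated commands that merely start with the same letters.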