mirror of
https://github.com/openai/codex.git
synced 2026-05-24 13:04:29 +00:00
4f96001fa7
## Why On Windows, Codex runs shell commands through a top-level `powershell.exe -NoProfile -Command ...` wrapper. `execpolicy` was matching that wrapper instead of the inner command, so prefix rules like `["git", "push"]` did not fire for PowerShell-wrapped commands even though the same normalization already happens for `bash -lc` on Unix. This change makes the Windows shell wrapper transparent to rule matching while preserving the existing Windows unmatched-command safelist and dangerous-command heuristics. ## What changed - add `parse_powershell_command_plain_commands()` in `shell-command/src/powershell.rs` to unwrap the top-level PowerShell `-Command` body with `extract_powershell_command()` and parse it with the existing PowerShell AST parser - update `core/src/exec_policy.rs` so `commands_for_exec_policy()` treats top-level PowerShell wrappers like `bash -lc` and evaluates rules against the parsed inner commands - carry a small `ExecPolicyCommandOrigin` through unmatched-command evaluation and expose `is_safe_powershell_words()` / `is_dangerous_powershell_words()` so Windows safelist and dangerous-command checks still work after unwrap - add Windows-focused tests for wrapped PowerShell prompt/allow matches, wrapper parsing, and unmatched safe/dangerous inner commands, and re-enable the end-to-end `execpolicy_blocks_shell_invocation` test on Windows ## Testing - `cargo test -p codex-shell-command`
220 lines
6.3 KiB
Rust
220 lines
6.3 KiB
Rust
use crate::bash::parse_shell_lc_plain_commands;
|
|
use std::path::Path;
|
|
#[cfg(windows)]
|
|
#[path = "windows_dangerous_commands.rs"]
|
|
mod windows_dangerous_commands;
|
|
|
|
pub fn command_might_be_dangerous(command: &[String]) -> bool {
|
|
#[cfg(windows)]
|
|
{
|
|
if windows_dangerous_commands::is_dangerous_command_windows(command) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
if is_dangerous_to_call_with_exec(command) {
|
|
return true;
|
|
}
|
|
|
|
// Support `bash -lc "<script>"` where the any part of the script might contain a dangerous command.
|
|
if let Some(all_commands) = parse_shell_lc_plain_commands(command)
|
|
&& all_commands
|
|
.iter()
|
|
.any(|cmd| is_dangerous_to_call_with_exec(cmd))
|
|
{
|
|
return true;
|
|
}
|
|
|
|
false
|
|
}
|
|
|
|
/// Returns whether already-tokenized PowerShell words should be treated as
|
|
/// dangerous by the Windows unmatched-command heuristics.
|
|
pub fn is_dangerous_powershell_words(command: &[String]) -> bool {
|
|
#[cfg(windows)]
|
|
{
|
|
windows_dangerous_commands::is_dangerous_powershell_words(command)
|
|
}
|
|
|
|
#[cfg(not(windows))]
|
|
{
|
|
let _ = command;
|
|
false
|
|
}
|
|
}
|
|
|
|
fn is_git_global_option_with_value(arg: &str) -> bool {
|
|
matches!(
|
|
arg,
|
|
"-C" | "-c"
|
|
| "--config-env"
|
|
| "--exec-path"
|
|
| "--git-dir"
|
|
| "--namespace"
|
|
| "--super-prefix"
|
|
| "--work-tree"
|
|
)
|
|
}
|
|
|
|
fn is_git_global_option_with_inline_value(arg: &str) -> bool {
|
|
matches!(
|
|
arg,
|
|
s if s.starts_with("--config-env=")
|
|
|| s.starts_with("--exec-path=")
|
|
|| s.starts_with("--git-dir=")
|
|
|| s.starts_with("--namespace=")
|
|
|| s.starts_with("--super-prefix=")
|
|
|| s.starts_with("--work-tree=")
|
|
) || ((arg.starts_with("-C") || arg.starts_with("-c")) && arg.len() > 2)
|
|
}
|
|
|
|
/// Git global options that can redirect config, repository, or helper lookup
|
|
/// and therefore must never be auto-approved as "safe".
|
|
pub(crate) fn git_global_option_requires_prompt(arg: &str) -> bool {
|
|
matches!(
|
|
arg,
|
|
// `-C` can redirect Git into a repo whose config runs helpers such as
|
|
// `core.fsmonitor` during read-only commands like `status`.
|
|
"-C" | "-c"
|
|
| "--config-env"
|
|
| "--exec-path"
|
|
| "--git-dir"
|
|
| "--namespace"
|
|
| "--super-prefix"
|
|
| "--work-tree"
|
|
) || matches!(
|
|
arg,
|
|
s if ((s.starts_with("-C") || s.starts_with("-c")) && s.len() > 2)
|
|
|| s.starts_with("--config-env=")
|
|
|| s.starts_with("--exec-path=")
|
|
|| s.starts_with("--git-dir=")
|
|
|| s.starts_with("--namespace=")
|
|
|| s.starts_with("--super-prefix=")
|
|
|| s.starts_with("--work-tree=")
|
|
)
|
|
}
|
|
|
|
pub(crate) fn executable_name_lookup_key(raw: &str) -> Option<String> {
|
|
#[cfg(windows)]
|
|
{
|
|
Path::new(raw)
|
|
.file_name()
|
|
.and_then(|name| name.to_str())
|
|
.map(|name| {
|
|
let name = name.to_ascii_lowercase();
|
|
for suffix in [".exe", ".cmd", ".bat", ".com"] {
|
|
if let Some(stripped) = name.strip_suffix(suffix) {
|
|
return stripped.to_string();
|
|
}
|
|
}
|
|
name
|
|
})
|
|
}
|
|
|
|
#[cfg(not(windows))]
|
|
{
|
|
Path::new(raw)
|
|
.file_name()
|
|
.and_then(|name| name.to_str())
|
|
.map(std::borrow::ToOwned::to_owned)
|
|
}
|
|
}
|
|
|
|
/// Find the first matching git subcommand, skipping known global options that
|
|
/// may appear before it (e.g., `-C`, `-c`, `--git-dir`).
|
|
///
|
|
/// Shared with `is_safe_command` to avoid git-global-option bypasses.
|
|
pub(crate) fn find_git_subcommand<'a>(
|
|
command: &'a [String],
|
|
subcommands: &[&str],
|
|
) -> Option<(usize, &'a str)> {
|
|
let cmd0 = command.first().map(String::as_str)?;
|
|
if executable_name_lookup_key(cmd0).as_deref() != Some("git") {
|
|
return None;
|
|
}
|
|
|
|
let mut skip_next = false;
|
|
for (idx, arg) in command.iter().enumerate().skip(1) {
|
|
if skip_next {
|
|
skip_next = false;
|
|
continue;
|
|
}
|
|
|
|
let arg = arg.as_str();
|
|
|
|
if is_git_global_option_with_inline_value(arg) {
|
|
continue;
|
|
}
|
|
|
|
if is_git_global_option_with_value(arg) {
|
|
skip_next = true;
|
|
continue;
|
|
}
|
|
|
|
if arg == "--" || arg.starts_with('-') {
|
|
continue;
|
|
}
|
|
|
|
if subcommands.contains(&arg) {
|
|
return Some((idx, arg));
|
|
}
|
|
|
|
// In git, the first non-option token is the subcommand. If it isn't
|
|
// one of the subcommands we're looking for, we must stop scanning to
|
|
// avoid misclassifying later positional args (e.g., branch names).
|
|
return None;
|
|
}
|
|
|
|
None
|
|
}
|
|
|
|
fn is_dangerous_to_call_with_exec(command: &[String]) -> bool {
|
|
let cmd0 = command.first().map(String::as_str);
|
|
|
|
match cmd0 {
|
|
Some("rm") => matches!(command.get(1).map(String::as_str), Some("-f" | "-rf")),
|
|
|
|
// for sudo <cmd> simply do the check for <cmd>
|
|
Some("sudo") => is_dangerous_to_call_with_exec(&command[1..]),
|
|
|
|
// ── anything else ─────────────────────────────────────────────────
|
|
_ => false,
|
|
}
|
|
}
|
|
|
|
#[cfg(test)]
|
|
mod tests {
|
|
use super::*;
|
|
|
|
fn vec_str(items: &[&str]) -> Vec<String> {
|
|
items.iter().map(std::string::ToString::to_string).collect()
|
|
}
|
|
|
|
#[test]
|
|
fn rm_rf_is_dangerous() {
|
|
assert!(command_might_be_dangerous(&vec_str(&["rm", "-rf", "/"])));
|
|
}
|
|
|
|
#[test]
|
|
fn rm_f_is_dangerous() {
|
|
assert!(command_might_be_dangerous(&vec_str(&["rm", "-f", "/"])));
|
|
}
|
|
|
|
#[test]
|
|
fn git_dash_c_requires_prompt() {
|
|
assert!(git_global_option_requires_prompt("-C"));
|
|
assert!(git_global_option_requires_prompt("-C/path/to/repo"));
|
|
}
|
|
|
|
#[test]
|
|
fn direct_powershell_words_reuse_windows_dangerous_detection() {
|
|
let command = vec_str(&["Remove-Item", "test", "-Force"]);
|
|
|
|
if cfg!(windows) {
|
|
assert!(is_dangerous_powershell_words(&command));
|
|
} else {
|
|
assert!(!is_dangerous_powershell_words(&command));
|
|
}
|
|
}
|
|
}
|