#!/usr/bin/env node // Hook: pre-bash-executor.mjs // Event: PreToolUse (Bash) // Purpose: Block or warn about destructive shell commands during plan execution. // // Protocol: // - Read JSON from stdin: { tool_name, tool_input } // - tool_input.command — the shell command string // - BLOCK (exit 2): catastrophic/irreversible operations // - WARN (exit 0): risky but recoverable operations — advisory to stderr // - Allow (exit 0): everything else // // Based on llm-security's pre-bash-destructive.mjs with executor-specific additions. // bash-normalize logic copied inline (MIT) — cannot import from separate plugin. import { readFileSync } from 'node:fs'; // --------------------------------------------------------------------------- // Bash normalization (from llm-security/scanners/lib/bash-normalize.mjs) // Strips bash evasion techniques: empty quotes, ${} expansion, backslash splitting. // --------------------------------------------------------------------------- function normalizeBashExpansion(cmd) { if (!cmd || typeof cmd !== 'string') return cmd || ''; let result = cmd // Strip empty single quotes: w''get -> wget .replace(/''/g, '') // Strip empty double quotes: r""m -> rm .replace(/""/g, '') // Single-char ${x} -> x (evasion: c${u}rl -> curl, assumes x=x) .replace(/\$\{(\w)\}/g, '$1') // Multi-char ${ANYTHING} -> '' (unknown value, strip entirely) .replace(/\$\{[^}]*\}/g, '') // Strip backtick subshell with empty/whitespace content .replace(/`\s*`/g, ''); // Iteratively strip backslash between word chars (c\u\r\l needs 2 passes) let prev; do { prev = result; result = result.replace(/(\w)\\(\w)/g, '$1$2'); } while (result !== prev); return result; } // --------------------------------------------------------------------------- // BLOCK rules — exit 2, command is not executed. // --------------------------------------------------------------------------- const BLOCK_RULES = [ { name: 'Filesystem root/home destruction (rm -rf /)', // Matches rm with both -r and -f flags targeting /, ~, or $HOME. // Uses (?:\s|$) instead of \b because / and ~ are non-word chars. pattern: /\brm\s+(?:-[a-zA-Z]*f[a-zA-Z]*\s+|--force\s+)*-[a-zA-Z]*r[a-zA-Z]*\s+(?:\/|~|\$HOME)(?:\s|$)/, description: '`rm -rf /`, `rm -rf ~`, and `rm -rf $HOME` would destroy the filesystem ' + 'or home directory. Unconditionally blocked.', }, { name: 'World-writable chmod (chmod 777)', pattern: /\bchmod\s+(?:-[a-zA-Z]+\s+)*777\b/, description: '`chmod 777` grants full read/write/execute to all users. ' + 'Use minimal permissions (e.g. 644, 755).', }, { name: 'Pipe-to-shell (curl|bash, wget|sh)', pattern: /(?:curl|wget)\b[^|]*\|\s*(?:bash|sh|zsh|ksh|dash)\b/, description: 'Piping remote content into a shell allows arbitrary remote code execution. ' + 'Download first, review, then execute.', }, { name: 'Fork bomb', pattern: /:\(\)\s*\{\s*:\s*\|\s*:&\s*\}\s*;?\s*:/, description: 'Fork bomb — exhausts system process resources. Blocked.', }, { name: 'Filesystem format (mkfs)', pattern: /\bmkfs(?:\.[a-z0-9]+)?\s/, description: '`mkfs` formats a filesystem, destroying all data. Blocked.', }, { name: 'Raw disk overwrite via dd', pattern: /\bdd\b[^&|;]*\bof=\/dev\/(?:sd|nvme|hd|vd|xvd|mmcblk)[a-z0-9]*/, description: '`dd` writing to a raw block device destroys disk data. Blocked.', }, { name: 'Direct device write (> /dev/sd*)', pattern: />\s*\/dev\/(?:sd|nvme|hd|vd|xvd|mmcblk)[a-z0-9]*/, description: 'Shell redirection to a block device destroys disk data. Blocked.', }, { name: 'eval with variable/command expansion', pattern: /\beval\s+(?:`|\$[\({]|"[^"]*\$)/, description: '`eval` with variable or command substitution is a code injection vector. ' + 'Refactor to use explicit commands.', }, // --- Executor-specific additions --- { name: 'System shutdown/reboot', pattern: /\b(?:shutdown|reboot|halt|poweroff)\b/, description: 'System shutdown/reboot commands are blocked during execution.', }, { name: 'Cron persistence', pattern: /\bcrontab\b|>\s*\/etc\/cron/, description: 'Writing to crontab or /etc/cron* creates persistent scheduled tasks. ' + 'Blocked during execution.', }, { name: 'Base64-encoded execution', pattern: /\bbase64\b[^|]*\|\s*(?:bash|sh|zsh)\b/, description: 'Base64-decoded content piped to shell is obfuscated code execution. Blocked.', }, { name: 'Kill all processes (kill -9 -1)', pattern: /\b(?:kill|pkill)\s+-9\s+-1\b/, description: 'Killing all user processes with signal 9. Blocked.', }, { name: 'History destruction', pattern: /\bhistory\s+-c\b|>\s*~\/\.bash_history\b|>\s*~\/\.zsh_history\b/, description: 'Clearing shell history or truncating history files. Blocked.', }, ]; // --------------------------------------------------------------------------- // WARN rules — exit 0 with advisory message on stderr. // --------------------------------------------------------------------------- const WARN_RULES = [ { name: 'Force push (git push --force)', pattern: /\bgit\s+push\b[^|&;]*(?:--force|-f)\b/, description: 'WARNING: `git push --force` rewrites remote history. Prefer `--force-with-lease`.', }, { name: 'Hard reset (git reset --hard)', pattern: /\bgit\s+reset\s+--hard\b/, description: 'WARNING: `git reset --hard` permanently discards uncommitted changes.', }, { name: 'Recursive remove (rm -rf, non-root)', pattern: /\brm\s+(?:-[a-zA-Z]*f[a-zA-Z]*\s+|--force\s+)*-[a-zA-Z]*r[a-zA-Z]*\s+/, description: 'WARNING: `rm -rf` permanently deletes files. Verify the target path.', }, { name: 'Docker system prune', pattern: /\bdocker\s+system\s+prune\b/, description: 'WARNING: `docker system prune` removes all stopped containers and unused images.', }, { name: 'npm publish', pattern: /\bnpm\s+publish\b/, description: 'WARNING: `npm publish` releases a package to the public registry.', }, { name: 'DROP TABLE or DROP DATABASE (SQL)', pattern: /\bDROP\s+(?:TABLE|DATABASE|SCHEMA)\b/i, description: 'WARNING: SQL DROP permanently deletes database objects.', }, { name: 'DELETE without WHERE (SQL)', pattern: /\bDELETE\s+FROM\s+\w+(?:\s*;|\s*$)/i, description: 'WARNING: DELETE FROM without WHERE deletes all rows.', }, // --- Executor-specific additions --- { name: 'Dependency installation during execution', pattern: /\b(?:npm\s+install\s+--save|pip3?\s+install\s+(?!-e\s+\.)|cargo\s+add)\b/, description: 'WARNING: Installing dependencies during plan execution is unusual. ' + 'Verify this is intentional.', }, ]; // --------------------------------------------------------------------------- // Normalize: strip ANSI, collapse whitespace // --------------------------------------------------------------------------- function normalizeCommand(cmd) { return cmd .replace(/\x1B\[[0-9;]*m/g, '') .replace(/\s+/g, ' ') .trim(); } // --------------------------------------------------------------------------- // Main // --------------------------------------------------------------------------- let input; try { const raw = readFileSync(0, 'utf-8'); input = JSON.parse(raw); } catch { // Cannot parse stdin — fail open. process.exit(0); } const command = input?.tool_input?.command; if (!command || typeof command !== 'string') { process.exit(0); } // Strip bash evasion, then normalize whitespace const deobfuscated = normalizeBashExpansion(command); const normalized = normalizeCommand(deobfuscated); // Check BLOCK rules first for (const rule of BLOCK_RULES) { if (rule.pattern.test(normalized)) { process.stderr.write( `[voyage] BLOCKED: ${rule.name}\n` + ` Command: ${normalized.slice(0, 200)}${normalized.length > 200 ? '...' : ''}\n` + ` ${rule.description}\n` ); process.exit(2); } } // Check WARN rules (advisory — still exit 0) const warnings = []; for (const rule of WARN_RULES) { if (rule.pattern.test(normalized)) { warnings.push(` [WARN] ${rule.name}: ${rule.description}`); } } if (warnings.length > 0) { process.stderr.write( `[voyage] SECURITY ADVISORY: Potentially risky command.\n` + ` Command: ${normalized.slice(0, 200)}${normalized.length > 200 ? '...' : ''}\n` + warnings.join('\n') + '\n' ); } process.exit(0);