S2 of the 2.1.181 upgrade. Schemas verified verbatim against the official
slash-commands and hooks docs before editing (a first-pass camelCase
'disallowedTools' claim was caught and corrected to kebab-case against the doc).
- CC-14 (SHIP): migrate all 7 hooks in hooks/hooks.json to exec-form
{command:"node", args:["${CLAUDE_PLUGIN_ROOT}/hooks/scripts/X.mjs"]}. Doc
recommends exec-form whenever a hook references a path placeholder; protects
consumers installing under a path with spaces. ${CLAUDE_PLUGIN_ROOT}
interpolates inside args (verified). hooks-json-stop-wired test made
form-agnostic (normalizes command+args to one invocation string).
- CC-11 (SHIP): add `disallowed-tools: Agent, TeamCreate` to trekexecute
frontmatter, enforcing its documented "No Agent tool, no TeamCreate" rule.
allowed-tools grants auto-approval but does NOT remove tools from the pool,
so the prior omission left Agent callable; disallowed-tools removes it.
trekexecute is the only command with a documented exclusion.
- CC-15 (DECIDE: keep universal): re-affirm F2 deferral. pre-bash/pre-write
executors stay universal -- session-agnostic safety (rm -rf /, ~/.ssh, .env)
that narrowing to execute-only would only weaken. Header comments corrected.
- CC-10 (DECIDE: design note, no code): no blanket Agent(model:opus) deny rule
-- would break balanced/economy profiles; any model-enforcement must be
profile-aware, deferred into W2. Folded into open question #3.
Matrix updated with S2 resolutions section. Tests 578 pass / 0 fail / 2 skip;
claude plugin validate passes (only pre-existing root-CLAUDE.md warning).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LqBYc8Ltrk7LipyJmGxXiB
251 lines
8.8 KiB
JavaScript
251 lines
8.8 KiB
JavaScript
#!/usr/bin/env node
|
|
// Hook: pre-bash-executor.mjs
|
|
// Event: PreToolUse (Bash)
|
|
// Purpose: Block or warn about destructive shell commands. Wired universally
|
|
// (every Voyage session, not just execution) by deliberate decision — these
|
|
// are session-agnostic safety rails (rm -rf /, fork bombs, …). The CC if:
|
|
// path-scoping mechanism now works, but narrowing to execute-only would only
|
|
// weaken protection with no offsetting benefit. See cc-upgrade matrix CC-15/F2.
|
|
//
|
|
// Protocol:
|
|
// - Read JSON from stdin: { tool_name, tool_input }
|
|
// - tool_input.command — the shell command string
|
|
// - BLOCK (exit 2): catastrophic/irreversible operations
|
|
// - WARN (exit 0): risky but recoverable operations — advisory to stderr
|
|
// - Allow (exit 0): everything else
|
|
//
|
|
// Based on llm-security's pre-bash-destructive.mjs with executor-specific additions.
|
|
// bash-normalize logic copied inline (MIT) — cannot import from separate plugin.
|
|
|
|
import { readFileSync } from 'node:fs';
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Bash normalization (from llm-security/scanners/lib/bash-normalize.mjs)
|
|
// Strips bash evasion techniques: empty quotes, ${} expansion, backslash splitting.
|
|
// ---------------------------------------------------------------------------
|
|
function normalizeBashExpansion(cmd) {
|
|
if (!cmd || typeof cmd !== 'string') return cmd || '';
|
|
|
|
let result = cmd
|
|
// Strip empty single quotes: w''get -> wget
|
|
.replace(/''/g, '')
|
|
// Strip empty double quotes: r""m -> rm
|
|
.replace(/""/g, '')
|
|
// Single-char ${x} -> x (evasion: c${u}rl -> curl, assumes x=x)
|
|
.replace(/\$\{(\w)\}/g, '$1')
|
|
// Multi-char ${ANYTHING} -> '' (unknown value, strip entirely)
|
|
.replace(/\$\{[^}]*\}/g, '')
|
|
// Strip backtick subshell with empty/whitespace content
|
|
.replace(/`\s*`/g, '');
|
|
|
|
// Iteratively strip backslash between word chars (c\u\r\l needs 2 passes)
|
|
let prev;
|
|
do {
|
|
prev = result;
|
|
result = result.replace(/(\w)\\(\w)/g, '$1$2');
|
|
} while (result !== prev);
|
|
|
|
return result;
|
|
}
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// BLOCK rules — exit 2, command is not executed.
|
|
// ---------------------------------------------------------------------------
|
|
const BLOCK_RULES = [
|
|
{
|
|
name: 'Filesystem root/home destruction (rm -rf /)',
|
|
// Matches rm with both -r and -f flags targeting /, ~, or $HOME.
|
|
// Uses (?:\s|$) instead of \b because / and ~ are non-word chars.
|
|
pattern: /\brm\s+(?:-[a-zA-Z]*f[a-zA-Z]*\s+|--force\s+)*-[a-zA-Z]*r[a-zA-Z]*\s+(?:\/|~|\$HOME)(?:\s|$)/,
|
|
description:
|
|
'`rm -rf /`, `rm -rf ~`, and `rm -rf $HOME` would destroy the filesystem ' +
|
|
'or home directory. Unconditionally blocked.',
|
|
},
|
|
{
|
|
name: 'World-writable chmod (chmod 777)',
|
|
pattern: /\bchmod\s+(?:-[a-zA-Z]+\s+)*777\b/,
|
|
description:
|
|
'`chmod 777` grants full read/write/execute to all users. ' +
|
|
'Use minimal permissions (e.g. 644, 755).',
|
|
},
|
|
{
|
|
name: 'Pipe-to-shell (curl|bash, wget|sh)',
|
|
pattern: /(?:curl|wget)\b[^|]*\|\s*(?:bash|sh|zsh|ksh|dash)\b/,
|
|
description:
|
|
'Piping remote content into a shell allows arbitrary remote code execution. ' +
|
|
'Download first, review, then execute.',
|
|
},
|
|
{
|
|
name: 'Fork bomb',
|
|
pattern: /:\(\)\s*\{\s*:\s*\|\s*:&\s*\}\s*;?\s*:/,
|
|
description: 'Fork bomb — exhausts system process resources. Blocked.',
|
|
},
|
|
{
|
|
name: 'Filesystem format (mkfs)',
|
|
pattern: /\bmkfs(?:\.[a-z0-9]+)?\s/,
|
|
description: '`mkfs` formats a filesystem, destroying all data. Blocked.',
|
|
},
|
|
{
|
|
name: 'Raw disk overwrite via dd',
|
|
pattern: /\bdd\b[^&|;]*\bof=\/dev\/(?:sd|nvme|hd|vd|xvd|mmcblk)[a-z0-9]*/,
|
|
description: '`dd` writing to a raw block device destroys disk data. Blocked.',
|
|
},
|
|
{
|
|
name: 'Direct device write (> /dev/sd*)',
|
|
pattern: />\s*\/dev\/(?:sd|nvme|hd|vd|xvd|mmcblk)[a-z0-9]*/,
|
|
description: 'Shell redirection to a block device destroys disk data. Blocked.',
|
|
},
|
|
{
|
|
name: 'eval with variable/command expansion',
|
|
pattern: /\beval\s+(?:`|\$[\({]|"[^"]*\$)/,
|
|
description:
|
|
'`eval` with variable or command substitution is a code injection vector. ' +
|
|
'Refactor to use explicit commands.',
|
|
},
|
|
// --- Executor-specific additions ---
|
|
{
|
|
name: 'System shutdown/reboot',
|
|
pattern: /\b(?:shutdown|reboot|halt|poweroff)\b/,
|
|
description: 'System shutdown/reboot commands are blocked during execution.',
|
|
},
|
|
{
|
|
name: 'Cron persistence',
|
|
pattern: /\bcrontab\b|>\s*\/etc\/cron/,
|
|
description:
|
|
'Writing to crontab or /etc/cron* creates persistent scheduled tasks. ' +
|
|
'Blocked during execution.',
|
|
},
|
|
{
|
|
name: 'Base64-encoded execution',
|
|
pattern: /\bbase64\b[^|]*\|\s*(?:bash|sh|zsh)\b/,
|
|
description: 'Base64-decoded content piped to shell is obfuscated code execution. Blocked.',
|
|
},
|
|
{
|
|
name: 'Kill all processes (kill -9 -1)',
|
|
pattern: /\b(?:kill|pkill)\s+-9\s+-1\b/,
|
|
description: 'Killing all user processes with signal 9. Blocked.',
|
|
},
|
|
{
|
|
name: 'History destruction',
|
|
pattern: /\bhistory\s+-c\b|>\s*~\/\.bash_history\b|>\s*~\/\.zsh_history\b/,
|
|
description: 'Clearing shell history or truncating history files. Blocked.',
|
|
},
|
|
];
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// WARN rules — exit 0 with advisory message on stderr.
|
|
// ---------------------------------------------------------------------------
|
|
const WARN_RULES = [
|
|
{
|
|
name: 'Force push (git push --force)',
|
|
pattern: /\bgit\s+push\b[^|&;]*(?:--force|-f)\b/,
|
|
description:
|
|
'WARNING: `git push --force` rewrites remote history. Prefer `--force-with-lease`.',
|
|
},
|
|
{
|
|
name: 'Hard reset (git reset --hard)',
|
|
pattern: /\bgit\s+reset\s+--hard\b/,
|
|
description:
|
|
'WARNING: `git reset --hard` permanently discards uncommitted changes.',
|
|
},
|
|
{
|
|
name: 'Recursive remove (rm -rf, non-root)',
|
|
pattern: /\brm\s+(?:-[a-zA-Z]*f[a-zA-Z]*\s+|--force\s+)*-[a-zA-Z]*r[a-zA-Z]*\s+/,
|
|
description:
|
|
'WARNING: `rm -rf` permanently deletes files. Verify the target path.',
|
|
},
|
|
{
|
|
name: 'Docker system prune',
|
|
pattern: /\bdocker\s+system\s+prune\b/,
|
|
description:
|
|
'WARNING: `docker system prune` removes all stopped containers and unused images.',
|
|
},
|
|
{
|
|
name: 'npm publish',
|
|
pattern: /\bnpm\s+publish\b/,
|
|
description:
|
|
'WARNING: `npm publish` releases a package to the public registry.',
|
|
},
|
|
{
|
|
name: 'DROP TABLE or DROP DATABASE (SQL)',
|
|
pattern: /\bDROP\s+(?:TABLE|DATABASE|SCHEMA)\b/i,
|
|
description:
|
|
'WARNING: SQL DROP permanently deletes database objects.',
|
|
},
|
|
{
|
|
name: 'DELETE without WHERE (SQL)',
|
|
pattern: /\bDELETE\s+FROM\s+\w+(?:\s*;|\s*$)/i,
|
|
description:
|
|
'WARNING: DELETE FROM without WHERE deletes all rows.',
|
|
},
|
|
// --- Executor-specific additions ---
|
|
{
|
|
name: 'Dependency installation during execution',
|
|
pattern: /\b(?:npm\s+install\s+--save|pip3?\s+install\s+(?!-e\s+\.)|cargo\s+add)\b/,
|
|
description:
|
|
'WARNING: Installing dependencies during plan execution is unusual. ' +
|
|
'Verify this is intentional.',
|
|
},
|
|
];
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Normalize: strip ANSI, collapse whitespace
|
|
// ---------------------------------------------------------------------------
|
|
function normalizeCommand(cmd) {
|
|
return cmd
|
|
.replace(/\x1B\[[0-9;]*m/g, '')
|
|
.replace(/\s+/g, ' ')
|
|
.trim();
|
|
}
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Main
|
|
// ---------------------------------------------------------------------------
|
|
let input;
|
|
try {
|
|
const raw = readFileSync(0, 'utf-8');
|
|
input = JSON.parse(raw);
|
|
} catch {
|
|
// Cannot parse stdin — fail open.
|
|
process.exit(0);
|
|
}
|
|
|
|
const command = input?.tool_input?.command;
|
|
|
|
if (!command || typeof command !== 'string') {
|
|
process.exit(0);
|
|
}
|
|
|
|
// Strip bash evasion, then normalize whitespace
|
|
const deobfuscated = normalizeBashExpansion(command);
|
|
const normalized = normalizeCommand(deobfuscated);
|
|
|
|
// Check BLOCK rules first
|
|
for (const rule of BLOCK_RULES) {
|
|
if (rule.pattern.test(normalized)) {
|
|
process.stderr.write(
|
|
`[voyage] BLOCKED: ${rule.name}\n` +
|
|
` Command: ${normalized.slice(0, 200)}${normalized.length > 200 ? '...' : ''}\n` +
|
|
` ${rule.description}\n`
|
|
);
|
|
process.exit(2);
|
|
}
|
|
}
|
|
|
|
// Check WARN rules (advisory — still exit 0)
|
|
const warnings = [];
|
|
for (const rule of WARN_RULES) {
|
|
if (rule.pattern.test(normalized)) {
|
|
warnings.push(` [WARN] ${rule.name}: ${rule.description}`);
|
|
}
|
|
}
|
|
|
|
if (warnings.length > 0) {
|
|
process.stderr.write(
|
|
`[voyage] SECURITY ADVISORY: Potentially risky command.\n` +
|
|
` Command: ${normalized.slice(0, 200)}${normalized.length > 200 ? '...' : ''}\n` +
|
|
warnings.join('\n') + '\n'
|
|
);
|
|
}
|
|
|
|
process.exit(0);
|