Commit Graph

13 Commits

Author SHA1 Message Date
galz10 459db523e2 fix(core): secure shell execution with AST validation
Replaces simplistic prefix-matching for shell command policies with robust Abstract Syntax Tree (AST) parsing using `bash-parser`.

Previously, policies for shell tools only checked if the command string started with an allowed prefix (e.g., `echo`), allowing trivial bypasses via shell operators like `&&` or `;` (e.g., `echo "ok" && rm -rf /`).

This update secures the execution pipeline by parsing the shell string and validating *every* extracted sub-command against the allowed policies.

Key changes:
- Integrated `bash-parser` to synchronously extract executable commands from pipelines, lists, and subshells.
- Updated `doesToolInvocationMatch` to enforce policy on all extracted sub-commands instead of just the string prefix.
- Enforced `coreTools` validation at execution time within `ShellTool` to prevent bypasses when tools are configured via `settings.json`.
- Updated the CLI `useShellCommandProcessor` to run human-input commands through the AST `PolicyEngine` check before spawning the process.
- Fixed asynchronous test flakiness in the CLI package caused by the new policy enforcement.
2026-03-16 15:07:51 -07:00
nityam 28af4e127f fix: merge duplicate imports in packages/core (3/4) (#20928) 2026-03-04 00:12:59 +00:00
Dev Randalpura f3bbe6e77a fix(core): send shell output to model on cancel (#20501) 2026-03-03 22:10:16 +00:00
Christian Gunderman 7ca3a33f8b Subagent activity UX. (#17570) 2026-03-02 21:04:31 +00:00
Jerop Kipruto 9df604b01b feat(plan): hide plan write and edit operations on plans in Plan Mode (#19012) 2026-02-13 23:15:21 +00:00
Christian Gunderman fd65416a2f Disallow unsafe type assertions (#18688) 2026-02-10 00:10:15 +00:00
Abhi 5566292cc8 refactor(core): extract static concerns from CoreToolScheduler (#15589) 2025-12-26 20:51:39 +00:00
Christian Gunderman 942bcfc61e Disallow redundant typecasts. (#15030) 2025-12-13 01:43:43 +00:00
mistergarrison 2e6d69c9c8 Fix --allowed-tools in non-interactive mode to do substring matching for parity with interactive mode. (#10944)
Co-authored-by: Allen Hutchison <adh@google.com>
2025-10-15 19:44:07 +00:00
mistergarrison d9fdff339a Re-submission: Make --allowed-tools work in non-interactive mode (#10289)
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: matt korwel <matt.korwel@gmail.com>
2025-10-06 19:15:21 +00:00
Gal Zahavi 24c15b9d43 Revert "Make --allowed-tools work in non-interactive mode" (#10006) 2025-09-26 16:22:02 -07:00
mistergarrison e8a065cb9f Make --allowed-tools work in non-interactive mode (#9114)
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
2025-09-26 17:03:35 +00:00
Andrew Garrett 52dae2c583 feat(cli): Add --allowed-tools flag to bypass tool confirmation (#2417) (#6453) 2025-08-26 16:17:43 +00:00