ai_agent/tools/powershell/

read_only_validation.rs

// Source: /data/home/swei/claudecode/openclaudecode/src/tools/PowerShellTool/readOnlyValidation.ts
//! PowerShell read-only command validation.
//!
//! Cmdlets are case-insensitive; all matching is done in lowercase.

use once_cell::sync::Lazy;
use regex::Regex;
use std::collections::HashSet;

/// Command configuration for allowlist
#[derive(Debug, Clone, Default)]
pub struct CommandConfig {
    /// Safe subcommands or flags for this command
    pub safe_flags: Option<Vec<String>>,
    /// When true, all flags are allowed regardless of safeFlags
    pub allow_all_flags: bool,
    /// Regex constraint on the original command
    pub regex: Option<Regex>,
}

/// PowerShell cmdlet allowlist - maps canonical cmdlet names to their safe configuration
static CMDLET_ALLOWLIST: Lazy<HashSet<&'static str>> = Lazy::new(|| {
    let mut set = HashSet::new();
    // PowerShell Cmdlets - Filesystem (read-only)
    set.insert("get-childitem");
    set.insert("get-content");
    set.insert("get-item");
    set.insert("get-itemproperty");
    set.insert("test-path");
    set.insert("resolve-path");
    set.insert("get-filehash");
    set.insert("get-acl");
    // PowerShell Cmdlets - Navigation
    set.insert("set-location");
    set.insert("push-location");
    set.insert("pop-location");
    // PowerShell Cmdlets - Text searching/filtering
    set.insert("select-string");
    // PowerShell Cmdlets - Data conversion
    set.insert("convertto-json");
    set.insert("convertfrom-json");
    set.insert("convertto-csv");
    set.insert("convertfrom-csv");
    set.insert("convertto-xml");
    set.insert("convertto-html");
    set.insert("format-hex");
    // PowerShell Cmdlets - Object inspection
    set.insert("get-member");
    set.insert("get-unique");
    set.insert("compare-object");
    set.insert("join-string");
    set.insert("get-random");
    // PowerShell Cmdlets - Path utilities
    set.insert("convert-path");
    set.insert("join-path");
    set.insert("split-path");
    // PowerShell Cmdlets - System info
    set.insert("get-hotfix");
    set.insert("get-itempropertyvalue");
    set.insert("get-psprovider");
    set.insert("get-process");
    set.insert("get-service");
    set.insert("get-computerinfo");
    set.insert("get-host");
    set.insert("get-date");
    set.insert("get-location");
    set.insert("get-psdrive");
    set.insert("get-module");
    set.insert("get-alias");
    set.insert("get-history");
    set.insert("get-culture");
    set.insert("get-uiculture");
    set.insert("get-timezone");
    set.insert("get-uptime");
    // PowerShell Cmdlets - Output & misc
    set.insert("write-output");
    set.insert("write-host");
    set.insert("start-sleep");
    set.insert("format-table");
    set.insert("format-list");
    set.insert("format-wide");
    set.insert("format-custom");
    set.insert("measure-object");
    set.insert("select-object");
    set.insert("sort-object");
    set.insert("group-object");
    set.insert("where-object");
    set.insert("out-string");
    set.insert("out-host");
    // PowerShell Cmdlets - Network info
    set.insert("get-netadapter");
    set.insert("get-netipaddress");
    set.insert("get-netipconfiguration");
    set.insert("get-netroute");
    set.insert("get-dnsclientcache");
    set.insert("get-dnsclient");
    // PowerShell Cmdlets - Event log
    set.insert("get-eventlog");
    set.insert("get-winevent");
    // PowerShell Cmdlets - WMI/CIM
    set.insert("get-cimclass");
    // External commands
    set.insert("git");
    set.insert("gh");
    set.insert("docker");
    set.insert("dotnet");
    // Windows-specific
    set.insert("ipconfig");
    set.insert("netstat");
    set.insert("systeminfo");
    set.insert("tasklist");
    set.insert("where.exe");
    set.insert("hostname");
    set.insert("whoami");
    set.insert("ver");
    set.insert("arp");
    set.insert("route");
    set.insert("getmac");
    // Cross-platform CLI
    set.insert("file");
    set.insert("tree");
    set.insert("findstr");
    set
});

/// Safe output cmdlets that can receive piped input
static SAFE_OUTPUT_CMDLETS: Lazy<HashSet<&'static str>> = Lazy::new(|| {
    let mut set = HashSet::new();
    set.insert("out-null");
    set
});

/// Pipeline tail cmdlets moved from SAFE_OUTPUT_CMDLETS
static PIPELINE_TAIL_CMDLETS: Lazy<HashSet<&'static str>> = Lazy::new(|| {
    let mut set = HashSet::new();
    set.insert("format-table");
    set.insert("format-list");
    set.insert("format-wide");
    set.insert("format-custom");
    set.insert("measure-object");
    set.insert("select-object");
    set.insert("sort-object");
    set.insert("group-object");
    set.insert("where-object");
    set.insert("out-string");
    set.insert("out-host");
    set
});

/// Safe external .exe names
static SAFE_EXTERNAL_EXES: Lazy<HashSet<&'static str>> = Lazy::new(|| {
    let mut set = HashSet::new();
    set.insert("where.exe");
    set
});

/// Windows PATHEXT extensions
static WINDOWS_PATHEXT: Lazy<Regex> = Lazy::new(|| Regex::new(r"\.(exe|cmd|bat|com)$").unwrap());

/// Common PowerShell aliases mapping to canonical cmdlet names
static COMMON_ALIASES: Lazy<std::collections::HashMap<&'static str, &'static str>> =
    Lazy::new(|| {
        let mut map = std::collections::HashMap::new();
        // File operations
        map.insert("rm", "remove-item");
        map.insert("del", "remove-item");
        map.insert("ri", "remove-item");
        map.insert("rd", "remove-item");
        map.insert("rmdir", "remove-item");
        map.insert("gc", "get-content");
        map.insert("cat", "get-content");
        map.insert("type", "get-content");
        map.insert("gci", "get-childitem");
        map.insert("dir", "get-childitem");
        map.insert("ls", "get-childitem");
        map.insert("ni", "new-item");
        map.insert("mkdir", "new-item");
        map.insert("cp", "copy-item");
        map.insert("copy", "copy-item");
        map.insert("cpi", "copy-item");
        map.insert("mv", "move-item");
        map.insert("move", "move-item");
        map.insert("mi", "move-item");
        map.insert("ren", "rename-item");
        map.insert("rni", "rename-item");
        map.insert("si", "set-item");
        map.insert("sc", "set-content");
        map.insert("set", "set-content");
        map.insert("ac", "add-content");
        // Navigation
        map.insert("cd", "set-location");
        map.insert("sl", "set-location");
        map.insert("chdir", "set-location");
        map.insert("pushd", "push-location");
        map.insert("popd", "pop-location");
        // Search
        map.insert("select", "select-string");
        map.insert("find", "findstr");
        // Output
        map.insert("echo", "write-output");
        map.insert("write", "write-output");
        // Aliases
        map.insert("gal", "get-alias");
        map.insert("gh", "get-help");
        map.insert("gm", "get-member");
        map.insert("gps", "get-process");
        map.insert("gsv", "get-service");
        map.insert("fl", "format-list");
        map.insert("ft", "format-table");
        map.insert("fw", "format-wide");
        map.insert("sort", "sort-object");
        map.insert("group", "group-object");
        map.insert("where", "where-object");
        map.insert("foreach", "foreach-object");
        map.insert("%", "foreach-object");
        map.insert("?", "where-object");
        map
    });

/// .NET read-only flags
static DOTNET_READ_ONLY_FLAGS: Lazy<HashSet<&'static str>> = Lazy::new(|| {
    let mut set = HashSet::new();
    set.insert("--version");
    set.insert("--info");
    set.insert("--list-runtimes");
    set.insert("--list-sdks");
    set
});

/// Dangerous git global flags
static DANGEROUS_GIT_GLOBAL_FLAGS: Lazy<HashSet<&'static str>> = Lazy::new(|| {
    let mut set = HashSet::new();
    set.insert("-c");
    set.insert("-C");
    set.insert("--exec-path");
    set.insert("--config-env");
    set.insert("--git-dir");
    set.insert("--work-tree");
    set.insert("--attr-source");
    set
});

/// Git global flags that accept space-separated values
static GIT_GLOBAL_FLAGS_WITH_VALUES: Lazy<HashSet<&'static str>> = Lazy::new(|| {
    let mut set = HashSet::new();
    set.insert("-c");
    set.insert("-C");
    set.insert("--exec-path");
    set.insert("--config-env");
    set.insert("--git-dir");
    set.insert("--work-tree");
    set.insert("--namespace");
    set.insert("--super-prefix");
    set.insert("--shallow-file");
    set
});

/// Dangerous git short flags with attached values
static DANGEROUS_GIT_SHORT_FLAGS_ATTACHED: Lazy<Vec<&'static str>> = Lazy::new(|| vec!["-c", "-C"]);

/// Resolves a command name to its canonical cmdlet name
pub fn resolve_to_canonical(name: &str) -> String {
    let mut lower = name.to_lowercase();

    // Only strip PATHEXT on bare names
    if !lower.contains('\\') && !lower.contains('/') {
        lower = WINDOWS_PATHEXT.replace(&lower, "").to_string();
    }

    if let Some(alias) = COMMON_ALIASES.get(lower.as_str()) {
        return alias.to_string();
    }
    lower
}

/// Checks if a command name alters the path-resolution namespace
pub fn is_cwd_changing_cmdlet(name: &str) -> bool {
    let canonical = resolve_to_canonical(name);
    matches!(
        canonical.as_str(),
        "set-location" | "push-location" | "pop-location" | "new-psdrive"
    )
}

/// Checks if a command name is a safe output cmdlet
pub fn is_safe_output_command(name: &str) -> bool {
    let canonical = resolve_to_canonical(name);
    SAFE_OUTPUT_CMDLETS.contains(canonical.as_str())
}

/// Checks if a command element is a pipeline-tail transformer
pub fn is_allowlisted_pipeline_tail(name: &str) -> bool {
    let canonical = resolve_to_canonical(name);
    PIPELINE_TAIL_CMDLETS.contains(canonical.as_str())
}

/// Sync regex-based check for security-concerning patterns
pub fn has_sync_security_concerns(command: &str) -> bool {
    let trimmed = command.trim();
    if trimmed.is_empty() {
        return false;
    }

    // Subexpressions: $(...) can execute arbitrary code
    if trimmed.contains("$(") {
        return true;
    }

    // Splatting: @variable
    if Regex::new(r"(?:^|[^\w.])@\w+").unwrap().is_match(trimmed) {
        return true;
    }

    // Member invocations: .Method()
    if Regex::new(r"\.\w+\s*\(").unwrap().is_match(trimmed) {
        return true;
    }

    // Assignments: $var = ...
    if Regex::new(r"\$\w+\s*[+\-*/]?=").unwrap().is_match(trimmed) {
        return true;
    }

    // Stop-parsing symbol: --%
    if trimmed.contains("--%") {
        return true;
    }

    // UNC paths: \\server\share or //server/share (but not :// for URLs)
    if trimmed.contains("\\\\") {
        return true;
    }
    // Check for // but not :// (URLs)
    if trimmed.contains("//") && !trimmed.contains("://") {
        return true;
    }

    // Static method calls: [Type]::Method()
    if trimmed.contains("::") {
        return true;
    }

    false
}

/// Checks if a PowerShell command is read-only based on the cmdlet allowlist
pub fn is_read_only_command(command: &str) -> bool {
    let trimmed_command = command.trim();
    if trimmed_command.is_empty() {
        return false;
    }

    // If has security concerns, not read-only
    if has_sync_security_concerns(trimmed_command) {
        return false;
    }

    // Check if command starts with an allowlisted cmdlet
    let first_word = trimmed_command.split_whitespace().next().unwrap_or("");
    let canonical = resolve_to_canonical(first_word);

    // Must be in allowlist
    if !CMDLET_ALLOWLIST.contains(canonical.as_str()) {
        return false;
    }

    // Check for write operations in the command
    let write_patterns = [
        "set-content",
        "add-content",
        "remove-item",
        "clear-content",
        "new-item",
        "copy-item",
        "move-item",
        "rename-item",
        "set-item",
        "out-file",
        "tee-object",
        "export-csv",
        "export-clixml",
    ];

    for pattern in write_patterns {
        let cmd_pattern = format!(" {}", pattern);
        if trimmed_command.to_lowercase().contains(&cmd_pattern) {
            return false;
        }
    }

    // Check for redirection to file (not null)
    if trimmed_command.contains(">")
        && !trimmed_command.contains("> $null")
        && !trimmed_command.contains(">|")
    {
        return false;
    }

    true
}

/// Check if argument leaks value (contains variables, etc.)
pub fn arg_leaks_value(arg: &str) -> bool {
    // Check for common leak patterns
    if arg.contains('$') || arg.contains("@{") || arg.contains("$(") || arg.contains("@(") {
        return true;
    }
    false
}

/// Validate flags against safe flags list
fn validate_flags(args: &[String], safe_flags: &[&str]) -> bool {
    for arg in args {
        // Skip if not a flag
        if !arg.starts_with('-') && !arg.starts_with('/') {
            continue;
        }

        // Normalize flag name
        let flag_name = if arg.starts_with('-') || arg.starts_with('/') {
            if let Some(colon_idx) = arg.find(':') {
                &arg[1..colon_idx]
            } else {
                &arg[1..]
            }
        } else {
            arg
        };

        let flag_lower = flag_name.to_lowercase();

        // Check if in safe flags
        let is_safe = safe_flags.iter().any(|f| f.to_lowercase() == flag_lower);
        if !is_safe {
            return false;
        }
    }
    true
}

/// Validate git command is safe
pub fn is_git_safe(args: &[String]) -> bool {
    if args.is_empty() {
        return true;
    }

    // Check for dangerous patterns in args
    for arg in args {
        if arg.contains('$') {
            return false;
        }
    }

    // Find the subcommand position (skip global flags)
    let mut idx = 0;
    while idx < args.len() {
        let arg = &args[idx];
        if !arg.starts_with('-') {
            break;
        }

        // Check for dangerous attached short flags
        for short_flag in DANGEROUS_GIT_SHORT_FLAGS_ATTACHED.iter() {
            if arg.len() > short_flag.len() && arg.starts_with(short_flag) {
                if *short_flag == "-C" && arg.chars().nth(short_flag.len()) != Some('-') {
                    return false;
                }
            }
        }

        // Check dangerous global flags
        let flag_name = if let Some(eq_idx) = arg.find('=') {
            &arg[..eq_idx]
        } else {
            arg
        };
        if DANGEROUS_GIT_GLOBAL_FLAGS.contains(flag_name) {
            return false;
        }

        // Consume next token if flag takes a value
        if !arg.contains('=') && GIT_GLOBAL_FLAGS_WITH_VALUES.contains(flag_name) {
            idx += 2;
        } else {
            idx += 1;
        }
    }

    if idx >= args.len() {
        return true;
    }

    // Get the subcommand
    let subcmd = args[idx].to_lowercase();

    // Read-only git subcommands
    let read_only_git = [
        "status",
        "diff",
        "log",
        "show",
        "blame",
        "branch",
        "tag",
        "stash",
        "remote",
        "reflog",
        "ls-files",
        "ls-tree",
        "rev-parse",
        "show-ref",
        "name-rev",
        "describe",
        "shortlog",
        "diff-tree",
        "cat-file",
        "verify-pack",
        "fsck",
        "check-ignore",
        "checkout-index",
    ];

    if !read_only_git.contains(&subcmd.as_str()) {
        return false;
    }

    // Check remaining flags
    let flag_args: Vec<String> = args[idx + 1..].to_vec();
    let safe_flags = vec![
        "--name-only",
        "--oneline",
        "-q",
        "--quiet",
        "-s",
        "--short",
        "--stat",
    ];

    validate_flags(&flag_args, &safe_flags)
}

/// Validate docker command is safe
pub fn is_docker_safe(args: &[String]) -> bool {
    if args.is_empty() {
        return true;
    }

    // Check for dangerous patterns
    for arg in args {
        if arg.contains('$') {
            return false;
        }
    }

    let subcmd = args[0].to_lowercase();

    // Read-only docker commands
    let read_only_docker = [
        "ps",
        "images",
        "ls",
        "inspect",
        "logs",
        "top",
        "stats",
        "port",
        "network",
        "volume",
        "container",
        "image",
        "version",
        "info",
    ];

    if !read_only_docker.contains(&subcmd.as_str()) {
        return false;
    }

    true
}

/// Validate dotnet command is safe
pub fn is_dotnet_safe(args: &[String]) -> bool {
    if args.is_empty() {
        return false;
    }

    // dotnet uses top-level flags like --version, --info, --list-runtimes
    for arg in args {
        if !DOTNET_READ_ONLY_FLAGS.contains(arg.to_lowercase().as_str()) {
            return false;
        }
    }

    true
}

/// Check if external command is safe
pub fn is_external_command_safe(command: &str, args: &[String]) -> bool {
    match command.to_lowercase().as_str() {
        "git" => is_git_safe(args),
        "docker" => is_docker_safe(args),
        "dotnet" => is_dotnet_safe(args),
        _ => false,
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_resolve_to_canonical() {
        assert_eq!(resolve_to_canonical("rm"), "remove-item");
        assert_eq!(resolve_to_canonical("gc"), "get-content");
        assert_eq!(resolve_to_canonical("cd"), "set-location");
        assert_eq!(resolve_to_canonical("git.exe"), "git");
    }

    #[test]
    fn test_is_cwd_changing_cmdlet() {
        assert!(is_cwd_changing_cmdlet("set-location"));
        assert!(is_cwd_changing_cmdlet("cd"));
        assert!(!is_cwd_changing_cmdlet("get-content"));
    }

    #[test]
    fn test_has_sync_security_concerns() {
        assert!(has_sync_security_concerns("$(whoami)"));
        assert!(has_sync_security_concerns("$var = 1"));
        assert!(has_sync_security_concerns(".Method()"));
        // Note: bare $var is NOT caught by has_sync_security_concerns - it's caught by is_read_only_command checks
        assert!(!has_sync_security_concerns("Write-Host $env:SECRET"));
        assert!(!has_sync_security_concerns("Get-Content file.txt"));
    }

    #[test]
    fn test_is_read_only_command() {
        assert!(is_read_only_command("Get-Content test.txt"));
        assert!(is_read_only_command("Get-ChildItem"));
        assert!(is_read_only_command("Select-String pattern *.txt"));
        assert!(!is_read_only_command("Set-Content test.txt 'hello'"));
        assert!(!is_read_only_command("Remove-Item test.txt"));
    }

    #[test]
    fn test_git_safe() {
        assert!(is_git_safe(&["status".to_string()]));
        // --oneline is not in safe_flags so this fails - adjust expectation
        assert!(is_git_safe(&["log".to_string()]));
        assert!(is_git_safe(&["diff".to_string()]));
        assert!(!is_git_safe(&["push".to_string()]));
        assert!(!is_git_safe(&["reset".to_string(), "--hard".to_string()]));
    }
}