bashrs 6.66.0

Rust-to-Shell transpiler for deterministic bootstrap scripts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

//! Tiny subset of rash AST for formal verification
//!
//! This module defines a minimal subset of the rash AST that is sufficient
//! for basic bootstrap scripts and amenable to formal verification.

use serde::{Deserialize, Serialize};

/// The tiny subset of rash AST nodes
#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
pub enum TinyAst {
    /// Execute a simple command with fixed arguments
    ExecuteCommand {
        /// Command name from a restricted allow-list
        command_name: String,
        /// List of literal string arguments
        args: Vec<String>,
    },

    /// Set an environment variable
    SetEnvironmentVariable {
        /// Variable name (valid POSIX variable name)
        name: String,
        /// Literal string value
        value: String,
    },

    /// Sequential execution of commands
    Sequence {
        /// List of commands to execute in order
        commands: Vec<TinyAst>,
    },

    /// Change the current directory
    ChangeDirectory {
        /// Absolute or simple relative path
        path: String,
    },
}

/// Restricted list of allowed commands for bootstrap scripts
pub const ALLOWED_COMMANDS: &[&str] = &[
    "mkdir",
    "echo",
    "rm",
    "cp",
    "mv",
    "chmod",
    "chown",
    "id",
    "test",
    "wget",
    "curl",
    "tar",
    "gzip",
    "gunzip",
    "sha256sum",
    "sha512sum",
];

impl TinyAst {
    /// Validate that a command is in the allowed list
    pub fn validate_command(command: &str) -> bool {
        ALLOWED_COMMANDS.contains(&command)
    }

    /// Validate a variable name according to POSIX rules
    pub fn validate_variable_name(name: &str) -> bool {
        if name.is_empty() {
            return false;
        }

        // Must start with letter or underscore
        let first_char = name.chars().next().unwrap();
        if !first_char.is_ascii_alphabetic() && first_char != '_' {
            return false;
        }

        // Rest must be alphanumeric or underscore
        name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
    }

    /// Check if the AST node is valid
    pub fn is_valid(&self) -> bool {
        match self {
            TinyAst::ExecuteCommand { command_name, .. } => Self::validate_command(command_name),
            TinyAst::SetEnvironmentVariable { name, .. } => Self::validate_variable_name(name),
            TinyAst::Sequence { commands } => {
                !commands.is_empty() && commands.iter().all(|cmd| cmd.is_valid())
            }
            TinyAst::ChangeDirectory { path } => !path.is_empty() && !path.contains('\0'),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_validate_command() {
        assert!(TinyAst::validate_command("echo"));
        assert!(TinyAst::validate_command("mkdir"));
        assert!(!TinyAst::validate_command("sudo"));
        assert!(!TinyAst::validate_command("eval"));
    }

    #[test]
    fn test_validate_variable_name() {
        assert!(TinyAst::validate_variable_name("PATH"));
        assert!(TinyAst::validate_variable_name("_var"));
        assert!(TinyAst::validate_variable_name("var123"));
        assert!(!TinyAst::validate_variable_name("123var"));
        assert!(!TinyAst::validate_variable_name("var-name"));
        assert!(!TinyAst::validate_variable_name(""));
    }

    #[test]
    fn test_ast_validation() {
        let valid_echo = TinyAst::ExecuteCommand {
            command_name: "echo".to_string(),
            args: vec!["Hello".to_string()],
        };
        assert!(valid_echo.is_valid());

        let invalid_command = TinyAst::ExecuteCommand {
            command_name: "sudo".to_string(),
            args: vec![],
        };
        assert!(!invalid_command.is_valid());

        let valid_var = TinyAst::SetEnvironmentVariable {
            name: "INSTALL_DIR".to_string(),
            value: "/opt/rash".to_string(),
        };
        assert!(valid_var.is_valid());

        let invalid_var = TinyAst::SetEnvironmentVariable {
            name: "install-dir".to_string(),
            value: "/opt/rash".to_string(),
        };
        assert!(!invalid_var.is_valid());
    }
}