bashrs 6.66.0

Rust-to-Shell transpiler for deterministic bootstrap scripts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254

//! String literal and exec-context validators. Extracted from pipeline.rs.
use super::ValidationLevel;
use crate::models::error::{RashError, RashResult};
impl super::pipeline::ValidationPipeline {
    pub(crate) fn check_dangerous_patterns(s: &str) -> RashResult<()> {
        let dangerous_patterns = [
            ("$(", "Command substitution detected in string literal"),
            (
                "`",
                "Backtick command substitution detected in string literal (SC2006)",
            ),
            ("&& ", "AND operator detected in string literal"),
            ("|| ", "OR operator detected in string literal"),
            (
                "'; ",
                "Quote escape with semicolon detected in string literal",
            ),
            (
                "\"; ",
                "Quote escape with semicolon detected in string literal",
            ),
            ("<<", "Here-doc syntax detected in string literal"),
            ("eval ", "eval command detected in string literal"),
            ("exec ", "exec command detected in string literal"),
        ];

        for (pattern, message) in &dangerous_patterns {
            if s.contains(pattern) {
                return Err(RashError::ValidationError(format!(
                    "{}: '{}'",
                    message,
                    s.chars().take(50).collect::<String>()
                )));
            }
        }
        Ok(())
    }

    /// Check for pipe operator injection, excluding table/formatting strings
    pub(crate) fn check_pipe_injection(s: &str) -> RashResult<()> {
        // Issue #94: Skip pipe check for table/formatting strings
        let is_formatting_string = s.chars().filter(|c| *c == '|').count() > 1
            && !s.contains(';')
            && !s.contains("$(")
            && !s.contains("&&");

        if is_formatting_string || !s.contains("| ") {
            return Ok(());
        }

        let trimmed = s.trim();
        if trimmed.starts_with('|') || trimmed.ends_with('|') {
            return Ok(());
        }

        if let Some(pos) = s.find("| ") {
            let after_pipe = &s[pos + 2..].trim_start();
            if !after_pipe.is_empty()
                && after_pipe.chars().next().is_some_and(|c| c.is_alphabetic())
            {
                return Err(RashError::ValidationError(format!(
                    "Pipe operator detected in string literal: '{}'",
                    s.chars().take(50).collect::<String>()
                )));
            }
        }
        Ok(())
    }

    /// Check for newlines followed by dangerous shell commands
    pub(crate) fn check_newline_injection(s: &str) -> RashResult<()> {
        if !s.contains('\n') && !s.contains('\r') {
            return Ok(());
        }

        let dangerous_starts = ["rm ", "curl ", "wget ", "eval ", "exec ", "bash ", "sh "];
        for line in s.split(&['\n', '\r'][..]) {
            let trimmed = line.trim();
            for start in &dangerous_starts {
                if trimmed.starts_with(start) {
                    return Err(RashError::ValidationError(format!(
                        "Newline followed by dangerous command detected: '{}'",
                        trimmed.chars().take(50).collect::<String>()
                    )));
                }
            }
        }
        Ok(())
    }

    pub(crate) fn validate_function_name(&self, name: &str) -> RashResult<()> {
        if name.is_empty() {
            return Err(RashError::ValidationError(
                "Empty function name".to_string(),
            ));
        }

        // Check for reserved shell builtins that cannot be redefined
        // These are POSIX special builtins and common builtins that cause errors
        let reserved_builtins = [
            "break", "continue", "exit", "return", "shift", "trap", "unset", "export", "readonly",
            "set", "times", "exec", "eval", ".", ":", "true", "false", "test", "[",
        ];

        if reserved_builtins.contains(&name) {
            return Err(RashError::ValidationError(format!(
                "Function name '{}' is a reserved shell builtin and cannot be redefined",
                name
            )));
        }

        Ok(())
    }

    pub(crate) fn validate_variable_name(&self, name: &str) -> RashResult<()> {
        if name.is_empty() {
            return Err(RashError::ValidationError(
                "Empty variable name".to_string(),
            ));
        }
        if name.contains(char::is_whitespace) {
            return Err(RashError::ValidationError(format!(
                "Variable name '{name}' contains whitespace"
            )));
        }
        Ok(())
    }

    pub(crate) fn validate_binary_expr(
        &self,
        left: &crate::ast::Expr,
        right: &crate::ast::Expr,
    ) -> RashResult<()> {
        self.validate_expr(left)?;
        self.validate_expr(right)?;
        Ok(())
    }

    pub(crate) fn validate_function_call(
        &self,
        name: &str,
        args: &[crate::ast::Expr],
    ) -> RashResult<()> {
        if name.is_empty() {
            return Err(RashError::ValidationError(
                "Empty function name".to_string(),
            ));
        }

        // Issue #95: exec() arguments ARE meant to be shell commands
        // GH-148: capture() arguments are also shell commands (may contain pipes)
        // Skip shell operator validation (|, &&, ||) for these but keep shellshock protection
        let is_exec_context = name == "exec" || name == "capture";

        for arg in args {
            if is_exec_context {
                self.validate_expr_in_exec_context(arg)?;
            } else {
                self.validate_expr(arg)?;
            }
        }
        Ok(())
    }

    /// Validate expression in exec() context - allows shell operators but blocks shellshock
    pub(crate) fn validate_expr_in_exec_context(&self, expr: &crate::ast::Expr) -> RashResult<()> {
        use crate::ast::Expr;

        match expr {
            Expr::Literal(lit) => self.validate_literal_in_exec_context(lit),
            Expr::Variable(name) => self.validate_variable_name(name),
            Expr::Binary { left, right, .. } => {
                self.validate_expr_in_exec_context(left)?;
                self.validate_expr_in_exec_context(right)
            }
            Expr::Unary { operand, .. } => self.validate_expr_in_exec_context(operand),
            Expr::FunctionCall { name, args } => self.validate_function_call(name, args),
            Expr::MethodCall {
                receiver,
                method,
                args,
            } => {
                self.validate_expr_in_exec_context(receiver)?;
                if method.is_empty() {
                    return Err(RashError::ValidationError("Empty method name".to_string()));
                }
                for arg in args {
                    self.validate_expr_in_exec_context(arg)?;
                }
                Ok(())
            }
            Expr::Array(items) => {
                for item in items {
                    self.validate_expr_in_exec_context(item)?;
                }
                Ok(())
            }
            Expr::Index { object, index } => {
                self.validate_expr_in_exec_context(object)?;
                self.validate_expr_in_exec_context(index)
            }
            Expr::Try { expr } => self.validate_expr_in_exec_context(expr),
            Expr::Block(stmts) => self.validate_block_statements(stmts),
            Expr::Range { start, end, .. } => {
                self.validate_expr_in_exec_context(start)?;
                self.validate_expr_in_exec_context(end)
            }
            Expr::PositionalArgs => Ok(()),
        }
    }

    pub(crate) fn validate_literal_in_exec_context(
        &self,
        lit: &crate::ast::restricted::Literal,
    ) -> RashResult<()> {
        use crate::ast::restricted::Literal;

        match lit {
            Literal::Str(s) => self.validate_string_literal_in_exec(s),
            Literal::Bool(_) | Literal::U16(_) | Literal::U32(_) | Literal::I32(_) => Ok(()),
        }
    }

    /// Validate string literal in exec() context - only check for shellshock, allow pipes/operators
    pub(crate) fn validate_string_literal_in_exec(&self, s: &str) -> RashResult<()> {
        if self.level == ValidationLevel::None {
            return Ok(());
        }

        // Still block shellshock-style attacks even in exec context
        if s.contains("() { :; }") {
            return Err(RashError::ValidationError(
                "Shellshock-style function definition detected in exec command".to_string(),
            ));
        }

        // Block command substitution in exec strings (could be injection vector)
        if s.contains("$(") {
            return Err(RashError::ValidationError(format!(
                "Command substitution detected in exec command: '{}'",
                s.chars().take(50).collect::<String>()
            )));
        }

        // Block backtick substitution
        if s.contains('`') {
            return Err(RashError::ValidationError(
                "Backtick command substitution detected in exec command (SC2006)".to_string(),
            ));
        }

        Ok(())
    }
}