meerkat-tools 0.3.0

Tool validation and dispatch for Meerkat
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304

//! Shell security engine
//!
//! Provides a robust parse-then-validate pipeline for shell commands using
//! POSIX-compliant word splitting and glob pattern matching.

use crate::builtin::shell::config::ShellError;
use globset::{GlobBuilder, GlobSet, GlobSetBuilder};
pub use meerkat_core::types::SecurityMode;

/// POSIX-compliant command invocation
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CommandInvocation {
    /// The executable being called
    pub executable: String,
    /// Arguments passed to the executable
    pub arguments: Vec<String>,
}

impl CommandInvocation {
    /// Parse a raw command string into a structured invocation.
    ///
    /// Fails if the command has malformed shell syntax (e.g., unclosed quotes).
    pub fn parse(raw_command: &str) -> Result<Self, ShellError> {
        let words = shlex::split(raw_command).ok_or_else(|| {
            ShellError::Io(std::io::Error::new(
                std::io::ErrorKind::InvalidInput,
                "Malformed shell command: unclosed quotes or invalid escape sequences",
            ))
        })?;

        if words.is_empty() {
            return Ok(Self {
                executable: String::new(),
                arguments: Vec::new(),
            });
        }

        let mut iter = words.into_iter();
        let executable = iter.next().unwrap_or_default();
        let arguments = iter.collect();

        Ok(Self {
            executable,
            arguments,
        })
    }

    /// Reconstruct a canonicalized command string
    pub fn to_canonical_string(&self) -> String {
        if self.executable.is_empty() {
            return String::new();
        }

        let mut out = shlex::try_quote(&self.executable)
            .map(|q| q.into_owned())
            .unwrap_or_else(|_| self.executable.clone());

        for arg in &self.arguments {
            out.push(' ');
            out.push_str(
                &shlex::try_quote(arg)
                    .map(|q| q.into_owned())
                    .unwrap_or_else(|_| arg.clone()),
            );
        }
        out
    }
}

/// A compiled security policy
pub struct SecurityEngine {
    mode: SecurityMode,
    matcher: Option<GlobSet>,
}

impl SecurityEngine {
    /// Create a new engine from a mode and list of patterns.
    ///
    /// Fails if any glob pattern is invalid.
    pub fn new(mode: SecurityMode, patterns: &[String]) -> Result<Self, ShellError> {
        if mode == SecurityMode::Unrestricted || patterns.is_empty() {
            return Ok(Self {
                mode,
                matcher: None,
            });
        }

        let mut builder = GlobSetBuilder::new();
        for pat in patterns {
            // Use literal_separator(false) to get command-line glob semantics
            // where `*` matches `/` (e.g., `cat *` matches `cat /tmp/foo`)
            let glob = GlobBuilder::new(pat)
                .literal_separator(false)
                .build()
                .map_err(|e| {
                    ShellError::Io(std::io::Error::new(
                        std::io::ErrorKind::InvalidInput,
                        format!("Invalid glob pattern '{}': {}", pat, e),
                    ))
                })?;
            builder.add(glob);
        }

        let matcher = builder.build().map_err(|e| {
            ShellError::Io(std::io::Error::other(format!(
                "Failed to compile security patterns: {}",
                e
            )))
        })?;

        Ok(Self {
            mode,
            matcher: Some(matcher),
        })
    }

    /// Check if a raw command string is allowed by this policy.
    pub fn check(&self, raw_command: &str) -> Result<(), ShellError> {
        if self.mode == SecurityMode::Unrestricted {
            return Ok(());
        }

        let invocation = CommandInvocation::parse(raw_command)?;
        self.check_invocation(&invocation)
    }

    /// Check if a command invocation is allowed by this policy.
    pub fn check_invocation(&self, invocation: &CommandInvocation) -> Result<(), ShellError> {
        if self.mode == SecurityMode::Unrestricted {
            return Ok(());
        }

        if invocation.executable.is_empty() {
            return Ok(());
        }

        // We match against the canonical string to ensure the whole command line is validated.
        // This prevents "command smuggling" via arguments.
        let canonical = invocation.to_canonical_string();

        let is_match = self
            .matcher
            .as_ref()
            .is_some_and(|m| m.is_match(&canonical));

        match self.mode {
            SecurityMode::AllowList => {
                if is_match {
                    Ok(())
                } else {
                    Err(ShellError::BlockedCommand(format!(
                        "Command '{}' does not match any allowed patterns",
                        canonical
                    )))
                }
            }
            SecurityMode::DenyList => {
                if is_match {
                    Err(ShellError::BlockedCommand(format!(
                        "Command '{}' matches a denied pattern",
                        canonical
                    )))
                } else {
                    Ok(())
                }
            }
            SecurityMode::Unrestricted => unreachable!(),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_invocation_parsing() {
        let inv = CommandInvocation::parse("  ls  -la  'my dir'  ").unwrap();
        assert_eq!(inv.executable, "ls");
        assert_eq!(inv.arguments, vec!["-la", "my dir"]);

        // Canonicalization check
        assert_eq!(inv.to_canonical_string(), "ls -la 'my dir'");
    }

    #[test]
    fn test_parsing_failure() {
        let result = CommandInvocation::parse("rm -rf \"unclosed");
        assert!(result.is_err());
    }

    #[test]
    fn test_unrestricted_mode() {
        let engine = SecurityEngine::new(SecurityMode::Unrestricted, &[]).unwrap();
        assert!(engine.check("rm -rf /").is_ok());
    }

    #[test]
    fn test_allow_list() {
        let patterns = vec!["git *".to_string(), "ls".to_string()];
        let engine = SecurityEngine::new(SecurityMode::AllowList, &patterns).unwrap();

        assert!(engine.check("ls").is_ok());
        assert!(engine.check("git status").is_ok());
        assert!(engine.check("git checkout main").is_ok());

        // Blocked: not in list
        assert!(engine.check("rm -rf /").is_err());
        // Blocked: ls with args is not 'ls' exactly
        assert!(engine.check("ls -la").is_err());
    }

    #[test]
    fn test_deny_list() {
        let patterns = vec!["rm -rf /".to_string(), "curl *".to_string()];
        let engine = SecurityEngine::new(SecurityMode::DenyList, &patterns).unwrap();

        assert!(engine.check("ls -la").is_ok());

        // Blocked: denied exactly
        assert!(engine.check("rm -rf /").is_err());
        // Blocked: denied via glob
        assert!(engine.check("curl http://malicious.com").is_err());
    }

    #[test]
    fn test_glob_matches_slashes_in_paths() {
        // Command-line globs should match paths with slashes
        // e.g., `cat *` should match `cat /tmp/foo`
        let patterns = vec!["cat *".to_string()];
        let engine = SecurityEngine::new(SecurityMode::AllowList, &patterns).unwrap();

        // These should all be allowed since `*` should match anything including `/`
        assert!(
            engine.check("cat /tmp/foo").is_ok(),
            "cat * should match cat /tmp/foo"
        );
        assert!(
            engine.check("cat /path/to/file.txt").is_ok(),
            "cat * should match paths with multiple slashes"
        );
        assert!(
            engine.check("cat somefile").is_ok(),
            "cat * should match simple filenames"
        );
    }

    #[test]
    fn test_glob_matches_urls() {
        // Command-line globs should match URLs with slashes
        // e.g., `curl *` should match `curl http://example.com/path`
        let patterns = vec!["curl *".to_string()];
        let engine = SecurityEngine::new(SecurityMode::AllowList, &patterns).unwrap();

        assert!(
            engine.check("curl http://example.com").is_ok(),
            "curl * should match simple URLs"
        );
        assert!(
            engine.check("curl http://example.com/path").is_ok(),
            "curl * should match URLs with paths"
        );
        assert!(
            engine
                .check("curl http://example.com/deep/nested/path")
                .is_ok(),
            "curl * should match URLs with deep paths"
        );
    }

    #[test]
    fn test_deny_list_glob_matches_slashes() {
        // Deny list globs should also match paths with slashes
        let patterns = vec!["rm *".to_string()];
        let engine = SecurityEngine::new(SecurityMode::DenyList, &patterns).unwrap();

        // These should all be denied since `rm *` should match any rm command
        assert!(
            engine.check("rm /etc/passwd").is_err(),
            "rm * should deny rm /etc/passwd"
        );
        assert!(
            engine.check("rm /path/to/file").is_err(),
            "rm * should deny paths with slashes"
        );
    }

    #[test]
    fn test_command_smuggling_prevention() {
        // If someone tries to smuggle: git commit; rm -rf /
        let smuggled = "git commit; rm -rf /";
        let invocation = CommandInvocation::parse(smuggled).unwrap();

        // Shlex will treat ';' as part of the previous word if not separated by space,
        // or as a separate word if it is.
        // In the canonical string, EVERYTHING is quoted.
        let canonical = invocation.to_canonical_string();

        // The resulting string should NOT contain a raw ';' that would be interpreted by a shell.
        // It should look like: 'git' 'commit;' 'rm' '-rf' '/'
        assert!(canonical.contains("'commit;'") || canonical.contains("';'"));
        assert!(!canonical.contains("commit; rm")); // Raw sequence must be broken by quotes
    }
}