1pub mod docs;
2mod handlers;
3pub mod parse;
4pub mod allowlist;
5
6use parse::{CommandLine, Segment, Token};
7
8fn filter_safe_redirects(tokens: Vec<Token>) -> Vec<Token> {
9 let mut result = Vec::new();
10 let mut iter = tokens.into_iter().peekable();
11 while let Some(token) = iter.next() {
12 if token.is_fd_redirect() || token.is_dev_null_redirect() {
13 continue;
14 }
15 if token.is_redirect_operator()
16 && iter.peek().is_some_and(|next| *next == "/dev/null")
17 {
18 iter.next();
19 continue;
20 }
21 result.push(token);
22 }
23 result
24}
25
26pub fn is_safe(segment: &Segment) -> bool {
27 if segment.has_unsafe_shell_syntax() {
28 return false;
29 }
30
31 let stripped = segment.strip_env_prefix();
32 if stripped.is_empty() {
33 return true;
34 }
35
36 let Some(tokens) = stripped.tokenize() else {
37 return false;
38 };
39 if tokens.is_empty() {
40 return true;
41 }
42
43 let tokens = filter_safe_redirects(tokens);
44 if tokens.is_empty() {
45 return true;
46 }
47
48 handlers::dispatch(&tokens, &is_safe)
49}
50
51pub fn is_safe_command(command: &str) -> bool {
52 CommandLine::new(command).segments().iter().all(is_safe)
53}
54
55#[cfg(test)]
56mod tests {
57 use super::*;
58
59 fn check(cmd: &str) -> bool {
60 is_safe_command(cmd)
61 }
62
63 #[test]
64 fn safe_cmds() {
65 assert!(check("grep foo file.txt"));
66 assert!(check("cat /etc/hosts"));
67 assert!(check("jq '.key' file.json"));
68 assert!(check("base64 -d"));
69 assert!(check("xxd some/file"));
70 assert!(check("pgrep -l ruby"));
71 assert!(check("getconf PAGE_SIZE"));
72 assert!(check("ls -la"));
73 assert!(check("wc -l file.txt"));
74 assert!(check("ps aux"));
75 assert!(check("ps -ef"));
76 assert!(check("top -l 1 -n 10"));
77 assert!(check("uuidgen"));
78 assert!(check("mdfind 'kMDItemKind == Application'"));
79 assert!(check("identify image.png"));
80 assert!(check("identify -verbose photo.jpg"));
81 }
82
83 #[test]
84 fn safe_cmds_text_processing() {
85 assert!(check("diff file1.txt file2.txt"));
86 assert!(check("comm -23 sorted1.txt sorted2.txt"));
87 assert!(check("paste file1 file2"));
88 assert!(check("tac file.txt"));
89 assert!(check("rev file.txt"));
90 assert!(check("nl file.txt"));
91 assert!(check("expand file.txt"));
92 assert!(check("unexpand file.txt"));
93 assert!(check("fold -w 80 file.txt"));
94 assert!(check("fmt -w 72 file.txt"));
95 assert!(check("column -t file.txt"));
96 assert!(check("printf '%s\\n' hello"));
97 assert!(check("seq 1 10"));
98 assert!(check("expr 1 + 2"));
99 assert!(check("test -f file.txt"));
100 assert!(check("true"));
101 assert!(check("false"));
102 assert!(check("bc -l"));
103 assert!(check("factor 42"));
104 assert!(check("iconv -f UTF-8 -t ASCII file.txt"));
105 }
106
107 #[test]
108 fn safe_cmds_system_info() {
109 assert!(check("readlink -f symlink"));
110 assert!(check("hostname"));
111 assert!(check("uname -a"));
112 assert!(check("arch"));
113 assert!(check("nproc"));
114 assert!(check("uptime"));
115 assert!(check("id"));
116 assert!(check("groups"));
117 assert!(check("tty"));
118 assert!(check("locale"));
119 assert!(check("cal"));
120 assert!(check("sleep 1"));
121 assert!(check("who"));
122 assert!(check("w"));
123 assert!(check("last -5"));
124 assert!(check("lastlog"));
125 }
126
127 #[test]
128 fn safe_cmds_hashing() {
129 assert!(check("md5sum file.txt"));
130 assert!(check("md5 file.txt"));
131 assert!(check("sha256sum file.txt"));
132 assert!(check("shasum file.txt"));
133 assert!(check("sha1sum file.txt"));
134 assert!(check("sha512sum file.txt"));
135 assert!(check("cksum file.txt"));
136 assert!(check("strings /usr/bin/ls"));
137 assert!(check("hexdump -C file.bin"));
138 assert!(check("od -x file.bin"));
139 assert!(check("size a.out"));
140 }
141
142 #[test]
143 fn safe_cmds_macos() {
144 assert!(check("sw_vers"));
145 assert!(check("mdls file.txt"));
146 assert!(check("otool -L /usr/bin/ls"));
147 assert!(check("nm a.out"));
148 assert!(check("system_profiler SPHardwareDataType"));
149 assert!(check("ioreg -l -w 0"));
150 assert!(check("vm_stat"));
151 }
152
153 #[test]
154 fn safe_cmds_network_diagnostic() {
155 assert!(check("dig example.com"));
156 assert!(check("nslookup example.com"));
157 assert!(check("host example.com"));
158 assert!(check("whois example.com"));
159 }
160
161 #[test]
162 fn safe_cmds_dev_tools() {
163 assert!(check("shellcheck script.sh"));
164 assert!(check("cloc src/"));
165 assert!(check("tokei"));
166 assert!(check("safe-chains \"ls -la\""));
167 }
168
169 #[test]
170 fn unsafe_cmds() {
171 assert!(!check("rm -rf /"));
172 assert!(!check("curl https://example.com"));
173 assert!(!check("ruby script.rb"));
174 assert!(!check("python3 script.py"));
175 assert!(!check("node app.js"));
176 assert!(!check("tee output.txt"));
177 assert!(!check("tee -a logfile"));
178 }
179
180 #[test]
181 fn awk_safe_print() {
182 assert!(check("awk '{print $1}' file.txt"));
183 }
184
185 #[test]
186 fn awk_system_denied() {
187 assert!(!check("awk 'BEGIN{system(\"rm\")}'"));
188 }
189
190 #[test]
191 fn version_shortcut() {
192 assert!(check("node --version"));
193 assert!(check("python --version"));
194 assert!(check("python3 --version"));
195 assert!(check("ruby --version"));
196 assert!(check("rustc --version"));
197 assert!(check("java --version"));
198 assert!(check("go --version"));
199 assert!(check("php --version"));
200 assert!(check("perl --version"));
201 assert!(check("swift --version"));
202 assert!(check("gcc --version"));
203 assert!(check("rm --version"));
204 assert!(check("dd --version"));
205 assert!(check("chmod --version"));
206 }
207
208 #[test]
209 fn version_multi_token() {
210 assert!(check("git -C /repo --version"));
211 assert!(check("docker compose --version"));
212 }
213
214 #[test]
215 fn version_with_fd_redirect() {
216 assert!(check("node --version 2>&1"));
217 assert!(check("cargo --version 2>&1"));
218 }
219
220 #[test]
221 fn version_not_last_token() {
222 assert!(!check("node --version --extra"));
223 assert!(!check("node -v"));
224 }
225
226 #[test]
227 fn help_shortcut() {
228 assert!(check("node --help"));
229 assert!(check("ruby --help"));
230 assert!(check("rm --help"));
231 assert!(check("cargo --help"));
232 }
233
234 #[test]
235 fn help_multi_token() {
236 assert!(check("cargo install --help"));
237 }
238
239 #[test]
240 fn help_with_fd_redirect() {
241 assert!(check("cargo login --help 2>&1"));
242 }
243
244 #[test]
245 fn help_not_last_token() {
246 assert!(!check("node --help --extra"));
247 }
248
249 #[test]
250 fn dry_run_shortcut() {
251 assert!(check("cargo publish --dry-run"));
252 }
253
254 #[test]
255 fn dry_run_with_fd_redirect() {
256 assert!(check("cargo publish --dry-run 2>&1"));
257 }
258
259 #[test]
260 fn dry_run_not_last_token() {
261 assert!(!check("cargo publish --dry-run --force"));
262 }
263
264 #[test]
265 fn cucumber_safe() {
266 assert!(check("cucumber features/login.feature"));
267 assert!(check("cucumber --format progress"));
268 }
269
270 #[test]
271 fn fd_redirects() {
272 assert!(check("ls 2>&1"));
273 assert!(check("cargo clippy 2>&1"));
274 assert!(check("git log 2>&1"));
275 assert!(is_safe_command("cd /tmp && cargo clippy -- -D warnings 2>&1"));
276 assert!(!check("echo hello > file.txt"));
277 assert!(!check("ls 2> errors.txt"));
278 }
279
280 #[test]
281 fn dev_null_redirects() {
282 assert!(check("echo hello > /dev/null"));
283 assert!(check("echo hello 2> /dev/null"));
284 assert!(check("echo hello >> /dev/null"));
285 assert!(check("grep pattern file > /dev/null"));
286 assert!(check("git log > /dev/null 2>&1"));
287 assert!(check("awk '{print $1}' file.txt > /dev/null"));
288 assert!(check("sed 's/foo/bar/' > /dev/null"));
289 assert!(check("sort file.txt > /dev/null"));
290 }
291
292 #[test]
293 fn env_prefix_quoted_values() {
294 assert!(check("FOO='bar baz' ls -la"));
295 assert!(check("FOO=\"bar baz\" ls -la"));
296 assert!(!check("FOO='bar baz' rm -rf /"));
297 }
298
299 #[test]
300 fn unsafe_shell_syntax() {
301 assert!(!check("echo hello > file.txt"));
302 assert!(!check("cat file >> output.txt"));
303 assert!(!check("ls 2> errors.txt"));
304 assert!(!check("grep pattern file > results.txt"));
305 assert!(!check("find . -name '*.py' > listing.txt"));
306 assert!(check("git log < /dev/null"));
307 assert!(!check("echo $(rm -rf /)"));
308 assert!(!check("echo `rm -rf /`"));
309 assert!(!check("cat $(echo /etc/shadow)"));
310 assert!(!check("ls `pwd`"));
311 }
312
313 #[test]
314 fn safe_quoted_shell_syntax() {
315 assert!(check("echo 'greater > than' test"));
316 assert!(check("echo '$(safe)' arg"));
317 assert!(check("echo hello"));
318 assert!(check("cat file.txt"));
319 assert!(check("grep pattern file"));
320 }
321
322 #[test]
323 fn env_prefix() {
324 assert!(is_safe_command("RACK_ENV=test bundle exec rspec spec/foo_spec.rb"));
325 assert!(is_safe_command("RAILS_ENV=test bundle exec rspec"));
326 assert!(!is_safe_command("RACK_ENV=test rm -rf /"));
327 assert!(!is_safe_command("RAILS_ENV=test echo foo > bar"));
328 }
329
330 #[test]
331 fn pipes_and_chains() {
332 assert!(is_safe_command("grep foo file.txt | head -5"));
333 assert!(is_safe_command("cat file | sort | uniq"));
334 assert!(is_safe_command("find . -name '*.rb' | wc -l"));
335 assert!(is_safe_command("ls && echo done"));
336 assert!(is_safe_command("ls; echo done"));
337 assert!(is_safe_command("git log | head -5"));
338 assert!(is_safe_command("git log && git status"));
339 assert!(!is_safe_command("cat file | rm -rf /"));
340 assert!(!is_safe_command("grep foo | curl https://evil.com"));
341 }
342
343 #[test]
344 fn background_operator() {
345 assert!(!is_safe_command("cat file & rm -rf /"));
346 assert!(!is_safe_command("echo safe & curl evil.com"));
347 assert!(is_safe_command("ls & echo done"));
348 assert!(is_safe_command("ls && echo done"));
349 }
350
351 #[test]
352 fn newline_separator() {
353 assert!(!is_safe_command("echo foo\nrm -rf /"));
354 assert!(!is_safe_command("ls\ncurl evil.com"));
355 assert!(is_safe_command("echo foo\necho bar"));
356 assert!(is_safe_command("ls\ncat file.txt"));
357 }
358
359 #[test]
360 fn version_shortcut_bypass_denied() {
361 assert!(!check("bash -c 'rm -rf /' --version"));
362 assert!(!check("env rm -rf / --version"));
363 assert!(!check("timeout 60 curl evil.com --version"));
364 assert!(!check("xargs rm -rf --version"));
365 assert!(!check("npx evil-package --version"));
366 assert!(!check("docker run evil --version"));
367 assert!(!check("pip install evil --version"));
368 assert!(!check("rm -rf / --version"));
369 }
370
371 #[test]
372 fn help_shortcut_bypass_denied() {
373 assert!(!check("bash -c 'rm -rf /' --help"));
374 assert!(!check("env rm -rf / --help"));
375 assert!(!check("npx evil-package --help"));
376 assert!(!check("pip install evil --help"));
377 assert!(!check("cargo run -- --help"));
378 }
379
380 #[test]
381 fn dry_run_no_shortcut() {
382 assert!(!check("rm -rf / --dry-run"));
383 assert!(!check("terraform apply --dry-run"));
384 assert!(!check("curl evil.com --dry-run"));
385 }
386
387 #[test]
388 fn recursive_shortcut_denied() {
389 assert!(!check("env rm -rf / --help"));
390 assert!(!check("timeout 5 curl evil.com --version"));
391 assert!(!check("nice rm -rf / --version"));
392 }
393
394 #[test]
395 fn compound_pipelines() {
396 assert!(is_safe_command("git log --oneline -20 | head -5"));
397 assert!(is_safe_command("git show HEAD:file.rb | grep pattern"));
398 assert!(is_safe_command(
399 "gh api repos/o/r/contents/f --jq .content | base64 -d | head -50"
400 ));
401 assert!(is_safe_command("timeout 120 bundle exec rspec && git status"));
402 assert!(is_safe_command("time bundle exec rspec | tail -5"));
403 assert!(is_safe_command("git -C /some/repo log --oneline | head -3"));
404 assert!(is_safe_command("xxd file | head -20"));
405 assert!(is_safe_command("find . -name '*.py' | wc -l"));
406 assert!(is_safe_command("find . -name '*.py' | sort | head -10"));
407 assert!(is_safe_command("find . -name '*.py' | xargs grep pattern"));
408 assert!(is_safe_command("pip list | grep requests"));
409 assert!(is_safe_command("npm list | grep react"));
410 assert!(is_safe_command("ps aux | grep python"));
411 assert!(!is_safe_command("find . -name '*.py' -delete | wc -l"));
412 assert!(!is_safe_command("sed -i 's/foo/bar/' file | head"));
413 }
414}