Module presets

Ready-made sanitizer configurations for common threat models.

Each preset returns a fully configured Sanitizer with rules matched to a specific use case. Choose based on how the validated value will be consumed:

| Preset | Target context | Rules |
|---|---|---|
| command_arg | Command::new().arg() | ControlChar |
| shell_command | sh -c, SSH, popen | ShellMeta + ControlChar + EnvExpansion + Glob |
| file_path | Upload dest, include | PathTraversal + ControlChar |
| file_path_absolute | Config file, absolute OK | PathTraversal(allow_abs) + ControlChar |
| strict | SSH remote path ops, max protection | All 5 rules |

§AI agent use case

When an LLM generates tool calls (e.g. Claude Code, Copilot, Devin), treat the data arguments as untrusted input — indirect prompt injection can manipulate what the AI produces.

§What this crate CAN validate

Path arguments from structured tool calls — this is the primary value for AI agents:

AI: { tool: "read_file", path: "../../etc/shadow" }
                                ^^^^^^^^^^^^^^^^
                                file_path() catches this

AI: { tool: "write_file", path: "/etc/crontab" }
                                ^^^^^^^^^^^^^
                                file_path() catches this

Individual arguments when the framework provides structured tool calls:

AI: { tool: "git_clone", url: "https://evil.com; rm -rf /" }
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                               shell_command() catches the `;`

Template slots when a trusted template is filled with AI data:

Template (hardcoded):  "rsync -avz {} {}"
Slot 1 (file_path):    validated_src
Slot 2 (shell_command): validated_dest

§What this crate CANNOT validate

Free-form bash command strings — the AI generates the entire command, not just arguments:

AI: Bash("git diff HEAD~3")           ← legitimate
AI: Bash("git diff HEAD~3; rm -rf /") ← injection

Sanitizing the full string would break the legitimate command.
This requires: sandbox, container isolation, command allowlist.

§Preset selection for AI tool calls

| AI tool type | Preset | Example |
|---|---|---|
| File read/write | file_path | read("src/lib.rs") |
| Config file | file_path_absolute | read("/etc/app/config.toml") |
| Shell arg slot | shell_command | ssh("deploy {tag}") |
| Command::new().arg() | command_arg | git.arg(branch_name) |
| Unknown context | strict | any mixed-use value |
| Free-form bash | out of scope | Bash("cd repo && make") |

§Known limitations

These presets do not defend against:

  • Free-form command strings — use sandbox/container isolation.
  • Argument injection (--upload-pack=evil) — a flag prefixed with -- is valid shell text. Use -- separators or command-specific validation.
  • URL-encoded bypasses (%2e%2e) — decode input before sanitizing.
  • Semantic attacks — a path like safe/but/wrong/file.txt passes all rules but may still be the wrong file.
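The following is an added illustration, not this crate's own code or API: it models the rule sets from the preset table above with simplified checks (the per-rule character sets and the path-traversal logic are assumptions) and runs the tool-call arguments from the sections above through each preset, including the semantic-attack path that passes strict().

```rust
// Added illustration of the preset table above; this is NOT the crate's own
// API, and each rule's check is a simplified assumption. It shows how the rule
// sets differ per preset and why command_arg() is not enough for a shell slot.

#[derive(Clone, Copy, Debug)]
enum Rule { ControlChar, ShellMeta, EnvExpansion, Glob, PathTraversal { allow_abs: bool } }
use Rule::*;

impl Rule {
    /// Some(reason) if `v` violates this rule, None if it passes.
    fn violation(self, v: &str) -> Option<&'static str> {
        let any_of = |set: &str| v.chars().any(|c| set.contains(c));
        let is_sep = |c: char| c == '/' || c == '\\';
        match self {
            ControlChar => v.chars().any(char::is_control).then_some("control character"),
            ShellMeta => any_of(";|&`$<>()\\\"'").then_some("shell metacharacter"),
            EnvExpansion => any_of("$%").then_some("environment expansion"),
            Glob => any_of("*?[").then_some("glob pattern"),
            PathTraversal { .. } if v.split(is_sep).any(|seg| seg == "..") => Some("path traversal"),
            PathTraversal { allow_abs: false } if v.starts_with(is_sep) => Some("absolute path"),
            PathTraversal { .. } => None,
        }
    }
}

struct Sanitizer { rules: Vec<Rule> }

impl Sanitizer {
    fn new(rules: &[Rule]) -> Self { Self { rules: rules.to_vec() } }
    /// The first violated rule is reported; a clean value is returned unchanged.
    fn validate<'a>(&self, v: &'a str) -> Result<&'a str, &'static str> {
        self.rules.iter().find_map(|r| r.violation(v)).map_or(Ok(v), Err)
    }
}

// The five presets with the rule sets listed in the table above.
fn command_arg() -> Sanitizer { Sanitizer::new(&[ControlChar]) }
fn shell_command() -> Sanitizer { Sanitizer::new(&[ShellMeta, ControlChar, EnvExpansion, Glob]) }
fn file_path() -> Sanitizer { Sanitizer::new(&[PathTraversal { allow_abs: false }, ControlChar]) }
fn file_path_absolute() -> Sanitizer { Sanitizer::new(&[PathTraversal { allow_abs: true }, ControlChar]) }
fn strict() -> Sanitizer { // all five rules; absolute paths rejected
    Sanitizer::new(&[PathTraversal { allow_abs: false }, ShellMeta, ControlChar, EnvExpansion, Glob])
}

fn main() {
    // Constructed tool-call arguments taken from the examples above.
    println!("{:?}", file_path().validate("../../etc/shadow"));
    println!("{:?}", shell_command().validate("https://evil.com; rm -rf /"));
    println!("{:?}", command_arg().validate("https://evil.com; rm -rf /")); // passes: `;` is inert for .arg()
}
```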

§Functions

command_arg
Minimal validation for Command::new().arg() contexts.
file_path
Sanitizer for relative file paths.
file_path_absolute
Sanitizer for file paths where absolute paths are acceptable.
shell_command
Sanitizer for values interpolated into shell command strings.
strict
Maximum-protection sanitizer with all rules enabled.