vtcode_bash_runner/
policy.rs1use crate::executor::{CommandCategory, CommandInvocation};
2use anyhow::{Result, bail};
3use hashbrown::HashSet;
4use std::path::Path;
5use std::sync::Arc;
6use vtcode_commons::WorkspacePaths;
7
8pub trait CommandPolicy: Send + Sync {
9 fn check(&self, invocation: &CommandInvocation) -> Result<()>;
10}
11
12pub struct AllowAllPolicy;
13
14impl CommandPolicy for AllowAllPolicy {
15 fn check(&self, _invocation: &CommandInvocation) -> Result<()> {
16 Ok(())
17 }
18}
19
20#[derive(Clone)]
21pub struct WorkspaceGuardPolicy {
22 workspace: Arc<dyn WorkspacePaths>,
23 allowed_commands: Option<HashSet<CommandCategory>>,
24}
25
26impl WorkspaceGuardPolicy {
27 pub fn new(workspace: Arc<dyn WorkspacePaths>) -> Self {
28 Self {
29 workspace,
30 allowed_commands: None,
31 }
32 }
33
34 pub fn with_allowed_commands(
35 mut self,
36 commands: impl IntoIterator<Item = CommandCategory>,
37 ) -> Self {
38 self.allowed_commands = Some(commands.into_iter().collect());
39 self
40 }
41
42 fn ensure_within_workspace(&self, path: &Path) -> Result<()> {
43 let root = self.workspace.workspace_root();
44 vtcode_commons::paths::ensure_path_within_workspace(path, root).map_err(|error| {
45 error.context(format!(
46 "path `{}` escapes the workspace root `{}`",
47 path.display(),
48 root.display()
49 ))
50 })?;
51 Ok(())
52 }
53}
54
55impl CommandPolicy for WorkspaceGuardPolicy {
56 fn check(&self, invocation: &CommandInvocation) -> Result<()> {
57 if let Some(allowed) = &self.allowed_commands
58 && !allowed.contains(&invocation.category)
59 {
60 bail!(
61 "command category {:?} is not permitted",
62 invocation.category
63 );
64 }
65
66 self.ensure_within_workspace(&invocation.working_dir)?;
67
68 for path in &invocation.touched_paths {
69 self.ensure_within_workspace(path)?;
70 }
71
72 Ok(())
73 }
74}
75
76#[cfg(test)]
77mod tests {
78 use super::*;
79 use crate::executor::ShellKind;
80 use std::path::PathBuf;
81
82 struct StaticWorkspace {
83 root: PathBuf,
84 }
85
86 impl WorkspacePaths for StaticWorkspace {
87 fn workspace_root(&self) -> &Path {
88 &self.root
89 }
90
91 fn config_dir(&self) -> PathBuf {
92 self.root.join("config")
93 }
94 }
95
96 fn policy() -> WorkspaceGuardPolicy {
97 WorkspaceGuardPolicy::new(Arc::new(StaticWorkspace {
98 root: PathBuf::from("/tmp/workspace"),
99 }))
100 }
101
102 fn invocation(working_dir: &str, touched: &[&str]) -> CommandInvocation {
103 CommandInvocation::new(
104 ShellKind::Unix,
105 "true".to_string(),
106 CommandCategory::ListDirectory,
107 PathBuf::from(working_dir),
108 )
109 .with_paths(touched.iter().map(PathBuf::from).collect())
110 }
111
112 #[test]
113 fn accepts_paths_inside_workspace() {
114 let invocation = invocation("/tmp/workspace/src", &["/tmp/workspace/file.txt"]);
115 assert!(policy().check(&invocation).is_ok());
116 }
117
118 #[test]
119 fn rejects_working_dir_traversal_escape() {
120 let invocation = invocation("/tmp/workspace/../etc", &[]);
121 assert!(policy().check(&invocation).is_err());
122 }
123
124 #[test]
125 fn rejects_touched_path_traversal_escape() {
126 let invocation = invocation("/tmp/workspace", &["/tmp/workspace/../../etc/passwd"]);
127 assert!(policy().check(&invocation).is_err());
128 }
129
130 #[test]
131 fn accepts_traversal_that_stays_inside_workspace() {
132 let invocation = invocation("/tmp/workspace/src/../src", &[]);
133 assert!(policy().check(&invocation).is_ok());
134 }
135
136 #[test]
137 fn rejects_path_outside_workspace() {
138 let invocation = invocation("/tmp/other", &[]);
139 assert!(policy().check(&invocation).is_err());
140 }
141}