* Detects commands with malformed tokens (unbalanced delimiters) combined with * command separators. This catches potential injection patterns where ambiguous * shell syntax could be exploited. * * Security: This check catches the eval bypass discovered in HackerOne review. * When shell-quote p
( context: ValidationContext, )
| 1080 | * what will be executed before approving. |
| 1081 | */ |
| 1082 | function validateMalformedTokenInjection( |
| 1083 | context: ValidationContext, |
| 1084 | ): PermissionResult { |
| 1085 | const { originalCommand } = context |
| 1086 | |
| 1087 | const parseResult = tryParseShellCommand(originalCommand) |
| 1088 | if (!parseResult.success) { |
| 1089 | // Parse failed - this is handled elsewhere (bashToolHasPermission checks this) |
| 1090 | return { |
| 1091 | behavior: 'passthrough', |
| 1092 | message: 'Parse failed, handled elsewhere', |
| 1093 | } |
| 1094 | } |
| 1095 | |
| 1096 | const parsed = parseResult.tokens |
| 1097 | |
| 1098 | // Check for command separators (;, &&, ||) |
| 1099 | const hasCommandSeparator = parsed.some( |
| 1100 | entry => |
| 1101 | typeof entry === 'object' && |
| 1102 | entry !== null && |
| 1103 | 'op' in entry && |
| 1104 | (entry.op === ';' || entry.op === '&&' || entry.op === '||'), |
| 1105 | ) |
| 1106 | |
| 1107 | if (!hasCommandSeparator) { |
| 1108 | return { behavior: 'passthrough', message: 'No command separators' } |
| 1109 | } |
| 1110 | |
| 1111 | // Check for malformed tokens (unbalanced delimiters) |
| 1112 | if (hasMalformedTokens(originalCommand, parsed)) { |
| 1113 | logEvent('tengu_bash_security_check_triggered', { |
| 1114 | checkId: BASH_SECURITY_CHECK_IDS.MALFORMED_TOKEN_INJECTION, |
| 1115 | subId: 1, |
| 1116 | }) |
| 1117 | return { |
| 1118 | behavior: 'ask', |
| 1119 | message: |
| 1120 | 'Command contains ambiguous syntax with command separators that could be misinterpreted', |
| 1121 | } |
| 1122 | } |
| 1123 | |
| 1124 | return { |
| 1125 | behavior: 'passthrough', |
| 1126 | message: 'No malformed token injection detected', |
| 1127 | } |
| 1128 | } |
| 1129 | |
| 1130 | function validateObfuscatedFlags(context: ValidationContext): PermissionResult { |
| 1131 | // Block shell quoting bypass patterns used to circumvent negative lookaheads we use in our regexes to block known dangerous flags |
nothing calls this directly
no test coverage detected