fix(security): strip shell escapes in denylist normalizer; fail-closed on missing approval module

DANGEROUS_PATTERNS and HARDLINE_PATTERNS are matched on the raw command string, so backslash-escape (r\m) and empty-quote split (r''m) bypass both lists. _normalize_command_for_detection now strips these before pattern matching. tui_gateway shell.exec had a bare 'except ImportError: pass' that silently disabled the entire safety gate if tools.approval wasn't importable. Changed to fail-closed (return 5001 error). Added detect_hardline_command check. Fixes #36846, #36847.
2026-06-09 08:21:50 +00:00 · 2026-06-06 13:31:06 +05:30 · 2026-06-06 13:31:06 +05:30 · 621bf3a873
commit 621bf3a873
parent 1fb99b1f22
2 changed files with 11 additions and 2 deletions
--- a/tools/approval.py
+++ b/tools/approval.py
@ -537,6 +537,10 @@ def _normalize_command_for_detection(command: str) -> str:
    command = command.replace('\x00', '')
    # Normalize Unicode (fullwidth Latin, halfwidth Katakana, etc.)
    command = unicodedata.normalize('NFKC', command)
+    # Strip shell backslash-escapes: r\m → rm. Prevents \-injection bypass.
+    command = re.sub(r'\\([^\n])', r'\1', command)
+    # Strip empty-string literals that split tokens: r''m → rm, r""m → rm.
+    command = re.sub(r"''|\"\"", '', command)
    return command


--- a/tui_gateway/server.py
+++ b/tui_gateway/server.py
@ -8490,15 +8490,20 @@ def _(rid, params: dict) -> dict:
    if not cmd:
        return _err(rid, 4004, "empty command")
    try:
-        from tools.approval import detect_dangerous_command
+        from tools.approval import detect_dangerous_command, detect_hardline_command

+        is_hardline, hardline_desc = detect_hardline_command(cmd)
+        if is_hardline:
+            return _err(
+                rid, 4005, f"blocked (hardline): {hardline_desc}. Use the agent for dangerous commands."
+            )
        is_dangerous, _, desc = detect_dangerous_command(cmd)
        if is_dangerous:
            return _err(
                rid, 4005, f"blocked: {desc}. Use the agent for dangerous commands."
            )
    except ImportError:
-        pass
+        return _err(rid, 5001, "shell.exec unavailable: approval safety module not importable")
    try:
        r = subprocess.run(
            cmd, shell=True, capture_output=True, text=True, timeout=30, cwd=os.getcwd()