From 69dd0f7cf1f4df03e8b8e80aecc906dbd2b22d12 Mon Sep 17 00:00:00 2001
From: JasonOA888
Date: Sun, 3 May 2026 21:49:15 +0800
Subject: [PATCH] fix(approval): extend sensitive write target to cover shell RC and credential files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Terminal commands can write to shell RC files (~/.bashrc, ~/.zshrc, ~/.profile) and credential files (~/.netrc, ~/.pgpass, ~/.npmrc, ~/.pypirc) via redirection or tee without triggering approval, even though write_file already blocks these paths in file_safety.py. This creates an inconsistency: write_file protects these paths but terminal shell redirections bypass the same protection. An agent prompted via indirect injection could install persistent backdoors (e.g. PATH manipulation, alias overrides) or write credential entries without user approval. Extend _SENSITIVE_WRITE_TARGET with two new regex groups matching the same paths that file_safety.py's WRITE_DENIED_PATHS already covers: _SHELL_RC_FILES — ~/.bashrc, ~/.zshrc, ~/.profile, ~/.bash_profile, ~/.zprofile _CREDENTIAL_FILES — ~/.netrc, ~/.pgpass, ~/.npmrc, ~/.pypirc All 130 existing tests pass.
---
 tools/approval.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/tools/approval.py b/tools/approval.py
index e13c019c0a..4ece3e5be4 100644
--- a/tools/approval.py
+++ b/tools/approval.py
@@ -94,10 +94,20 @@ _HERMES_ENV_PATH = (
 )
 _PROJECT_ENV_PATH = r'(?:(?:/|\.{1,2}/)?(?:[^\s/"\'`]+/)*\.env(?:\.[^/\s"\'`]+)*)'
 _PROJECT_CONFIG_PATH = r'(?:(?:/|\.{1,2}/)?(?:[^\s/"\'`]+/)*config\.yaml)'
+_SHELL_RC_FILES = (
+ r'(?:~|\$home|\$\{home\})/\.'
+ r'(?:bashrc|zshrc|profile|bash_profile|zprofile)\b'
+)
+_CREDENTIAL_FILES = (
+ r'(?:~|\$home|\$\{home\})/\.'
+ r'(?:netrc|pgpass|npmrc|pypirc)\b'
+)
 _SENSITIVE_WRITE_TARGET = (
 r'(?:/etc/|/dev/sd|'
 rf'{_SSH_SENSITIVE_PATH}|'
-rf'{_HERMES_ENV_PATH})'
+rf'{_HERMES_ENV_PATH}|'
+rf'{_SHELL_RC_FILES}|'
+rf'{_CREDENTIAL_FILES})'
 )
 _PROJECT_SENSITIVE_WRITE_TARGET = rf'(?:{_PROJECT_ENV_PATH}|{_PROJECT_CONFIG_PATH})'
 _COMMAND_TAIL = r'(?:\s*(?:&&|\|\||;).*)?$'
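Review bot: The new `_SHELL_RC_FILES` and `_CREDENTIAL_FILES` groups only recognise a target spelled with `~/`, `$home/` or `${home}/`, so the approval gate covers fewer spellings of these files than a path-resolving deny list would. Whether `WRITE_DENIED_PATHS` in file_safety.py resolves paths is not visible here, so the parity claimed in the description should be checked for absolute and relative forms of the same files. The lowercase `$home` also presumably relies on the caller lowercasing the command or compiling with `re.IGNORECASE`, which this hunk does not show. The diffstat touches only tools/approval.py, so nothing pins the new behaviour; a parametrised test over each listed file for both redirection and `tee` would help, as would a test asserting that this list and `WRITE_DENIED_PATHS` stay in step. At minimum I would add above the two constants `# Keep in sync with WRITE_DENIED_PATHS in file_safety.py; matches only ~, $HOME and ${HOME} spellings.`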