mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-09 13:21:42 +00:00
GNU tools accept unique long-option prefix abbreviations at runtime, so `chown --recurs root` and `git push --forc` evaded the approval gate's exact-match `--recursive`/`--force` patterns. Switch those two entries to prefix matches (--recur[a-z]*, --forc[a-z]*). The rm/chmod/sed long-flag patterns were left unchanged: every abbreviation of those is already caught by the sibling short-flag and target patterns (rm -[^s]*r, base chmod 777, sed -[^s]*i), so prefix-matching them is a no-op. Only chown (beyond the coincidental case-insensitive r->R catch) and git push had genuine gaps. Co-authored-by: Subway2023 <subw3@mail2.sysu.edu.cn>
109 lines
4.2 KiB
Python
109 lines
4.2 KiB
Python
"""Tests for GNU long-option abbreviation bypass in DANGEROUS_PATTERNS.
|
|
|
|
GNU tools accept unique long-option prefix abbreviations at runtime
|
|
(e.g. ``chown --recur`` resolves to ``chown --recursive``). Two approval
|
|
patterns matched only the full flag name and could be evaded by passing a
|
|
valid abbreviation:
|
|
|
|
chown --recursive → --recur[a-z]*
|
|
git push --force → --forc[a-z]*
|
|
|
|
The other long-flag patterns (rm/chmod/sed) were already covered on every
|
|
abbreviation by sibling short-flag / target patterns, so this file only
|
|
asserts the two gaps that were genuinely open plus the relevant regression
|
|
guards.
|
|
"""
|
|
|
|
import pytest
|
|
|
|
from tools.approval import detect_dangerous_command
|
|
|
|
|
|
class TestChownRecursiveLongOptionAbbreviation:
|
|
"""chown --recur* abbreviations targeting root must be caught.
|
|
|
|
On main the bare ``--recur root`` form is caught only by an accidental
|
|
case-insensitive ``r`` → ``R`` overlap with the short-flag pattern; longer
|
|
abbreviations like ``--recurs``/``--recursi`` break that overlap and
|
|
slipped through before the prefix change.
|
|
"""
|
|
|
|
def test_chown_recursive_full_still_detected(self):
|
|
dangerous, _, desc = detect_dangerous_command("chown --recursive root /etc")
|
|
assert dangerous is True
|
|
assert "chown" in desc.lower() or "root" in desc.lower()
|
|
|
|
def test_chown_recur_root_detected(self):
|
|
dangerous, _, _ = detect_dangerous_command("chown --recur root /etc")
|
|
assert dangerous is True
|
|
|
|
def test_chown_recurs_root_detected(self):
|
|
dangerous, _, _ = detect_dangerous_command("chown --recurs root:root /var")
|
|
assert dangerous is True, "chown --recurs is a valid abbreviation of --recursive"
|
|
|
|
def test_chown_recursi_root_detected(self):
|
|
dangerous, _, _ = detect_dangerous_command("chown --recursi root /etc")
|
|
assert dangerous is True
|
|
|
|
def test_chown_recur_non_root_not_flagged(self):
|
|
"""--recur* chown to a non-root user must not be flagged."""
|
|
dangerous, _, _ = detect_dangerous_command("chown --recur nobody /opt/app")
|
|
assert dangerous is False
|
|
|
|
|
|
class TestGitPushForceLongOptionAbbreviation:
|
|
"""git push --forc* abbreviations must be caught.
|
|
|
|
The short ``-f`` pattern does not catch ``--forc`` (the ``\\b`` after the
|
|
``f`` does not match mid-word), so abbreviated long forms slipped through.
|
|
"""
|
|
|
|
def test_git_push_force_full_still_detected(self):
|
|
dangerous, _, desc = detect_dangerous_command("git push --force origin main")
|
|
assert dangerous is True
|
|
assert "force" in desc.lower()
|
|
|
|
def test_git_push_forc_abbreviation_detected(self):
|
|
dangerous, _, _ = detect_dangerous_command("git push --forc origin main")
|
|
assert dangerous is True, "git push --forc is a valid abbreviation of --force"
|
|
|
|
def test_git_push_forced_variant_detected(self):
|
|
dangerous, _, _ = detect_dangerous_command("git push --forced origin main")
|
|
assert dangerous is True
|
|
|
|
def test_git_push_force_with_lease_detected(self):
|
|
dangerous, _, _ = detect_dangerous_command(
|
|
"git push --force-with-lease origin main"
|
|
)
|
|
assert dangerous is True
|
|
|
|
def test_git_push_short_f_still_detected(self):
|
|
"""Existing -f pattern must not regress."""
|
|
dangerous, _, _ = detect_dangerous_command("git push -f origin main")
|
|
assert dangerous is True
|
|
|
|
def test_git_push_no_force_not_flagged(self):
|
|
dangerous, _, _ = detect_dangerous_command("git push origin main")
|
|
assert dangerous is False
|
|
|
|
def test_git_push_set_upstream_not_flagged(self):
|
|
dangerous, _, _ = detect_dangerous_command(
|
|
"git push --set-upstream origin feature"
|
|
)
|
|
assert dangerous is False
|
|
|
|
|
|
class TestFullFormRegressions:
|
|
"""The two changed long-flag patterns must still detect their full form."""
|
|
|
|
@pytest.mark.parametrize(
|
|
"cmd",
|
|
[
|
|
"chown --recursive root /etc",
|
|
"git push --force origin main",
|
|
],
|
|
)
|
|
def test_full_form_still_detected(self, cmd):
|
|
dangerous, key, _ = detect_dangerous_command(cmd)
|
|
assert dangerous is True, f"Full-form long flag not detected in: {cmd!r}"
|
|
assert key is not None
|