Allowlist philosophy and security hardening #43

Merged
ldayton merged 6 commits into main from fix-cmdsub-security-gaps
Jan 17, 2026
@ldayton ldayton commented Jan 17, 2026

Summary

  • Pure allowlist philosophy: removed UNSAFE_PATTERNS blocklist. Unknown commands default to ask.
  • Security hardening: analyze command substitutions in all contexts (for-arith, param expansions, heredocs, backticks)
  • Cleanup: renamed patterns.py → allowlists.py, removed 347 lines of dead code from parser.py

Command substitutions were not being analyzed in several contexts:
- for loop iteration words
- select word list
- case word
- redirect targets
- subshell and brace-group redirects

This could allow dangerous commands like `rm` to execute undetected
when embedded in these constructs.
…ram expansions

Additional security gaps found and fixed:
- arith-cmd: check redirects on (( expr )) constructs
- for-arith: extract and analyze $(cmd) in init/cond/incr strings
- param expansion: analyze cmdsubs in ${x:-$(cmd)} style constructs

Adds _analyze_string_cmdsubs() helper to parse $(cmd) from raw strings
where Parable doesn't provide full AST nodes.

- Add backtick command substitution detection to _analyze_string_cmdsubs
- Analyze unquoted heredoc content for command substitutions
- Quoted heredocs (<<'EOF') are safely skipped as they don't expand

The allowlist approach means unknown commands default to ask.
UNSAFE_PATTERNS was redundant since both matched and unmatched
unknown commands resulted in ask.

Update test expectations for more descriptive reason strings.

Analyzer now handles all AST walking directly. Keep only tokenize().
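The following is an added example written for this page, not the project's own `_analyze_string_cmdsubs()` or `allowlists.py`. It sketches what a helper of that kind has to do to close the gaps the commits above list: pull every `$(...)` and backtick substitution (including nested ones) out of a raw string that the parser only hands over as text, such as a for-arith init/cond/incr string, a `${x:-...}` default, or an unquoted heredoc body; skip `$((...))` arithmetic openers and single-quoted text, which the shell never expands; skip heredoc bodies whose delimiter is quoted; and then judge each command with a pure allowlist where anything not on the list gets "ask". All function names, the allowlist contents and the sample inputs are assumptions made here for illustration.

```python
"""Added example (not the project's code): extract command substitutions
from raw shell strings and judge them with a pure allowlist."""
from __future__ import annotations

import re

# Assumption for illustration only; the real allowlist is not on this page.
ALLOWLIST = {"echo", "ls", "cat", "pwd", "seq", "date"}


def _skip_single_quotes(text: str, i: int) -> int:
    """Index just past the single-quoted string that starts at text[i]."""
    end = text.find("'", i + 1)
    return len(text) if end == -1 else end + 1


def extract_cmdsubs(text: str) -> list[str]:
    """Inner text of every $(...) and `...` substitution in `text`, nested
    ones included.  $(( is skipped as an opener but scanned inside (a $(cmd)
    may sit in arithmetic); single-quoted text and backslash-escaped chars
    are skipped.  A ')' inside double quotes within $(...) is not special-
    cased, a known limitation of this sketch."""
    found: list[str] = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == "\\":                       # escaped char never opens anything
            i += 2
        elif ch == "'":
            i = _skip_single_quotes(text, i)
        elif text.startswith("$((", i):      # arithmetic: keep scanning inside
            i += 3
        elif text.startswith("$(", i):
            depth, j = 1, i + 2
            while j < n and depth:           # find the matching ')'
                c = text[j]
                if c == "\\":
                    j += 2
                    continue
                if c == "'":
                    j = _skip_single_quotes(text, j)
                    continue
                depth += (c == "(") - (c == ")")
                j += 1
            inner = text[i + 2 : j - 1] if depth == 0 else text[i + 2 : j]
            found.append(inner.strip())
            found.extend(extract_cmdsubs(inner))   # nested $(...) or backticks
            i = j
        elif ch == "`":
            end = text.find("`", i + 1)
            end = n if end == -1 else end
            inner = text[i + 1 : end]
            found.append(inner.strip())
            found.extend(extract_cmdsubs(inner))
            i = end + 1
        else:
            i += 1
    return found


def commands_in(cmdsub: str) -> list[str]:
    """Command name of each simple command in a substitution: split on pipes,
    lists and newlines, and drop leading NAME=value assignments."""
    names = []
    for segment in re.split(r"\|\||&&|[|;&\n]", cmdsub):
        words = segment.split()
        while words and re.fullmatch(r"[A-Za-z_]\w*=.*", words[0]):
            words.pop(0)
        if words:
            names.append(words[0])
    return names


def verdict(name: str) -> str:
    """Pure allowlist: no blocklist at all, so `rm` and an unheard-of binary
    get the same answer, which is why a separate UNSAFE_PATTERNS is redundant."""
    return "allow" if name in ALLOWLIST else "ask"


def analyze_string(text: str) -> list[tuple[str, str]]:
    """(command, verdict) for every command found inside substitutions."""
    return [(name, verdict(name))
            for sub in extract_cmdsubs(text) for name in commands_in(sub)]


def overall(text: str) -> str:
    """'ask' if any substituted command is off the allowlist; 'allow' when
    everything found is allowlisted or no substitution is present at all."""
    return "ask" if any(v == "ask" for _, v in analyze_string(text)) else "allow"


def heredoc_expands(delimiter_word: str) -> bool:
    """Only an unquoted delimiter (<<EOF) expands $(...) and backticks in the
    body; quoting any part of it (<<'EOF', <<"EOF", <<\\EOF) disables that."""
    return not any(q in delimiter_word for q in ("'", '"', "\\"))


def analyze_heredoc(delimiter_word: str, body: str) -> str:
    return overall(body) if heredoc_expands(delimiter_word) else "allow"


if __name__ == "__main__":
    # Constructed inputs mirroring the contexts listed in the commits above.
    for label, text in {"for-arith init": "i=$(rm -rf /tmp/x)",
                        "param default": "${x:-$(rm -rf /)}",
                        "backticks": "name=`rm -f /tmp/y`",
                        "nested": "$(echo $(rm -f /tmp/z))",
                        "arithmetic": "$((1 + 2))",
                        "single quotes": "'$(rm -f /tmp/w)'"}.items():
        print(f"{label:15} {overall(text):5} {analyze_string(text)}")
    print("heredoc <<EOF  ", analyze_heredoc("EOF", "x=$(rm -f /tmp/h)"))
    print("heredoc <<'EOF'", analyze_heredoc("'EOF'", "x=$(rm -f /tmp/h)"))
```

Running the block prints one line per constructed input; the for-arith, param-default, backtick and nested cases come out as "ask" because `rm` is not allowlisted, while the arithmetic and single-quoted cases yield no substitution at all. The heredoc pair shows the same body judged "ask" under `<<EOF` and skipped under `<<'EOF'`.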
ldayton changed the title from "Analyze cmdsubs in all word contexts" to "Allowlist philosophy and security hardening" on Jan 17, 2026
ldayton merged commit 8159c95 into main on Jan 17, 2026
2 checks passed
ldayton deleted the fix-cmdsub-security-gaps branch on January 17, 2026 at 10:37