P0: Shell parsing — structured argv or real shell parser #64

@galic1987

Description

Source

ChatGPT security review feedback

Problem

split_shell_commands() doesn't handle subshells, process substitution, or heredocs, meaning policy checks can be bypassed with crafted shell input.

Fix — two viable directions:

Option A (security-first):

  • Make the tool accept { program, args[], cwd, env } (structured argv)
  • Only allow shell strings in YOLO / user-confirmed modes
  • Eliminates parsing ambiguity entirely

Option B (power-user):

  • Integrate a real shell parser (parse to AST)
  • Apply safety rules on AST nodes
  • Reject unknown/unsupported AST nodes by default

Note: Whitespace normalization for the denylist was already added (collapsing runs of whitespace before pattern matching). This issue tracks the deeper structural fix.

Relevant Code

  • src/tools/shell.rs
  • src/safety/checker.rs

Priority

P0 — defense-in-depth

Labels

security, P0
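
Option A from the issue above, as an added Rust example that is not the project's own code: policy is evaluated on the structured fields and the process is built without a shell, so shell syntax inside an argument stays a literal string. `ExecRequest`, `check`, `build`, `argv_of`, the allowlist and the blocked environment names are assumptions made for illustration.

```rust
use std::collections::BTreeMap;
use std::path::PathBuf;
use std::process::Command;

/// Hypothetical request shape from Option A: { program, args[], cwd, env }.
pub struct ExecRequest {
    pub program: String,
    pub args: Vec<String>,
    pub cwd: Option<PathBuf>,
    pub env: BTreeMap<String, String>,
}

// Assumed policy for this example: bare program names from an allowlist.
const ALLOWED_PROGRAMS: &[&str] = &["ls", "cat", "echo", "git"];
// Assumed: variables that change which binary or libraries get loaded.
const BLOCKED_ENV: &[&str] = &["LD_PRELOAD", "LD_LIBRARY_PATH", "PATH"];

/// Policy is checked on fields, never on a re-joined command string.
pub fn check(req: &ExecRequest) -> Result<(), String> {
    if req.program.contains('/') || !ALLOWED_PROGRAMS.contains(&req.program.as_str()) {
        return Err(format!("program not allowed: {}", req.program));
    }
    if let Some(k) = req.env.keys().find(|k| BLOCKED_ENV.contains(&k.as_str())) {
        return Err(format!("env var not allowed: {}", k));
    }
    Ok(())
}

/// Build the process directly (no `sh -c`), so each arg is passed verbatim.
pub fn build(req: &ExecRequest) -> Result<Command, String> {
    check(req)?;
    let mut cmd = Command::new(&req.program);
    cmd.args(&req.args).envs(&req.env);
    if let Some(dir) = &req.cwd {
        cmd.current_dir(dir);
    }
    Ok(cmd)
}

/// Arguments exactly as the child would receive them (for logging and tests).
pub fn argv_of(cmd: &Command) -> Vec<String> {
    cmd.get_args().map(|a| a.to_string_lossy().into_owned()).collect()
}

fn main() {
    // Constructed input: the substitution syntax is one inert argument.
    let req = ExecRequest { program: "echo".into(), args: vec!["$(whoami)".into()], cwd: None, env: BTreeMap::new() };
    let cmd = build(&req).expect("echo is on the allowlist");
    println!("{:?}", argv_of(&cmd)); // built only, not spawned
}
```
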
