source dump of claude code
/**
 * Pattern lists for dangerous shell-tool allow-rule prefixes.
 *
 * An allow rule such as `Bash(python:*)` or `PowerShell(node:*)` lets the
 * model run arbitrary code through that interpreter, bypassing the auto-mode
 * classifier. The lists here feed the isDangerous{Bash,PowerShell}Permission
 * predicates in permissionSetup.ts, which strip such rules at auto-mode entry.
 *
 * Each predicate's matcher handles the rule-shape variants (exact, `:*`,
 * trailing `*`, ` *`, ` -…*`). PS-specific cmdlet strings live in
 * isDangerousPowerShellPermission (permissionSetup.ts).
 *
 * NOTE(review): these are deny-lists of command names, so a rule is only
 * stripped when its command matches an entry. Per the note on 'gh api'
 * below, matching is exact-shape rather than prefix; when adding a tool,
 * check whether its subcommand forms need entries of their own.
 */

// Language interpreters.
const INTERPRETERS = [
  'python', 'python3', 'python2',
  'node', 'deno', 'tsx',
  'ruby', 'perl', 'php', 'lua',
] as const

// Package runners. The two-word forms are listed explicitly; see the
// 'gh api' note below for why 'npm' alone would not cover 'npm run'.
const PACKAGE_RUNNERS = [
  'npx', 'bunx',
  'npm run', 'yarn run', 'pnpm run', 'bun run',
] as const

/**
 * Code-execution entry points that exist on both Unix and Windows.
 * Kept in one shared list so the Bash and PowerShell lists cannot drift
 * apart when an interpreter is added.
 */
export const CROSS_PLATFORM_CODE_EXEC = [
  ...INTERPRETERS,
  ...PACKAGE_RUNNERS,
  // Shells available on both platforms (Git Bash / WSL on Windows, native
  // on Unix)
  'bash', 'sh',
  // Wrapper that runs arbitrary commands remotely (native OpenSSH on Win10+)
  'ssh',
] as const

// Entries that apply to the Bash list only.
const BASH_ONLY_EXEC = [
  'zsh', 'fish', 'eval', 'exec', 'env', 'xargs', 'sudo',
] as const

/**
 * Command patterns treated as dangerous in a Bash allow rule: the shared
 * cross-platform list, the Bash-only entries, and an Anthropic-internal set
 * that is included only when `process.env.USER_TYPE` is `'ant'`.
 *
 * The environment check runs once, when this module is first evaluated.
 */
export const DANGEROUS_BASH_PATTERNS: readonly string[] = [
  ...CROSS_PLATFORM_CODE_EXEC,
  ...BASH_ONLY_EXEC,
  // Anthropic internal: ant-only tools, plus general tools that ant sandbox
  // dotfile data shows are commonly over-allowlisted as broad prefixes.
  // They stay ant-only: external users don't have coo, and the rest are an
  // empirical-risk call grounded in ant sandbox data, not a universal
  // "this tool is unsafe" judgment. PS may want these once it has usage data.
  // NOTE(review): the literal is kept inside the conditional on purpose in
  // this rewrite; presumably a build that inlines USER_TYPE can then drop
  // the internal names from external bundles. Confirm before hoisting it.
  ...(process.env.USER_TYPE === 'ant'
    ? [
        'fa run',
        // Cluster code launcher: arbitrary code on the cluster
        'coo',
        // Network/exfil: gh gist create --public, gh api arbitrary HTTP,
        // curl/wget POST. 'gh api' needs its own entry because the matcher
        // is exact-shape, not prefix: pattern 'gh' alone does not catch
        // rule 'gh api:*' (the same reason 'npm run' is separate from 'npm').
        'gh', 'gh api', 'curl', 'wget',
        // git config core.sshCommand / hooks install = arbitrary code
        'git',
        // Cloud resource writes (s3 public buckets, k8s mutations)
        'kubectl', 'aws', 'gcloud', 'gsutil',
      ]
    : []),
]