fix(powershell): windows security enhancement, sec deny powershell encoding bypass via iex inje… (#2836)

* fix(powershell):  sec deny  powershell encoding bypass   via iex injection.

* fix(exec): security guard bypass fixes for PowerShell/CMD encoding and path traversal

- Split deny patterns into defaultDenyPatterns (all platforms) and
  windowsDenyPatterns (Windows-only) to avoid false positives
- Add PowerShell encoding bypass detection:
  - [Text.Encoding] and [System.Text.Encoding] variants
  - -EncodedCommand short forms (-e, -ec, -enc)
  - .GetString([byte[]] with whitespace variations
  - FromBase64String decoding
  - PowerShell variable = [byte[](...) patterns
  - Literal \uXXXX Unicode escape sequences
- Expand PowerShell ($env:VAR) and CMD (%VAR%) environment variables
  before workspace path checking to prevent $env:USERPROFILE bypass
- Expand ~ to home directory on Windows
- Add .../.../ path traversal variant detection (blocks .../.../, ..../..../)
- Add symlink/junction resolution before workspace check
- Add Windows path normalization for ADS (file.txt:stream) and
  extended-length paths (\?\)
- Add comprehensive tests for all new patterns

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(exec): fix -EncodedCommand regex and rename Windows tests with expanded payloads

- Fix -EncodedCommand regex to match all short forms: -e, -ec, -enc, -en
- Rename Windows-specific tests with TestWindows_ prefix for clarity:
  - TestWindows_TildeBypassPrevented
  - TestWindows_SymlinkBypassPrevented
  - TestWindows_PowerShellEncodingBypass
- Expand test payloads:
  - [Text.Encoding]: add UTF8 and Unicode variants
  - -EncodedCommand: add -enc and -en forms
  - Unicode escape: add multiple \uXXXX forms

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci: retest

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

pkg/tools/shell.go

@@ -97,6 +97,26 @@ var (
 		regexp.MustCompile(`\bsource\s+.*\.sh\b`),
 	}
 
+	// windowsDenyPatterns contains PowerShell-specific deny patterns that only
+	// apply on Windows, where commands are executed via powershell -Command.
+	windowsDenyPatterns = []*regexp.Regexp{
+		// [Text.Encoding] used to construct command strings at runtime.
+		// Matches [Text.Encoding] and [System.Text.Encoding] variants.
+		regexp.MustCompile(`\[(?:\w+\.)?text\.encoding\]`),
+		// PowerShell -EncodedCommand flag (base64-encoded command) and all short forms.
+		// Matches: -e, -ec, -enc, -en, -EncodedCommand (all with space prefix)
+		regexp.MustCompile(` -e(?:$|\s)| -ec(?:$|\s)| -enc(?:$|\s)| -en(?:$|\s)| -encodedcommand\b`),
+		// .GetString called on byte array to decode commands.
+		regexp.MustCompile(`\.getstring\s*\(\s*\[byte\[\]`),
+		// FromBase64String used in command construction chain.
+		regexp.MustCompile(`frombase64string\(`),
+		// PowerShell variable holding byte array used in GetString.
+		regexp.MustCompile(`\$[a-zA-Z_]\w*\s*=\s*\[byte\[\]`),
+		// Unicode escape sequences that could be used to construct commands.
+		// Matches \uXXXX format used to represent characters like i = "i"
+		regexp.MustCompile(`\\u[0-9a-fA-F]{4}`),
+	}
+
 	// absolutePathPattern matches absolute file paths in commands (Unix and Windows).
 	absolutePathPattern = regexp.MustCompile(`[A-Za-z]:\\[^\\\"']+|/[^\s\"']+`)
 
@@ -138,6 +158,9 @@ func NewExecToolWithConfig(
 		allowRemote = execConfig.AllowRemote
 		if enableDenyPatterns {
 			denyPatterns = append(denyPatterns, defaultDenyPatterns...)
+			if runtime.GOOS == "windows" {
+				denyPatterns = append(denyPatterns, windowsDenyPatterns...)
+			}
 			if len(execConfig.CustomDenyPatterns) > 0 {
 				fmt.Printf("Using custom deny patterns: %v\n", execConfig.CustomDenyPatterns)
 				for _, pattern := range execConfig.CustomDenyPatterns {
@@ -161,6 +184,9 @@ func NewExecToolWithConfig(
 		}
 	} else {
 		denyPatterns = append(denyPatterns, defaultDenyPatterns...)
+		if runtime.GOOS == "windows" {
+			denyPatterns = append(denyPatterns, windowsDenyPatterns...)
+		}
 	}
 
 	var timeout time.Duration
@@ -1019,6 +1045,30 @@ func (t *ExecTool) executeSendKeys(args map[string]any) *ToolResult {
 	}
 }
 
+// expandPowerShellEnvVars expands environment variable syntax used by both
+// PowerShell ($env:VAR) and CMD (%VAR%) to their actual values.
+func expandPowerShellEnvVars(cmd string) string {
+	// Handle PowerShell style: $env:VAR and ${env:VAR}
+	rePs := regexp.MustCompile(`\$\{?env:(\w+)\}?`)
+	cmd = rePs.ReplaceAllStringFunc(cmd, func(match string) string {
+		varName := rePs.FindStringSubmatch(match)[1]
+		if val := os.Getenv(varName); val != "" {
+			return val
+		}
+		return match
+	})
+
+	// Handle CMD style: %VAR%
+	reCmd := regexp.MustCompile(`%([^%]+)%`)
+	return reCmd.ReplaceAllStringFunc(cmd, func(match string) string {
+		varName := reCmd.FindStringSubmatch(match)[1]
+		if val := os.Getenv(varName); val != "" {
+			return val
+		}
+		return match
+	})
+}
+
 func (t *ExecTool) guardCommand(command, cwd string) string {
 	cmd := strings.TrimSpace(command)
 	lower := strings.ToLower(cmd)
@@ -1054,7 +1104,8 @@ func (t *ExecTool) guardCommand(command, cwd string) string {
 	}
 
 	if t.restrictToWorkspace {
-		if strings.Contains(cmd, "..\\") || strings.Contains(cmd, "../") {
+		// Block path traversal patterns including .../.../ variants
+		if regexp.MustCompile(`\.\.(?:[\\/]\.\.)*[\\/]`).MatchString(cmd) {
 			return "Command blocked by safety guard (path traversal detected)"
 		}
 
@@ -1068,6 +1119,16 @@ func (t *ExecTool) guardCommand(command, cwd string) string {
 		// file:// URIs are still validated against the workspace boundary.
 		webSchemes := []string{"http:", "https:", "ftp:", "ftps:", "sftp:", "ssh:", "git:"}
 
+		// On Windows, expand ~ and PowerShell environment variables ($env:VAR) before path checking
+		if runtime.GOOS == "windows" {
+			// Expand PowerShell environment variables ($env:VAR and ${env:VAR})
+			cmd = expandPowerShellEnvVars(cmd)
+			// Also expand ~ for completeness
+			if home, err := os.UserHomeDir(); err == nil {
+				cmd = strings.ReplaceAll(cmd, "~", filepath.FromSlash(home))
+			}
+		}
+
 		matchIndices := absolutePathPattern.FindAllStringIndex(cmd, -1)
 
 		for _, loc := range matchIndices {
@@ -1099,6 +1160,22 @@ func (t *ExecTool) guardCommand(command, cwd string) string {
 				continue
 			}
 
+			// Windows-specific: normalize paths to block ADS and extended-length paths
+			if runtime.GOOS == "windows" {
+				// Strip \\?\ prefix (extended-length path)
+				p = strings.TrimPrefix(p, `\\?\`)
+				// Strip NTFS alternate data streams (only if colon is not at position 1 = drive letter)
+				if idx := strings.Index(p, ":"); idx > 1 {
+					p = p[:idx]
+				}
+			}
+
+			// Check symlinks and junctions
+			resolved, err := filepath.EvalSymlinks(p)
+			if err == nil {
+				p = resolved
+			}
+
 			if safePaths[p] {
 				continue
 			}