feat: Support modifying the command filtering list of the exec tool (#410)

pkg/agent/loop.go

@@ -71,7 +71,7 @@ func createToolRegistry(workspace string, restrict bool, cfg *config.Config, msg
 	registry.Register(tools.NewAppendFileTool(workspace, restrict))
 
 	// Shell execution
-	registry.Register(tools.NewExecTool(workspace, restrict))
+	registry.Register(tools.NewExecToolWithConfig(workspace, restrict, cfg))
 
 	if searchTool := tools.NewWebSearchTool(tools.WebSearchToolOptions{
 		BraveAPIKey:          cfg.Tools.Web.Brave.APIKey,

pkg/config/config.go

@@ -227,9 +227,15 @@ type CronToolsConfig struct {
 	ExecTimeoutMinutes int `json:"exec_timeout_minutes" env:"PICOCLAW_TOOLS_CRON_EXEC_TIMEOUT_MINUTES"` // 0 means no timeout
 }
 
+type ExecConfig struct {
+	EnableDenyPatterns bool     `json:"enable_deny_patterns" env:"PICOCLAW_TOOLS_EXEC_ENABLE_DENY_PATTERNS"`
+	CustomDenyPatterns []string `json:"custom_deny_patterns" env:"PICOCLAW_TOOLS_EXEC_CUSTOM_DENY_PATTERNS"`
+}
+
 type ToolsConfig struct {
 	Web  WebToolsConfig  `json:"web"`
 	Cron CronToolsConfig `json:"cron"`
+	Exec ExecConfig      `json:"exec"`
 }
 
 func DefaultConfig() *Config {
@@ -347,6 +353,9 @@ func DefaultConfig() *Config {
 			Cron: CronToolsConfig{
 				ExecTimeoutMinutes: 5, // default 5 minutes for LLM operations
 			},
+			Exec: ExecConfig{
+				EnableDenyPatterns: true,
+			},
 		},
 		Heartbeat: HeartbeatConfig{
 			Enabled:  true,

pkg/tools/cron.go

@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/sipeed/picoclaw/pkg/bus"
+	"github.com/sipeed/picoclaw/pkg/config"
 	"github.com/sipeed/picoclaw/pkg/cron"
 	"github.com/sipeed/picoclaw/pkg/utils"
 )
@@ -29,9 +30,9 @@ type CronTool struct {
 
 // NewCronTool creates a new CronTool
 // execTimeout: 0 means no timeout, >0 sets the timeout duration
-func NewCronTool(cronService *cron.CronService, executor JobExecutor, msgBus *bus.MessageBus, workspace string, restrict bool, execTimeout time.Duration) *CronTool {
-	execTool := NewExecTool(workspace, restrict)
-	execTool.SetTimeout(execTimeout) // 0 means no timeout
+func NewCronTool(cronService *cron.CronService, executor JobExecutor, msgBus *bus.MessageBus, workspace string, restrict bool, execTimeout time.Duration, config *config.Config) *CronTool {
+	execTool := NewExecToolWithConfig(workspace, restrict, config)
+	execTool.SetTimeout(execTimeout)
 	return &CronTool{
 		cronService: cronService,
 		executor:    executor,

pkg/tools/shell.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"github.com/sipeed/picoclaw/pkg/config"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -21,50 +22,82 @@ type ExecTool struct {
 	restrictToWorkspace bool
 }
 
+var defaultDenyPatterns = []*regexp.Regexp{
+	regexp.MustCompile(`\brm\s+-[rf]{1,2}\b`),
+	regexp.MustCompile(`\bdel\s+/[fq]\b`),
+	regexp.MustCompile(`\brmdir\s+/s\b`),
+	regexp.MustCompile(`\b(format|mkfs|diskpart)\b\s`), // Match disk wiping commands (must be followed by space/args)
+	regexp.MustCompile(`\bdd\s+if=`),
+	regexp.MustCompile(`>\s*/dev/sd[a-z]\b`), // Block writes to disk devices (but allow /dev/null)
+	regexp.MustCompile(`\b(shutdown|reboot|poweroff)\b`),
+	regexp.MustCompile(`:\(\)\s*\{.*\};\s*:`),
+	regexp.MustCompile(`\$\([^)]+\)`),
+	regexp.MustCompile(`\$\{[^}]+\}`),
+	regexp.MustCompile("`[^`]+`"),
+	regexp.MustCompile(`\|\s*sh\b`),
+	regexp.MustCompile(`\|\s*bash\b`),
+	regexp.MustCompile(`;\s*rm\s+-[rf]`),
+	regexp.MustCompile(`&&\s*rm\s+-[rf]`),
+	regexp.MustCompile(`\|\|\s*rm\s+-[rf]`),
+	regexp.MustCompile(`>\s*/dev/null\s*>&?\s*\d?`),
+	regexp.MustCompile(`<<\s*EOF`),
+	regexp.MustCompile(`\$\(\s*cat\s+`),
+	regexp.MustCompile(`\$\(\s*curl\s+`),
+	regexp.MustCompile(`\$\(\s*wget\s+`),
+	regexp.MustCompile(`\$\(\s*which\s+`),
+	regexp.MustCompile(`\bsudo\b`),
+	regexp.MustCompile(`\bchmod\s+[0-7]{3,4}\b`),
+	regexp.MustCompile(`\bchown\b`),
+	regexp.MustCompile(`\bpkill\b`),
+	regexp.MustCompile(`\bkillall\b`),
+	regexp.MustCompile(`\bkill\s+-[9]\b`),
+	regexp.MustCompile(`\bcurl\b.*\|\s*(sh|bash)`),
+	regexp.MustCompile(`\bwget\b.*\|\s*(sh|bash)`),
+	regexp.MustCompile(`\bnpm\s+install\s+-g\b`),
+	regexp.MustCompile(`\bpip\s+install\s+--user\b`),
+	regexp.MustCompile(`\bapt\s+(install|remove|purge)\b`),
+	regexp.MustCompile(`\byum\s+(install|remove)\b`),
+	regexp.MustCompile(`\bdnf\s+(install|remove)\b`),
+	regexp.MustCompile(`\bdocker\s+run\b`),
+	regexp.MustCompile(`\bdocker\s+exec\b`),
+	regexp.MustCompile(`\bgit\s+push\b`),
+	regexp.MustCompile(`\bgit\s+force\b`),
+	regexp.MustCompile(`\bssh\b.*@`),
+	regexp.MustCompile(`\beval\b`),
+	regexp.MustCompile(`\bsource\s+.*\.sh\b`),
+}
+
 func NewExecTool(workingDir string, restrict bool) *ExecTool {
-	denyPatterns := []*regexp.Regexp{
-		regexp.MustCompile(`\brm\s+-[rf]{1,2}\b`),
-		regexp.MustCompile(`\bdel\s+/[fq]\b`),
-		regexp.MustCompile(`\brmdir\s+/s\b`),
-		regexp.MustCompile(`\b(format|mkfs|diskpart)\b\s`), // Match disk wiping commands (must be followed by space/args)
-		regexp.MustCompile(`\bdd\s+if=`),
-		regexp.MustCompile(`>\s*/dev/sd[a-z]\b`), // Block writes to disk devices (but allow /dev/null)
-		regexp.MustCompile(`\b(shutdown|reboot|poweroff)\b`),
-		regexp.MustCompile(`:\(\)\s*\{.*\};\s*:`),
-		regexp.MustCompile(`\$\([^)]+\)`),
-		regexp.MustCompile(`\$\{[^}]+\}`),
-		regexp.MustCompile("`[^`]+`"),
-		regexp.MustCompile(`\|\s*sh\b`),
-		regexp.MustCompile(`\|\s*bash\b`),
-		regexp.MustCompile(`;\s*rm\s+-[rf]`),
-		regexp.MustCompile(`&&\s*rm\s+-[rf]`),
-		regexp.MustCompile(`\|\|\s*rm\s+-[rf]`),
-		regexp.MustCompile(`>\s*/dev/null\s*>&?\s*\d?`),
-		regexp.MustCompile(`<<\s*EOF`),
-		regexp.MustCompile(`\$\(\s*cat\s+`),
-		regexp.MustCompile(`\$\(\s*curl\s+`),
-		regexp.MustCompile(`\$\(\s*wget\s+`),
-		regexp.MustCompile(`\$\(\s*which\s+`),
-		regexp.MustCompile(`\bsudo\b`),
-		regexp.MustCompile(`\bchmod\s+[0-7]{3,4}\b`),
-		regexp.MustCompile(`\bchown\b`),
-		regexp.MustCompile(`\bpkill\b`),
-		regexp.MustCompile(`\bkillall\b`),
-		regexp.MustCompile(`\bkill\s+-[9]\b`),
-		regexp.MustCompile(`\bcurl\b.*\|\s*(sh|bash)`),
-		regexp.MustCompile(`\bwget\b.*\|\s*(sh|bash)`),
-		regexp.MustCompile(`\bnpm\s+install\s+-g\b`),
-		regexp.MustCompile(`\bpip\s+install\s+--user\b`),
-		regexp.MustCompile(`\bapt\s+(install|remove|purge)\b`),
-		regexp.MustCompile(`\byum\s+(install|remove)\b`),
-		regexp.MustCompile(`\bdnf\s+(install|remove)\b`),
-		regexp.MustCompile(`\bdocker\s+run\b`),
-		regexp.MustCompile(`\bdocker\s+exec\b`),
-		regexp.MustCompile(`\bgit\s+push\b`),
-		regexp.MustCompile(`\bgit\s+force\b`),
-		regexp.MustCompile(`\bssh\b.*@`),
-		regexp.MustCompile(`\beval\b`),
-		regexp.MustCompile(`\bsource\s+.*\.sh\b`),
+	return NewExecToolWithConfig(workingDir, restrict, nil)
+}
+
+func NewExecToolWithConfig(workingDir string, restrict bool, config *config.Config) *ExecTool {
+	denyPatterns := make([]*regexp.Regexp, 0)
+
+	enableDenyPatterns := true
+	if config != nil {
+		execConfig := config.Tools.Exec
+		enableDenyPatterns = execConfig.EnableDenyPatterns
+		if enableDenyPatterns {
+			if len(execConfig.CustomDenyPatterns) > 0 {
+				fmt.Printf("Using custom deny patterns: %v\n", execConfig.CustomDenyPatterns)
+				for _, pattern := range execConfig.CustomDenyPatterns {
+					re, err := regexp.Compile(pattern)
+					if err != nil {
+						fmt.Printf("Invalid custom deny pattern %q: %v\n", pattern, err)
+						continue
+					}
+					denyPatterns = append(denyPatterns, re)
+				}
+			} else {
+				denyPatterns = append(denyPatterns, defaultDenyPatterns...)
+			}
+		} else {
+			// If deny patterns are disabled, we won't add any patterns, allowing all commands.
+			fmt.Println("Warning: deny patterns are disabled. All commands will be allowed.")
+		}
+	} else {
+		denyPatterns = append(denyPatterns, defaultDenyPatterns...)
 	}
 
 	return &ExecTool{