feat: Support modifying the command filtering list of the exec tool (#410)

2026-06-12 18:08:54 +00:00 · 2026-02-18 19:31:15 +08:00
parent b77a40315e
commit eda6e37332
6 changed files with 215 additions and 50 deletions
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"github.com/sipeed/picoclaw/pkg/config"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -21,50 +22,82 @@ type ExecTool struct {
 	restrictToWorkspace bool
 }

+var defaultDenyPatterns = []*regexp.Regexp{
+	regexp.MustCompile(`\brm\s+-[rf]{1,2}\b`),
+	regexp.MustCompile(`\bdel\s+/[fq]\b`),
+	regexp.MustCompile(`\brmdir\s+/s\b`),
+	regexp.MustCompile(`\b(format|mkfs|diskpart)\b\s`), // Match disk wiping commands (must be followed by space/args)
+	regexp.MustCompile(`\bdd\s+if=`),
+	regexp.MustCompile(`>\s*/dev/sd[a-z]\b`), // Block writes to disk devices (but allow /dev/null)
+	regexp.MustCompile(`\b(shutdown|reboot|poweroff)\b`),
+	regexp.MustCompile(`:\(\)\s*\{.*\};\s*:`),
+	regexp.MustCompile(`\$\([^)]+\)`),
+	regexp.MustCompile(`\$\{[^}]+\}`),
+	regexp.MustCompile("`[^`]+`"),
+	regexp.MustCompile(`\|\s*sh\b`),
+	regexp.MustCompile(`\|\s*bash\b`),
+	regexp.MustCompile(`;\s*rm\s+-[rf]`),
+	regexp.MustCompile(`&&\s*rm\s+-[rf]`),
+	regexp.MustCompile(`\|\|\s*rm\s+-[rf]`),
+	regexp.MustCompile(`>\s*/dev/null\s*>&?\s*\d?`),
+	regexp.MustCompile(`<<\s*EOF`),
+	regexp.MustCompile(`\$\(\s*cat\s+`),
+	regexp.MustCompile(`\$\(\s*curl\s+`),
+	regexp.MustCompile(`\$\(\s*wget\s+`),
+	regexp.MustCompile(`\$\(\s*which\s+`),
+	regexp.MustCompile(`\bsudo\b`),
+	regexp.MustCompile(`\bchmod\s+[0-7]{3,4}\b`),
+	regexp.MustCompile(`\bchown\b`),
+	regexp.MustCompile(`\bpkill\b`),
+	regexp.MustCompile(`\bkillall\b`),
+	regexp.MustCompile(`\bkill\s+-[9]\b`),
+	regexp.MustCompile(`\bcurl\b.*\|\s*(sh|bash)`),
+	regexp.MustCompile(`\bwget\b.*\|\s*(sh|bash)`),
+	regexp.MustCompile(`\bnpm\s+install\s+-g\b`),
+	regexp.MustCompile(`\bpip\s+install\s+--user\b`),
+	regexp.MustCompile(`\bapt\s+(install|remove|purge)\b`),
+	regexp.MustCompile(`\byum\s+(install|remove)\b`),
+	regexp.MustCompile(`\bdnf\s+(install|remove)\b`),
+	regexp.MustCompile(`\bdocker\s+run\b`),
+	regexp.MustCompile(`\bdocker\s+exec\b`),
+	regexp.MustCompile(`\bgit\s+push\b`),
+	regexp.MustCompile(`\bgit\s+force\b`),
+	regexp.MustCompile(`\bssh\b.*@`),
+	regexp.MustCompile(`\beval\b`),
+	regexp.MustCompile(`\bsource\s+.*\.sh\b`),
+}
+
 func NewExecTool(workingDir string, restrict bool) *ExecTool {
-	denyPatterns := []*regexp.Regexp{
-		regexp.MustCompile(`\brm\s+-[rf]{1,2}\b`),
-		regexp.MustCompile(`\bdel\s+/[fq]\b`),
-		regexp.MustCompile(`\brmdir\s+/s\b`),
-		regexp.MustCompile(`\b(format|mkfs|diskpart)\b\s`), // Match disk wiping commands (must be followed by space/args)
-		regexp.MustCompile(`\bdd\s+if=`),
-		regexp.MustCompile(`>\s*/dev/sd[a-z]\b`), // Block writes to disk devices (but allow /dev/null)
-		regexp.MustCompile(`\b(shutdown|reboot|poweroff)\b`),
-		regexp.MustCompile(`:\(\)\s*\{.*\};\s*:`),
-		regexp.MustCompile(`\$\([^)]+\)`),
-		regexp.MustCompile(`\$\{[^}]+\}`),
-		regexp.MustCompile("`[^`]+`"),
-		regexp.MustCompile(`\|\s*sh\b`),
-		regexp.MustCompile(`\|\s*bash\b`),
-		regexp.MustCompile(`;\s*rm\s+-[rf]`),
-		regexp.MustCompile(`&&\s*rm\s+-[rf]`),
-		regexp.MustCompile(`\|\|\s*rm\s+-[rf]`),
-		regexp.MustCompile(`>\s*/dev/null\s*>&?\s*\d?`),
-		regexp.MustCompile(`<<\s*EOF`),
-		regexp.MustCompile(`\$\(\s*cat\s+`),
-		regexp.MustCompile(`\$\(\s*curl\s+`),
-		regexp.MustCompile(`\$\(\s*wget\s+`),
-		regexp.MustCompile(`\$\(\s*which\s+`),
-		regexp.MustCompile(`\bsudo\b`),
-		regexp.MustCompile(`\bchmod\s+[0-7]{3,4}\b`),
-		regexp.MustCompile(`\bchown\b`),
-		regexp.MustCompile(`\bpkill\b`),
-		regexp.MustCompile(`\bkillall\b`),
-		regexp.MustCompile(`\bkill\s+-[9]\b`),
-		regexp.MustCompile(`\bcurl\b.*\|\s*(sh|bash)`),
-		regexp.MustCompile(`\bwget\b.*\|\s*(sh|bash)`),
-		regexp.MustCompile(`\bnpm\s+install\s+-g\b`),
-		regexp.MustCompile(`\bpip\s+install\s+--user\b`),
-		regexp.MustCompile(`\bapt\s+(install|remove|purge)\b`),
-		regexp.MustCompile(`\byum\s+(install|remove)\b`),
-		regexp.MustCompile(`\bdnf\s+(install|remove)\b`),
-		regexp.MustCompile(`\bdocker\s+run\b`),
-		regexp.MustCompile(`\bdocker\s+exec\b`),
-		regexp.MustCompile(`\bgit\s+push\b`),
-		regexp.MustCompile(`\bgit\s+force\b`),
-		regexp.MustCompile(`\bssh\b.*@`),
-		regexp.MustCompile(`\beval\b`),
-		regexp.MustCompile(`\bsource\s+.*\.sh\b`),
+	return NewExecToolWithConfig(workingDir, restrict, nil)
+}
+
+func NewExecToolWithConfig(workingDir string, restrict bool, config *config.Config) *ExecTool {
+	denyPatterns := make([]*regexp.Regexp, 0)
+
+	enableDenyPatterns := true
+	if config != nil {
+		execConfig := config.Tools.Exec
+		enableDenyPatterns = execConfig.EnableDenyPatterns
+		if enableDenyPatterns {
+			if len(execConfig.CustomDenyPatterns) > 0 {
+				fmt.Printf("Using custom deny patterns: %v\n", execConfig.CustomDenyPatterns)
+				for _, pattern := range execConfig.CustomDenyPatterns {
+					re, err := regexp.Compile(pattern)
+					if err != nil {
+						fmt.Printf("Invalid custom deny pattern %q: %v\n", pattern, err)
+						continue
+					}
+					denyPatterns = append(denyPatterns, re)
+				}
+			} else {
+				denyPatterns = append(denyPatterns, defaultDenyPatterns...)
+			}
+		} else {
+			// If deny patterns are disabled, we won't add any patterns, allowing all commands.
+			fmt.Println("Warning: deny patterns are disabled. All commands will be allowed.")
+		}
+	} else {
+		denyPatterns = append(denyPatterns, defaultDenyPatterns...)
 	}

 	return &ExecTool{