mirror of
https://github.com/sipeed/picoclaw.git
synced 2026-06-12 18:08:54 +00:00
cb5d33124c
* fix(powershell): sec deny powershell encoding bypass via iex injection.

* fix(exec): security guard bypass fixes for PowerShell/CMD encoding and path traversal

- Split deny patterns into defaultDenyPatterns (all platforms) and windowsDenyPatterns (Windows-only) to avoid false positives
- Add PowerShell encoding bypass detection:
  - [Text.Encoding] and [System.Text.Encoding] variants
  - -EncodedCommand short forms (-e, -ec, -enc)
  - .GetString([byte[]] with whitespace variations
  - FromBase64String decoding
  - PowerShell variable = [byte[](...) patterns
  - Literal \uXXXX Unicode escape sequences
- Expand PowerShell ($env:VAR) and CMD (%VAR%) environment variables before workspace path checking to prevent $env:USERPROFILE bypass
- Expand ~ to home directory on Windows
- Add .../.../ path traversal variant detection (blocks .../.../, ..../..../)
- Add symlink/junction resolution before workspace check
- Add Windows path normalization for ADS (file.txt:stream) and extended-length paths (\?\)
- Add comprehensive tests for all new patterns

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(exec): fix -EncodedCommand regex and rename Windows tests with expanded payloads

- Fix -EncodedCommand regex to match all short forms: -e, -ec, -enc, -en
- Rename Windows-specific tests with TestWindows_ prefix for clarity:
  - TestWindows_TildeBypassPrevented
  - TestWindows_SymlinkBypassPrevented
  - TestWindows_PowerShellEncodingBypass
- Expand test payloads:
  - [Text.Encoding]: add UTF8 and Unicode variants
  - -EncodedCommand: add -enc and -en forms
  - Unicode escape: add multiple \uXXXX forms

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci: retest

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
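The guard logic the commit message describes, as an added Go example written for this page and not taken from picoclaw: a cross-platform defaultDenyPatterns set next to a Windows-only windowsDenyPatterns set, one regex per listed encoding bypass, $env:VAR and %VAR% expansion before the workspace check, ~ expansion, and stripping of the \\?\ extended-length prefix and an ADS suffix. The function names, signatures, pattern labels and the whitespace tokenisation of the command line are assumptions for illustration; symlink/junction resolution is left out because it needs a real filesystem; the commands mentioned below are constructed.

```go
package main

import (
	"path"
	"regexp"
	"strings"
)

type namedPattern struct {
	name string
	re   *regexp.Regexp
}

// Every platform: "..", "..." and "...." segments bounded by start/end, slash, quote or space.
var defaultDenyPatterns = []namedPattern{
	{"dot-traversal", regexp.MustCompile(`(^|[\s\\/"'])\.{2,}([\s\\/"']|$)`)},
}

// Windows only: PowerShell encoding tricks, kept apart so a Unix `grep -e ...` is not flagged.
var windowsDenyPatterns = []namedPattern{
	{"encoded-command", regexp.MustCompile(`(?i)(^|\s)-e(c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}`)},
	{"text-encoding", regexp.MustCompile(`(?i)\[\s*(System\.)?Text\.Encoding\s*\]`)},
	{"getstring-bytes", regexp.MustCompile(`(?i)\.GetString\s*\(\s*\[\s*byte\s*\[\s*\]\s*\]`)},
	{"from-base64", regexp.MustCompile(`(?i)FromBase64String\s*\(`)},
	{"byte-array-var", regexp.MustCompile(`\$\w+\s*=\s*\[\s*byte\s*\[\s*\]\s*\]`)},
	{"unicode-escape", regexp.MustCompile(`\\u[0-9A-Fa-f]{4}`)},
}

var psEnvRe = regexp.MustCompile(`(?i)\$env:([A-Za-z_][A-Za-z0-9_]*)`)
var cmdEnvRe = regexp.MustCompile(`%([A-Za-z_][A-Za-z0-9_]*)%`)

// ExpandEnv substitutes $env:VAR and %VAR% (names matched case-insensitively, as Windows
// does) so the workspace check sees the real path; unknown names are left untouched.
func ExpandEnv(cmd string, env map[string]string) string {
	upper := map[string]string{}
	for k, v := range env {
		upper[strings.ToUpper(k)] = v
	}
	for _, re := range []*regexp.Regexp{psEnvRe, cmdEnvRe} {
		cmd = re.ReplaceAllStringFunc(cmd, func(m string) string {
			if v, ok := upper[strings.ToUpper(re.FindStringSubmatch(m)[1])]; ok {
				return v
			}
			return m
		})
	}
	return cmd
}

// NormalizeWindowsPath strips the \\?\ extended-length prefix and an ADS suffix
// (file.txt:stream), expands ~ to home, and cleans the path using forward slashes.
func NormalizeWindowsPath(p, home string) string {
	p = strings.ReplaceAll(strings.TrimPrefix(p, `\\?\`), `\`, "/")
	if p == "~" || strings.HasPrefix(p, "~/") {
		p = strings.ReplaceAll(home, `\`, "/") + p[1:]
	}
	if i := strings.LastIndex(p, ":"); i > 1 { // a colon past the drive letter names a stream
		p = p[:i]
	}
	return path.Clean(p)
}

// InsideWorkspace compares normalised paths case-insensitively, as NTFS does.
func InsideWorkspace(p, workspace string) bool {
	p, workspace = strings.ToLower(p), strings.ToLower(strings.TrimSuffix(workspace, "/"))
	return p == workspace || strings.HasPrefix(p, workspace+"/")
}

// CheckCommand returns (allowed, reason). Deny patterns run first; on Windows every
// path-like token (whitespace split, a heuristic) is expanded, normalised and must sit inside workspace.
func CheckCommand(cmd string, isWindows bool, env map[string]string, home, workspace string) (bool, string) {
	pats := defaultDenyPatterns
	if isWindows {
		pats = append(append([]namedPattern(nil), pats...), windowsDenyPatterns...)
	}
	for _, p := range pats {
		if p.re.MatchString(cmd) {
			return false, "deny pattern " + p.name
		}
	}
	if !isWindows {
		return true, ""
	}
	ws := NormalizeWindowsPath(workspace, home)
	for _, tok := range strings.Fields(ExpandEnv(cmd, env)) {
		tok = strings.Trim(tok, `"'`)
		if !strings.ContainsAny(tok, `/\:`) && !strings.HasPrefix(tok, "~") {
			continue
		}
		np := NormalizeWindowsPath(tok, home)
		if (len(np) < 2 || np[1] != ':') && !strings.HasPrefix(np, "/") {
			np = path.Join(ws, np) // relative paths are resolved against the workspace
		}
		if !InsideWorkspace(np, ws) {
			return false, "path outside workspace: " + np
		}
	}
	return true, ""
}
```

With USERPROFILE set to C:\Users\alice and the workspace at C:\Users\alice\proj, CheckCommand on `type $env:USERPROFILE\.ssh\id_rsa` returns (false, "path outside workspace: C:/Users/alice/.ssh/id_rsa") because expansion happens before the check, `type \\?\C:\Windows\win.ini` and `type C:\Users\alice\secret.txt:stream` are refused once the prefix and stream suffix are stripped, while `type notes.txt:hidden` inside the workspace is allowed. The same `grep -e AAAAAAAAAAAA file.txt` is refused with isWindows=true and accepted with isWindows=false, which is the false positive the pattern split is meant to avoid.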