Add wildcard support for shell deny/allow lists #5145
✅ Deploy Preview for auto-gpt-docs canceled.
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #5145 +/- ##
==========================================
+ Coverage 45.51% 50.73% +5.22%
==========================================
Files 139 128 -11
Lines 6530 5523 -1007
Branches 917 765 -152
==========================================
- Hits 2972 2802 -170
+ Misses 3408 2508 -900
- Partials 150 213 +63
This pull request has conflicts with the base branch, please resolve those so we can evaluate the pull request.
Conflicts have been resolved! 🎉 A maintainer will review the pull request shortly.
This Pull Request introduces an enhancement in the mechanism we use to control shell commands. Specifically, in the way we handle the allowlist and denylist of commands in the `config`.

The changes are as follows:

- A new process is introduced to identify shell commands in both the allowlist (shell_allowlist) and the denylist (shell_denylist) that contain wildcard characters (`*`, `[`, `]`, `?`). These identified commands are placed into two new lists: `wildcard_shell_allowlist` and `wildcard_shell_denylist`.
- The new logic first checks if there are any wildcard commands in the allowlist or denylist. If there are:
  - For allowlist control mechanism, it checks if the given command matches any pattern in the `wildcard_shell_allowlist`. If it does, it returns True, indicating this command is allowed to run. If not, it returns whether the command is in the non-wildcard allowlist.
  - For other mechanisms, it checks if the given command matches any pattern in the `wildcard_shell_denylist`. If it does, it returns False, indicating this command is forbidden. If not, it returns whether the command is not in the non-wildcard denylist.

This change aims to improve the flexibility of the shell command control.

For example, previously adding `npm start` to the deny list would have no effect. Since AG only looks at the first part of the `command` here, that would simply be `npm`, therefore a match would not happen, unless `npm` itself is banned completely, which is not desirable for things that do not require user interaction like `npm install`. After this PR you can add `npm start*` to the deny list; it detects the wildcard `*` character and it tries to match this item in the deny list against the entire `command`, not just the first part of it. So if the command were `npm start --abc` it would still be denied.

Example denylist in `.env`:

SHELL_DENYLIST=sudo,su,npm start*
PR Quality Checklist
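
A sketch of the matching logic the description above lays out, added here as an example and not the PR's own code. It assumes Python's `fnmatch.fnmatchcase` for pattern matching and `shlex.split` to take the first token; `split_wildcards`, `parse_list` and `is_allowed` are hypothetical names.

```python
import fnmatch
import shlex

WILDCARD_CHARS = set("*[]?")  # the wildcard characters listed in the PR description


def split_wildcards(entries):
    """Separate entries containing wildcard characters from plain command names."""
    wild = [e for e in entries if WILDCARD_CHARS & set(e)]
    plain = [e for e in entries if not (WILDCARD_CHARS & set(e))]
    return wild, plain


def parse_list(env_value):
    """Parse a comma-separated .env value such as SHELL_DENYLIST."""
    return [item.strip() for item in env_value.split(",") if item.strip()]


def is_allowed(command, mode, allowlist=(), denylist=()):
    """Return True if `command` may run under `mode` ("allowlist" or "denylist")."""
    command = command.strip()
    if not command:
        return False
    try:
        first = shlex.split(command)[0]  # assumption: first token is the program name
    except ValueError:
        return False  # unbalanced quotes: refuse rather than guess
    if mode == "allowlist":
        wild, plain = split_wildcards(allowlist)
        # wildcard entries are matched against the entire command string
        if any(fnmatch.fnmatchcase(command, p) for p in wild):
            return True
        return first in plain
    wild, plain = split_wildcards(denylist)
    if any(fnmatch.fnmatchcase(command, p) for p in wild):
        return False
    return first not in plain


# The .env example from the PR description
DENYLIST = parse_list("sudo,su,npm start*")
# Constructed allowlist for the allowlist mode
ALLOWLIST = ["ls", "git status*"]
```

Wildcard entries are compared with the whole command string while plain entries are compared only with its first token, so `npm start*` and `npm` in the same list have very different reach.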