fix(policy): accept "shell"/"sh" as aliases for "bash" tool_id in policy rules #1891

Merged: bug-ops merged 3 commits into main from 1877-bug-policy-shell-tool-register on Mar 15, 2026

bug-ops commented Mar 15, 2026

Summary

  • ShellExecutor registers as tool_id="bash" but users intuitively write tool = "shell" in policy rules, causing silent mismatches — security-critical when default_effect = "allow"
  • Added resolve_tool_alias() in policy.rs mapping "bash"/"sh""shell"
  • Applied in both PolicyEnforcer::compile() (rule tool field) and evaluate() (runtime tool_name) so any combination of names works in both directions

Test plan

  • alias_shell_rule_matches_bash_tool_id — core bug: tool="shell" rule matches tool_id="bash"
  • alias_bash_rule_matches_bash_tool_id — regression: tool="bash" still works
  • alias_sh_rule_matches_bash_tool_id — tool="sh" also matches tool_id="bash"
  • alias_unknown_tool_unaffected — unknown tools pass through unchanged
  • Full policy suite: 42/42 pass
  • Full workspace: 5975/5975 pass (--features full)

Closes #1877

…icy rules

ShellExecutor registers itself as tool_id="bash" but users intuitively
write `tool = "shell"` in policy rules, causing silent mismatches.

Add resolve_tool_alias() in policy.rs and apply it in both compile()
(for rule tool field) and evaluate() (for runtime tool_name), so any
combination of "bash"/"shell"/"sh" works correctly in both directions.

Closes #1877
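
Added example (not code from this PR or the project): a minimal Rust sketch of the silent mismatch described above and of normalizing on both the rule side and the runtime side. The names `resolve_tool_alias`, `PolicyEnforcer`, `compile` and `evaluate` come from the PR text; their signatures, the `Rule`/`Effect` types, the `normalize` switch, the first-match semantics and the choice of canonical name are assumptions.

```rust
// Added illustration; not the project's policy.rs. Types and signatures are assumed.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Effect { Allow, Deny }

pub struct Rule { pub tool: String, pub effect: Effect }

/// Collapse every spelling of the shell tool onto one canonical name.
/// Which name is canonical is an arbitrary choice in this sketch.
pub fn resolve_tool_alias(name: &str) -> &str {
    match name {
        "bash" | "sh" | "shell" => "shell",
        other => other, // unknown tools pass through unchanged
    }
}

pub struct PolicyEnforcer {
    rules: Vec<Rule>,
    default_effect: Effect,
    normalize: bool, // false reproduces an exact string match with no aliasing
}

impl PolicyEnforcer {
    /// Normalize each rule's tool field once, when the policy is compiled.
    pub fn compile(rules: Vec<Rule>, default_effect: Effect, normalize: bool) -> Self {
        let rules: Vec<Rule> = rules.into_iter().map(|r| Rule {
            tool: if normalize { resolve_tool_alias(&r.tool).to_string() } else { r.tool },
            effect: r.effect,
        }).collect();
        Self { rules, default_effect, normalize }
    }

    /// Normalize the runtime tool name too, then take the first matching rule.
    pub fn evaluate(&self, tool_name: &str) -> Effect {
        let name = if self.normalize { resolve_tool_alias(tool_name) } else { tool_name };
        self.rules.iter().find(|r| r.tool == name).map(|r| r.effect)
            .unwrap_or(self.default_effect)
    }
}

/// Constructed case: a single deny rule written with `rule_tool`, default_effect = allow.
pub fn deny_rule_outcome(rule_tool: &str, runtime_tool_id: &str, normalize: bool) -> Effect {
    let rules = vec![Rule { tool: rule_tool.to_string(), effect: Effect::Deny }];
    PolicyEnforcer::compile(rules, Effect::Allow, normalize).evaluate(runtime_tool_id)
}

fn main() {
    println!("exact match:  {:?}", deny_rule_outcome("shell", "bash", false));
    println!("with aliases: {:?}", deny_rule_outcome("shell", "bash", true));
}
```

With an allow default, the exact-match run lets the call through even though a deny rule exists, which is why the mismatch is silent; normalizing only one side would leave the same gap for the other spelling.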

github-actions bot added the bug, documentation, rust and size/M labels and removed the bug label Mar 15, 2026
github-actions bot added the bug label Mar 15, 2026
bug-ops enabled auto-merge (squash) March 15, 2026 22:34
bug-ops merged commit b9d8e98 into main Mar 15, 2026
20 checks passed
bug-ops deleted the 1877-bug-policy-shell-tool-register branch March 15, 2026 22:47
bug-ops added a commit that referenced this pull request Mar 15, 2026
Both test sections coexist: symlink boundary check (this PR) and
tool alias resolution (main).

Development

Successfully merging this pull request may close these issues.

bug(policy): shell tool registers as tool_id='bash', not 'shell' — policy rules silently miss