Centralized AST walker for consistent bash analysis #29
Merged
Replace scattered partial AST traversals with a single recursive walker that analyzes all bash constructs consistently.

Key changes:
- Add src/dippy/core/analyzer.py with unified analyze() entry point
- Remove duplicated traversal code from dippy.py (365 -> 90 lines)
- Config rules now reach inside compound commands (if/while/for/case)
- Process substitution properly analyzed (was silently allowed!)
- Function definitions analyzed (body checked for safety)
- Decisions bubble up correctly (deny > ask > allow)
- Unknown constructs default to ask (fail-safe)

Behavioral improvements:
- `deny rm -rf /*` now catches rm inside `if true; then rm -rf /; fi`
- `diff <(cat a) >(tee /etc/passwd)` now properly asks (inner cmd analyzed)
- Compound commands with safe contents are now approved
- Redirect reasons now show target path (more informative)

Also:
- Add `read` to SIMPLE_SAFE (shell builtin, reads from stdin)
- Handle Parable's `time` node type
- Strip quotes from word values consistently

All 9286 tests pass on Python 3.11-3.14.
- Pass tokens (sans env var prefixes) to handlers instead of words
- Add explicit "cmdsub injection risk" warning for pure cmdsubs in handler CLI argument positions
- Add regression tests for both issues
Summary
Replace scattered partial AST traversals with a single recursive walker that analyzes all bash constructs consistently.
Problem
The old code had multiple scattered functions that partially traversed the AST:
- extract_simple_commands
- has_output_redirect
- get_command_substitutions
- split_pipeline
- split_command_list

This led to inconsistent handling:
- >()) was silently allowed without checking inner commands

Solution
New src/dippy/core/analyzer.py with a single analyze() function that recursively walks the entire AST:

Key Improvements
- `if true; then rm -rf /; fi` → ask "if"; `deny rm -rf /*`
- `diff <(ls) >(tee /etc/passwd)` → allow
- `foo() { rm -rf /; }` → ask "foo()"
- `echo > file.txt` → "output redirect"

Changes
- src/dippy/core/analyzer.py (new file, ~350 lines)
- dippy.py from 617 to 286 lines
- `read` to SIMPLE_SAFE (shell builtin)
- `time` node type

Test Plan
- `just check` passes (lint, fmt, lock)
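
A minimal sketch of the walker design this PR describes, added here as an illustration and not taken from Dippy's analyzer.py: one recursive function over a toy dict-based AST, with decisions bubbling up as deny > ask > allow and unknown node kinds returning ask. The node shapes, the SAFE and DENY_PREFIXES values and the helper names are assumptions, not Parable's or Dippy's API.

```python
# Added illustration: a toy AST of dicts, not Parable's node types or Dippy's analyzer.
from enum import IntEnum

class Decision(IntEnum):
    ALLOW = 0
    ASK = 1
    DENY = 2  # ordering encodes deny > ask > allow, so max() bubbles up

SAFE = {"ls", "cat", "diff", "echo", "true", "read"}  # constructed allowlist
DENY_PREFIXES = [("rm", "-rf")]  # constructed stand-in for a `deny rm -rf /*` rule
CONTAINERS = {"list", "pipeline", "if", "while", "for", "case", "function", "procsub"}

def cmd(*argv, procsubs=()):
    return {"kind": "command", "argv": list(argv), "children": list(procsubs)}

def node(kind, *children):
    return {"kind": kind, "children": list(children)}

def analyze(n):
    """Return the most restrictive decision found anywhere under n."""
    kind = n.get("kind")
    if kind == "command":
        argv = tuple(n["argv"])
        if any(argv[:len(p)] == p for p in DENY_PREFIXES):
            own = Decision.DENY
        elif argv and argv[0] in SAFE:
            own = Decision.ALLOW
        else:
            own = Decision.ASK  # unrecognized command
    elif kind in CONTAINERS:
        own = Decision.ALLOW  # a container is only as risky as its contents
    else:
        return Decision.ASK  # unknown construct: fail safe, never allow
    # Recurse into every child, including process substitutions on a command.
    return max([own] + [analyze(c) for c in n["children"]])

def demo():
    """Run the walker over constructed ASTs for the commands named in the PR."""
    return {
        "if true; then rm -rf /; fi":
            analyze(node("if", cmd("true"), cmd("rm", "-rf", "/"))),
        "if true; then ls; fi":
            analyze(node("if", cmd("true"), cmd("ls"))),
        "diff <(cat a) >(tee /etc/passwd)":
            analyze(cmd("diff", procsubs=[node("procsub", cmd("cat", "a")),
                                          node("procsub", cmd("tee", "/etc/passwd"))])),
        "foo() { rm -rf /; }":
            analyze(node("function", cmd("rm", "-rf", "/"))),
        "unknown node kind":
            analyze(node("coproc", cmd("ls"))),
    }
```

Because every container kind funnels through the same recursion, a new construct cannot be silently allowed: until it is added to CONTAINERS it returns ask, even when its contents are safe.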