@poolzin/pool-bot 2026.3.21 → 2026.3.23

package/dist/infra/exec-approvals-security.js

@@ -0,0 +1,217 @@
+/**
+ * Exec Approvals Security Hardening
+ *
+ * Security fixes for exec approvals:
+ * - Wrapper detection (env, nice, nohup, bash -c)
+ * - Shell line continuation detection (\\\n)
+ * - Unicode invisible character escaping
+ */
+/**
+ * Known shell wrapper binaries that can be used to bypass approval checks
+ */
+const SHELL_WRAPPERS = new Set([
+    "env",
+    "nice",
+    "nohup",
+    "timeout",
+    "bash",
+    "sh",
+    "zsh",
+    "ksh",
+    "csh",
+    "tcsh",
+    "fish",
+    "dash",
+    "node",
+    "python",
+    "python3",
+    "perl",
+    "ruby",
+    "php",
+    "java",
+    "dotnet",
+    "mono",
+]);
+/**
+ * Unicode invisible/format characters that can be used for spoofing
+ */
+const INVISIBLE_UNICODE_RANGES = [
+    [0x0000, 0x001f], // C0 control characters
+    [0x007f, 0x009f], // Delete and C1 control
+    [0x00ad, 0x00ad], // Soft hyphen
+    [0x0600, 0x0605], // Arabic number signs
+    [0x061c, 0x061c], // Arabic letter mark
+    [0x06dd, 0x06dd], // Ayah
+    [0x070f, 0x070f], // Syriac abbreviation
+    [0x180e, 0x180e], // Mongolian vowel separator
+    [0x200b, 0x200f], // Zero-width chars
+    [0x2028, 0x202e], // Line/paragraph separators
+    [0x2060, 0x206f], // Invisible operators
+    [0xfeff, 0xfeff], // BOM/zero-width no-break space
+    [0xfff0, 0xfff8], // Specials
+    [0xd800, 0xdfff], // Surrogate pairs
+];
+/**
+ * Check if a character is an invisible/format Unicode character
+ */
+function isInvisibleUnicode(code) {
+    for (const [start, end] of INVISIBLE_UNICODE_RANGES) {
+        if (code >= start && code <= end) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Escape invisible Unicode characters in a string for safe display
+ *
+ * Security: Prevents spoofing of approval prompts via zero-width characters
+ */
+export function escapeInvisibleUnicode(text) {
+    let result = "";
+    for (const char of text) {
+        const code = char.codePointAt(0) ?? 0;
+        if (isInvisibleUnicode(code)) {
+            result += `\\u{${code.toString(16)}}`;
+        }
+        else {
+            result += char;
+        }
+    }
+    return result;
+}
+/**
+ * Detect shell line continuations (backslash-newline sequences)
+ *
+ * Security: Prevents bypass of command-substitution checks via line continuations
+ */
+export function hasShellLineContinuation(command) {
+    // Match backslash followed by newline (with optional carriage return)
+    return /\\\r?\n/.test(command);
+}
+/**
+ * Normalize shell line continuations by joining continued lines
+ *
+ * Security: Ensures continued commands are analyzed as single unit
+ */
+export function normalizeShellLineContinuations(command) {
+    return command.replace(/\\\r?\n/g, " ");
+}
+/**
+ * Detect if command uses a shell wrapper
+ */
+export function detectShellWrapper(command) {
+    const trimmed = command.trim();
+    if (!trimmed) {
+        return null;
+    }
+    // Extract first token (potential wrapper)
+    const firstTokenMatch = trimmed.match(/^(\S+)/);
+    if (!firstTokenMatch) {
+        return null;
+    }
+    const firstToken = firstTokenMatch[1];
+    const basename = firstToken.split("/").pop()?.toLowerCase() ?? "";
+    if (SHELL_WRAPPERS.has(basename)) {
+        return basename;
+    }
+    return null;
+}
+/**
+ * Unwrap shell wrapper to get inner command
+ *
+ * Security: Extract actual executable from wrapper for approval checking
+ */
+export function unwrapShellWrapper(command) {
+    const wrapper = detectShellWrapper(command);
+    if (!wrapper) {
+        return { wrapper: null, innerCommand: command, wasUnwrapped: false };
+    }
+    const trimmed = command.trim();
+    // Handle bash/sh -c "command" pattern
+    if (wrapper === "bash" || wrapper === "sh" || wrapper === "zsh" || wrapper === "ksh") {
+        const match = trimmed.match(/^(?:bash|sh|zsh|ksh)\s+(?:-[a-zA-Z]+\s+)?-c\s+(['"]?)(.+)\1/);
+        if (match) {
+            return { wrapper, innerCommand: match[2], wasUnwrapped: true };
+        }
+    }
+    // Handle env VAR=value command pattern
+    if (wrapper === "env") {
+        const match = trimmed.match(/^env\s+(?:[A-Za-z_][A-Za-z0-9_]*=\S+\s+)*(.+)$/);
+        if (match) {
+            return { wrapper, innerCommand: match[1], wasUnwrapped: true };
+        }
+    }
+    // Handle nice/timeout/nohup -n/command pattern
+    if (wrapper === "nice" || wrapper === "nohup" || wrapper === "timeout") {
+        const match = trimmed.match(/^(?:nice|nohup|timeout)\s+(?:-[a-zA-Z]+\s+\S+\s+|\S+\s+)?(.+)$/);
+        if (match) {
+            return { wrapper, innerCommand: match[1], wasUnwrapped: true };
+        }
+    }
+    // Generic wrapper: just remove first token
+    const parts = trimmed.split(/\s+/);
+    if (parts.length > 1) {
+        return { wrapper, innerCommand: parts.slice(1).join(" "), wasUnwrapped: true };
+    }
+    return { wrapper, innerCommand: command, wasUnwrapped: false };
+}
+/**
+ * Perform comprehensive security analysis on a command
+ *
+ * Security: Detects and normalizes various bypass attempts
+ */
+export function analyzeCommandSecurity(command) {
+    const issues = [];
+    // Check for line continuations
+    const hasLineContinuation = hasShellLineContinuation(command);
+    if (hasLineContinuation) {
+        issues.push("Shell line continuation detected (\\\n)");
+    }
+    // Normalize line continuations
+    const normalizedAfterContinuation = normalizeShellLineContinuations(command);
+    // Check for invisible Unicode
+    const hasInvisibleUnicode = normalizedAfterContinuation !== escapeInvisibleUnicode(normalizedAfterContinuation);
+    if (hasInvisibleUnicode) {
+        issues.push("Invisible Unicode characters detected");
+    }
+    // Escape invisible Unicode
+    const escapedCommand = escapeInvisibleUnicode(normalizedAfterContinuation);
+    // Detect and unwrap wrapper
+    const { wrapper, innerCommand, wasUnwrapped } = unwrapShellWrapper(escapedCommand);
+    if (wrapper) {
+        issues.push(`Shell wrapper detected: ${wrapper}`);
+    }
+    return {
+        originalCommand: command,
+        normalizedCommand: wasUnwrapped ? innerCommand : escapedCommand,
+        hasLineContinuation,
+        hasInvisibleUnicode,
+        escapedCommand,
+        wrapper,
+        unwrappedCommand: innerCommand,
+        wasUnwrapped,
+        securityIssues: issues,
+    };
+}
+/**
+ * Validate command for security issues before approval
+ *
+ * Returns null if command is safe, or error message if issues found
+ */
+export function validateCommandSecurity(command) {
+    const analysis = analyzeCommandSecurity(command);
+    // Fail closed on line continuations that can't be resolved
+    if (analysis.hasLineContinuation) {
+        return "Command contains shell line continuations (\\\n) which are not allowed for security reasons";
+    }
+    // Fail closed on invisible Unicode
+    if (analysis.hasInvisibleUnicode) {
+        return "Command contains invisible Unicode characters which are not allowed for security reasons";
+    }
+    // For wrappers, ensure we can resolve the inner command
+    if (analysis.wrapper && !analysis.wasUnwrapped) {
+        return `Unable to unwrap shell wrapper (${analysis.wrapper}) for security validation`;
+    }
+    return null;
+}

package/dist/infra/security/command-analyzer.js

@@ -0,0 +1,257 @@
+/**
+ * Command Analysis System
+ *
+ * Analyzes commands for security risks including:
+ * - Shell wrapper detection (sh -c, bash -c, etc.)
+ * - Dangerous command patterns (rm -rf, dd, etc.)
+ * - PATH traversal attempts
+ * - Command injection via arguments
+ */
+export class CommandAnalyzer {
+    SHELL_WRAPPERS = [
+        /^sh\s+-c\s+/i,
+        /^bash\s+-c\s+/i,
+        /^cmd\.exe\s+\/c\s+/i,
+        /^cmd\s+\/c\s+/i,
+        /^powershell\s+-c\s+/i,
+        /^powershell\.exe\s+-c\s+/i,
+        /^zsh\s+-c\s+/i,
+        /^ksh\s+-c\s+/i,
+        /^csh\s+-c\s+/i,
+        /^fish\s+-c\s+/i,
+    ];
+    DANGEROUS_COMMANDS = [
+        // Destructive file operations
+        { pattern: /rm\s+(-[rf]+\s+)+/i, reason: "Recursive/force delete", level: "critical" },
+        { pattern: /rm\s+-rf/i, reason: "Recursive force delete", level: "critical" },
+        {
+            pattern: /del\s+\/(f|q|s)/i,
+            reason: "Windows delete with force/quiet",
+            level: "critical",
+        },
+        { pattern: /format\s+/i, reason: "Disk format", level: "critical" },
+        { pattern: /mkfs/i, reason: "Create filesystem", level: "critical" },
+        { pattern: /dd\s+/i, reason: "Disk dump/clone", level: "critical" },
+        { pattern: /cipher\s+\/w/i, reason: "Windows secure delete", level: "critical" },
+        // Permission changes
+        { pattern: /chmod\s+777/i, reason: "World-writable permissions", level: "high" },
+        { pattern: /chmod\s+\+s/i, reason: "Setuid/setgid bit", level: "high" },
+        { pattern: /chown\s+root/i, reason: "Change owner to root", level: "high" },
+        { pattern: /icacls\s+.*\/grant/i, reason: "Windows ACL modification", level: "high" },
+        // Privilege escalation
+        { pattern: /sudo\s+/i, reason: "Sudo execution", level: "high" },
+        { pattern: /su\s+-/i, reason: "Su to root", level: "high" },
+        { pattern: /runas\s+/i, reason: "Windows runas", level: "high" },
+        { pattern: /pkexec\s+/i, reason: "Polkit execution", level: "high" },
+        // Remote code execution
+        {
+            pattern: /curl.*\|\s*(sh|bash|zsh)/i,
+            reason: "Curl pipe to shell",
+            level: "critical",
+        },
+        {
+            pattern: /wget.*\|\s*(sh|bash|zsh)/i,
+            reason: "Wget pipe to shell",
+            level: "critical",
+        },
+        {
+            pattern: /curl.*>\s*\/dev\/.*\|\s*(sh|bash)/i,
+            reason: "Curl to device pipe",
+            level: "critical",
+        },
+        // Process manipulation
+        { pattern: /kill\s+-9/i, reason: "Force kill", level: "medium" },
+        { pattern: /pkill\s+-9/i, reason: "Force kill by name", level: "medium" },
+        { pattern: /taskkill\s+\/f/i, reason: "Windows force kill", level: "medium" },
+        // Network operations
+        { pattern: /nc\s+-[le]/i, reason: "Netcat listener", level: "high" },
+        { pattern: /netcat\s+-[le]/i, reason: "Netcat listener", level: "high" },
+        { pattern: /socat\s+/i, reason: "Socket cat", level: "medium" },
+        // System modifications
+        { pattern: /mount\s+/i, reason: "Mount filesystem", level: "high" },
+        { pattern: /umount\s+/i, reason: "Unmount filesystem", level: "medium" },
+        { pattern: /fdisk\s+/i, reason: "Partition manipulation", level: "critical" },
+        { pattern: /parted\s+/i, reason: "Partition manipulation", level: "critical" },
+        // Credential access
+        { pattern: /cat\s+.*passwd/i, reason: "Read password file", level: "high" },
+        { pattern: /cat\s+.*shadow/i, reason: "Read shadow file", level: "critical" },
+        { pattern: /cat\s+.*\.ssh\//i, reason: "Read SSH keys", level: "high" },
+        {
+            pattern: /reg\s+query.*password/i,
+            reason: "Windows registry password query",
+            level: "high",
+        },
+    ];
+    INJECTION_PATTERNS = [
+        /\$\(/, // Command substitution
+        /`[^`]+`/, // Backtick command substitution
+        /\|/, // Pipe
+        /;/, // Command separator
+        /&&/, // AND operator
+        /\|\|/, // OR operator
+        />/, // Redirect
+        /</, // Input redirect
+        /\$/, // Variable expansion
+        /\\\\n/, // Newline injection
+        /\\\\r/, // Carriage return injection
+        /\\\\x00/, // Null byte
+        /\\\\0/, // Null byte alternate
+    ];
+    /**
+     * Analyze a command for security risks
+     */
+    analyze(command, args = []) {
+        const fullCommand = [command, ...args].join(" ");
+        const warnings = [];
+        // Check for shell wrappers
+        const wrapperMatch = this.SHELL_WRAPPERS.some((re) => re.test(fullCommand));
+        if (wrapperMatch) {
+            return {
+                isShellWrapper: true,
+                baseCommand: command,
+                actualCommand: fullCommand.replace(/^(sh|bash|cmd\.exe|cmd|powershell|powershell\.exe|zsh|ksh|csh|fish)\s+-c\s+/i, ""),
+                riskLevel: "high",
+                requiresApproval: true,
+                warnings: ["Shell wrapper detected - command will be executed by intermediate shell"],
+                blockedReason: undefined,
+            };
+        }
+        // Check for dangerous commands
+        for (const { pattern, reason, level } of this.DANGEROUS_COMMANDS) {
+            if (pattern.test(fullCommand)) {
+                return {
+                    isShellWrapper: false,
+                    baseCommand: command,
+                    actualCommand: fullCommand,
+                    riskLevel: level,
+                    requiresApproval: true,
+                    warnings: [`Dangerous pattern: ${reason}`],
+                    blockedReason: level === "critical" ? `Blocked: ${reason}` : undefined,
+                };
+            }
+        }
+        // Check for injection patterns in arguments
+        for (const arg of args) {
+            for (const pattern of this.INJECTION_PATTERNS) {
+                if (pattern.test(arg)) {
+                    warnings.push(`Potential injection in argument: ${arg.substring(0, 50)}`);
+                }
+            }
+        }
+        // Check for PATH traversal
+        if (command.includes("..") || command.startsWith("/")) {
+            warnings.push("PATH traversal detected");
+        }
+        // Determine risk level based on warnings
+        let riskLevel = "low";
+        if (warnings.length >= 3) {
+            riskLevel = "high";
+        }
+        else if (warnings.length >= 1) {
+            riskLevel = "medium";
+        }
+        return {
+            isShellWrapper: false,
+            baseCommand: command,
+            actualCommand: fullCommand,
+            riskLevel,
+            requiresApproval: riskLevel !== "low" || warnings.length > 0,
+            warnings,
+            blockedReason: undefined,
+        };
+    }
+    /**
+     * Check if command is a shell wrapper
+     */
+    isShellWrapper(command, args) {
+        const fullCommand = [command, ...args].join(" ");
+        return this.SHELL_WRAPPERS.some((re) => re.test(fullCommand));
+    }
+    /**
+     * Extract actual command from shell wrapper
+     */
+    extractActualCommand(command, args) {
+        const fullCommand = [command, ...args].join(" ");
+        return fullCommand.replace(/^(sh|bash|cmd\.exe|cmd|powershell|powershell\.exe|zsh|ksh|csh|fish)\s+-c\s+/i, "");
+    }
+    /**
+     * Validate arguments for injection attempts
+     */
+    validateArguments(args) {
+        const issues = [];
+        for (let i = 0; i < args.length; i++) {
+            const arg = args[i];
+            // Check for control characters
+            if (/[\n\r\t]/.test(arg) || arg.includes("\0")) {
+                issues.push(`Argument ${i} contains control characters`);
+            }
+            // Check for command substitution
+            if (/\$\(|`/.test(arg)) {
+                issues.push(`Argument ${i} contains command substitution`);
+            }
+            // Check for excessive length
+            if (arg.length > 10000) {
+                issues.push(`Argument ${i} exceeds length limit (${arg.length} chars)`);
+            }
+        }
+        return {
+            valid: issues.length === 0,
+            issues,
+        };
+    }
+}
+/**
+ * Path Sanitization Utilities
+ */
+export class PathSanitizer {
+    workspaceRoot;
+    constructor(workspaceRoot) {
+        this.workspaceRoot = require("path").resolve(workspaceRoot);
+    }
+    /**
+     * Sanitize a path to prevent directory traversal
+     */
+    sanitize(inputPath) {
+        const path = require("path");
+        // Resolve to absolute path
+        const resolved = path.resolve(inputPath);
+        // Check for path traversal
+        if (!resolved.startsWith(this.workspaceRoot)) {
+            throw new SecurityError(`Path ${inputPath} resolves to ${resolved}, which is outside workspace ${this.workspaceRoot}`);
+        }
+        // Normalize and remove redundant separators
+        const normalized = path.normalize(resolved);
+        // Check for null bytes
+        if (normalized.includes("\0")) {
+            throw new SecurityError("Path contains null byte");
+        }
+        return normalized;
+    }
+    /**
+     * Sanitize multiple arguments that might be paths
+     */
+    sanitizeArguments(args) {
+        return args.map((arg) => {
+            // Skip if not a path-like argument
+            if (!arg.startsWith("/") && !arg.startsWith("./") && !arg.startsWith("../")) {
+                return arg;
+            }
+            try {
+                return this.sanitize(arg);
+            }
+            catch {
+                // Return original if sanitization fails (will be caught by command analyzer)
+                return arg;
+            }
+        });
+    }
+}
+/**
+ * Custom error for security violations
+ */
+export class SecurityError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "SecurityError";
+    }
+}

package/dist/plugins/loader.js

@@ -191,23 +191,21 @@ function isTrackedByProvenance(params) {
     }
     return matchesPathMatcher(params.index.loadPathMatcher, sourcePath);
 }
-function warnWhenAllowlistIsOpen(params) {
-    if (!params.pluginsEnabled) {
-        return;
-    }
+function failClosedWhenAllowlistIsEmpty(params) {
     if (params.allow.length > 0) {
-        return;
+        return false;
     }
     const nonBundled = params.discoverablePlugins.filter((entry) => entry.origin !== "bundled");
     if (nonBundled.length === 0) {
-        return;
+        return false;
     }
     const preview = nonBundled
         .slice(0, 6)
         .map((entry) => `${entry.id} (${entry.source})`)
         .join(", ");
     const extra = nonBundled.length > 6 ? ` (+${nonBundled.length - 6} more)` : "";
-    params.logger.warn(`[plugins] plugins.allow is empty; discovered non-bundled plugins may auto-load: ${preview}${extra}. Set plugins.allow to explicit trusted ids.`);
+    params.logger.error(`[plugins] SECURITY: plugins.allow is empty; refusing to auto-load discovered non-bundled plugins: ${preview}${extra}. Set plugins.allow to explicit trusted ids to enable plugins.`);
+    return true;
 }
 function warnAboutUntrackedLoadedPlugins(params) {
     for (const plugin of params.registry.plugins) {
@@ -270,7 +268,7 @@ export function loadPoolBotPlugins(options = {}) {
         diagnostics: discovery.diagnostics,
     });
     pushDiagnostics(registry.diagnostics, manifestRegistry.diagnostics);
-    warnWhenAllowlistIsOpen({
+    const shouldFailClosed = failClosedWhenAllowlistIsEmpty({
         logger,
         pluginsEnabled: normalized.enabled,
         allow: normalized.allow,
@@ -280,6 +278,16 @@ export function loadPoolBotPlugins(options = {}) {
             origin: plugin.origin,
         })),
     });
+    if (shouldFailClosed) {
+        logger.error("[plugins] SECURITY: refusing to load plugins without explicit consent via plugins.allow");
+        const emptyRegistry = createPluginRegistry({
+            logger,
+            runtime,
+            coreGatewayHandlers: options.coreGatewayHandlers,
+        }).registry;
+        setActivePluginRegistry(emptyRegistry, cacheKey);
+        return emptyRegistry;
+    }
     const provenance = buildProvenanceIndex({
         config: cfg,
         normalizedLoadPaths: normalized.loadPaths,

package/dist/security/external-content.js

@@ -7,6 +7,11 @@ import { randomBytes } from "node:crypto";
  *
  * SECURITY: External content should NEVER be directly interpolated into
  * system prompts or treated as trusted instructions.
+ *
+ * SECURITY HARDENING (GHSA-external-content-markers):
+ * - Zero-width character stripping from boundary markers
+ * - Soft-hyphen character removal
+ * - Unicode format character escaping
  */
 /**
  * Patterns that may indicate prompt injection attempts.
@@ -110,8 +115,53 @@ function foldMarkerChar(char) {
     }
     return char;
 }
+/**
+ * Unicode invisible/format characters that can be used for spoofing boundary markers.
+ * GHSA-external-content-markers: Strip these to prevent marker bypass attacks.
+ */
+const INVISIBLE_UNICODE_RANGES = [
+    [0x0000, 0x001f], // C0 control characters
+    [0x007f, 0x009f], // Delete and C1 control
+    [0x00ad, 0x00ad], // Soft hyphen
+    [0x0600, 0x0605], // Arabic number signs
+    [0x061c, 0x061c], // Arabic letter mark
+    [0x06dd, 0x06dd], // Ayah
+    [0x070f, 0x070f], // Syriac abbreviation
+    [0x180e, 0x180e], // Mongolian vowel separator
+    [0x200b, 0x200f], // Zero-width chars
+    [0x2028, 0x202e], // Line/paragraph separators
+    [0x2060, 0x206f], // Invisible operators
+    [0xfeff, 0xfeff], // BOM/zero-width no-break space
+    [0xfff0, 0xfff8], // Specials
+    [0xd800, 0xdfff], // Surrogate pairs
+];
+/**
+ * Strip invisible Unicode characters from content.
+ *
+ * SECURITY: Prevents spoofing of boundary markers via zero-width characters.
+ * GHSA-external-content-markers
+ */
+function stripInvisibleUnicode(text) {
+    let result = "";
+    for (const char of text) {
+        const code = char.codePointAt(0) ?? 0;
+        let isInvisible = false;
+        for (const [start, end] of INVISIBLE_UNICODE_RANGES) {
+            if (code >= start && code <= end) {
+                isInvisible = true;
+                break;
+            }
+        }
+        if (!isInvisible) {
+            result += char;
+        }
+    }
+    return result;
+}
 function foldMarkerText(input) {
-    return input.replace(/[\uFF21-\uFF3A\uFF41-\uFF5A\uFF1C\uFF1E\u2329\u232A\u3008\u3009\u2039\u203A\u27E8\u27E9\uFE64\uFE65]/g, (char) => foldMarkerChar(char));
+    // SECURITY HARDENING: Strip invisible Unicode before folding
+    const stripped = stripInvisibleUnicode(input);
+    return stripped.replace(/[\uFF21-\uFF3A\uFF41-\uFF5A\uFF1C\uFF1E\u2329\u232A\u3008\u3009\u2039\u203A\u27E8\u27E9\uFE64\uFE65]/g, (char) => foldMarkerChar(char));
 }
 function replaceMarkers(content) {
     const folded = foldMarkerText(content);