@raolin2025/claude-code-node 1.0.0

package/src/security/bash-guard.js

@@ -0,0 +1,279 @@
+/**
+ * BashTool 命令安全检查
+ * 对应原版: src/tools/BashTool/bashSecurity.ts (2592行简化版)
+ *
+ * 防护:
+ * 1. 危险命令模式检测（rm -rf /、dd、mkfs 等）
+ * 2. cd + git 组合攻击（裸仓库 fsmonitor 绕过）
+ * 3. 管道注入（跨段 cd+git）
+ * 4. 反引号/命令替换注入
+ * 5. 网络数据外泄（curl/wget 到可疑地址）
+ * 6. 敏感文件访问（/etc/shadow、SSH 密钥）
+ */
+
+/**
+ * 危险命令模式列表
+ * 每个模式: { pattern, reason, severity }
+ * severity: 'critical' = 直接拒绝, 'high' = 需要确认, 'medium' = 提示
+ */
+const DANGEROUS_PATTERNS = [
+  // === 破坏性操作 ===
+  {
+    pattern: /\brm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?(-[a-zA-Z]*r[a-zA-Z]*\s+)?\/\s*$/,
+    reason: '递归删除根目录',
+    severity: 'critical',
+  },
+  {
+    pattern: /\brm\s+.*-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*.*\s\/[a-zA-Z]*/,
+    reason: '递归强制删除系统目录',
+    severity: 'critical',
+  },
+  {
+    pattern: /\bdd\s+if=.*of=\/dev\//,
+    reason: 'dd 写入设备文件',
+    severity: 'critical',
+  },
+  {
+    pattern: /\bmkfs\b/,
+    reason: '格式化文件系统',
+    severity: 'critical',
+  },
+  {
+    pattern: /\bformat\s+[A-Z]:/i,
+    reason: 'Windows 格式化磁盘',
+    severity: 'critical',
+  },
+  {
+    pattern: /:\(\)\{\s*:\|\:&\s*\}\s*;/,
+    reason: 'Fork bomb（fork 炸弹）',
+    severity: 'critical',
+  },
+  {
+    pattern: />\s*\/dev\/sda/,
+    reason: '直接写入块设备',
+    severity: 'critical',
+  },
+  {
+    pattern: /\bchmod\s+([0-7]{3,4}|[ugo]*[+-][rwx].*)\s+\/(etc|boot|usr)\b/,
+    reason: '修改系统目录权限',
+    severity: 'critical',
+  },
+
+  // === 敏感文件访问 ===
+  {
+    pattern: /\/etc\/(shadow|passwd|sudoers|ssh\/sshd_config)\b/,
+    reason: '访问敏感系统文件',
+    severity: 'high',
+  },
+  {
+    pattern: /~\/\.ssh\/(id_[a-z]+|authorized_keys|config)\b/,
+    reason: '访问 SSH 私钥/配置',
+    severity: 'high',
+  },
+  {
+    pattern: /\bcat\b.*\/etc\/shadow/,
+    reason: '读取 shadow 密码文件',
+    severity: 'critical',
+  },
+
+  // === 网络数据外泄 ===
+  {
+    pattern: /\bcurl\b.*\|\s*(bash|sh|zsh|fish)\b/,
+    reason: '从网络下载并执行脚本（curl | bash）',
+    severity: 'critical',
+  },
+  {
+    pattern: /\bwget\b.*\|\s*(bash|sh|zsh|fish)\b/,
+    reason: '从网络下载并执行脚本（wget | sh）',
+    severity: 'critical',
+  },
+  {
+    pattern: /\b(iex|Invoke-Expression)\b.*\b(Invoke-WebRequest|iwr|New-Object.*WebClient)\b/i,
+    reason: 'PowerShell 下载并执行',
+    severity: 'critical',
+  },
+  {
+    pattern: /\bpython[23]?\s+-c\s+.*import\s+(urllib|requests|http\.client|socket)/,
+    reason: 'Python 内联网络请求',
+    severity: 'high',
+  },
+
+  // === 提权/权限逃逸 ===
+  {
+    pattern: /\bsudo\s+su\b/,
+    reason: '切换到 root 用户',
+    severity: 'high',
+  },
+  {
+    pattern: /\bsudo\s+chmod\s+[0-7]{3,4}\s+\/(etc|usr|boot)\b/,
+    reason: 'sudo 修改系统目录权限',
+    severity: 'critical',
+  },
+  {
+    pattern: /\bpkexec\b/,
+    reason: 'PolicyKit 提权',
+    severity: 'high',
+  },
+
+  // === 容器/云逃逸 ===
+  {
+    pattern: /\bnsenter\b.*--target\s+1\b/,
+    reason: '容器 namespace 逃逸到 PID 1',
+    severity: 'critical',
+  },
+  {
+    pattern: /\/proc\/sys\/kernel\/core_pattern/,
+    reason: '修改 core_pattern（容器逃逸技术）',
+    severity: 'critical',
+  },
+  {
+    pattern: /\bdocker\s+(run|exec).*--privileged/,
+    reason: '启动特权容器',
+    severity: 'high',
+  },
+]
+
+/**
+ * 分段分析 — 检查跨管道段的 cd+git 组合
+ */
+function checkCrossSegmentCdGit(segments) {
+  let hasCd = false
+  let hasGit = false
+
+  for (const segment of segments) {
+    const trimmed = segment.trim()
+    // cd 检测
+    if (/^\bcd\s+/.test(trimmed) || /\&\&\s*cd\s+/.test(trimmed) || /\|\s*cd\s+/.test(trimmed)) {
+      hasCd = true
+    }
+    // git 检测
+    if (/\bgit\s+/.test(trimmed)) {
+      hasGit = true
+    }
+  }
+
+  if (hasCd && hasGit) {
+    return {
+      blocked: true,
+      reason: 'cd + git 组合命令：可能利用裸仓库 fsmonitor 绕过安全检查',
+    }
+  }
+
+  return { blocked: false }
+}
+
+/**
+ * 多 cd 命令检测 — 一个命令中多次 cd 容易混淆
+ */
+function checkMultipleCd(segments) {
+  let cdCount = 0
+  for (const segment of segments) {
+    const subCommands = segment.split(/\s*&&\s*|\s*;\s*/)
+    for (const sub of subCommands) {
+      if (/^\bcd\s+/.test(sub.trim())) cdCount++
+    }
+  }
+  if (cdCount > 1) {
+    return {
+      blocked: true,
+      reason: `一条命令中包含 ${cdCount} 次 cd，需要确认以避免混淆`,
+    }
+  }
+  return { blocked: false }
+}
+
+/**
+ * 分割复合命令为管道段
+ */
+function splitPipeSegments(command) {
+  // 简单分割 — 不处理引号内的 |
+  return command.split(/\s*\|\s*/).filter(s => s.trim())
+}
+
+/**
+ * 主安全检查入口
+ * @param {string} command — 要执行的 bash 命令
+ * @returns {{allowed: boolean, severity: string, reasons: string[]}}
+ */
+export function checkBashSafety(command) {
+  const reasons = []
+  let maxSeverity = 'none'
+
+  // 1. 危险模式匹配
+  for (const { pattern, reason, severity } of DANGEROUS_PATTERNS) {
+    if (pattern.test(command)) {
+      reasons.push(`[${severity.toUpperCase()}] ${reason}`)
+      if (severity === 'critical' || (severity === 'high' && maxSeverity !== 'critical')) {
+        maxSeverity = severity
+      }
+    }
+  }
+
+  // 2. 管道段分析
+  const segments = splitPipeSegments(command)
+
+  if (segments.length > 1) {
+    // 跨段 cd+git 检查
+    const cdGit = checkCrossSegmentCdGit(segments)
+    if (cdGit.blocked) {
+      reasons.push(`[HIGH] ${cdGit.reason}`)
+      if (maxSeverity !== 'critical') maxSeverity = 'high'
+    }
+  }
+
+  // 3. 多 cd 检测
+  const multiCd = checkMultipleCd(segments)
+  if (multiCd.blocked) {
+    reasons.push(`[MEDIUM] ${multiCd.reason}`)
+    if (maxSeverity === 'none') maxSeverity = 'medium'
+  }
+
+  // 4. 网络外泄检查 — curl/wget 到私有 IP
+  const netMatch = command.match(/\b(curl|wget)\s+.*?(https?:\/\/[^\s&|;]+)/g)
+  if (netMatch) {
+    for (const match of netMatch) {
+      const urlMatch = match.match(/(https?:\/\/[^\s&|;]+)/)
+      if (urlMatch) {
+        try {
+          const hostname = new URL(urlMatch[1]).hostname
+          // 简单的内网域名检查
+          if (/^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|169\.254\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.)/.test(hostname)) {
+            reasons.push(`[CRITICAL] curl/wget 到内网地址 ${hostname}，疑似数据外泄`)
+            maxSeverity = 'critical'
+          }
+        } catch { /* 无效 URL 忽略 */ }
+      }
+    }
+  }
+
+  // 5. 重定向到敏感位置
+  if (/>>?\s*\/(etc|boot|usr)\//.test(command)) {
+    reasons.push('[CRITICAL] 输出重定向到系统目录')
+    maxSeverity = 'critical'
+  }
+
+  return {
+    allowed: maxSeverity !== 'critical',
+    severity: maxSeverity,
+    reasons,
+  }
+}
+
+/**
+ * 格式化安全检查结果
+ */
+export function formatSafetyReport(result) {
+  if (result.allowed && result.reasons.length === 0) {
+    return '✅ 命令安全检查通过'
+  }
+
+  const lines = result.allowed
+    ? ['⚠️ 命令安全检查发现注意事项：']
+    : ['🚫 命令被安全策略阻止：']
+
+  for (const reason of result.reasons) {
+    lines.push(`  ${reason}`)
+  }
+
+  return lines.join('\n')
+}

package/src/security/enhanced-permission.js

@@ -0,0 +1,310 @@
+/**
+ * 权限系统增强版 — 规则持久化 + 审计日志
+ * 对应原版: src/hooks/toolPermission/ + src/utils/permissions/
+ */
+import { readFile, writeFile, mkdir } from 'fs/promises'
+import { resolve, join } from 'path'
+import { checkBashSafety } from './bash-guard.js'
+import { checkPathSafety, checkWritePathSafety } from './path-guard.js'
+import { checkUrlSafety } from './ssrf-guard.js'
+
+const PERMISSIONS_FILE = '.claude-code/permissions.json'
+const AUDIT_LOG_FILE = '.claude-code/audit.log'
+
+/**
+ * 权限决策类型
+ */
+export const PermissionDecision = {
+  ALLOW: 'allow',
+  DENY: 'deny',
+  ASK: 'ask',
+}
+
+/**
+ * 工具权限规则
+ */
+export class PermissionRule {
+  constructor({ tool, pattern, decision, reason, expiresAt = null }) {
+    this.tool = tool          // 工具名或 '*'（所有工具）
+    this.pattern = pattern    // 匹配模式（glob 或 regex 字符串）
+    this.decision = decision  // allow / deny / ask
+    this.reason = reason      // 规则原因
+    this.createdAt = Date.now()
+    this.expiresAt = expiresAt // 过期时间（会话级规则）
+  }
+
+  /** 检查规则是否已过期 */
+  get isExpired() {
+    return this.expiresAt && Date.now() > this.expiresAt
+  }
+
+  /** 检查输入是否匹配此规则 */
+  matches(input) {
+    if (this.isExpired) return false
+
+    // 简单 glob 匹配
+    const pattern = this.pattern
+    if (pattern === '*') return true
+
+    // 路径模式
+    if (typeof input === 'string' && input.includes('/')) {
+      return this._globMatch(pattern, input)
+    }
+
+    // 命令模式
+    if (typeof input === 'string') {
+      return input.startsWith(pattern) || this._globMatch(pattern, input)
+    }
+
+    return false
+  }
+
+  _globMatch(pattern, str) {
+    const regex = pattern
+      .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+      .replace(/\*/g, '.*')
+      .replace(/\?/g, '.')
+    return new RegExp(`^${regex}$`).test(str)
+  }
+}
+
+/**
+ * 增强版权限检查器
+ */
+export class EnhancedPermissionChecker {
+  constructor(mode = 'ask', options = {}) {
+    this.mode = mode
+    this.rules = []            // PermissionRule 列表
+    this.auditLog = []         // 审计日志
+    this.cwd = options.cwd || process.cwd()
+    this.projectDir = options.projectDir || process.cwd()
+    this._maxAuditEntries = 1000
+  }
+
+  /** 添加规则 */
+  addRule(rule) {
+    this.rules.push(new PermissionRule(rule))
+    return this
+  }
+
+  /** 移除过期规则 */
+  cleanupRules() {
+    this.rules = this.rules.filter(r => !r.isExpired)
+  }
+
+  /** 添加会话级允许规则（当前会话有效） */
+  allowForSession(tool, pattern = '*') {
+    return this.addRule({
+      tool,
+      pattern,
+      decision: PermissionDecision.ALLOW,
+      reason: '用户会话级授权',
+      expiresAt: null, // 会话级不过期，但可以手动清除
+    })
+  }
+
+  /** 添加永久拒绝规则 */
+  deny(tool, pattern = '*', reason = '') {
+    return this.addRule({
+      tool,
+      pattern,
+      decision: PermissionDecision.DENY,
+      reason,
+    })
+  }
+
+  /**
+   * 综合权限检查
+   * @param {string} toolName — 工具名
+   * @param {object} input — 工具输入参数
+   * @returns {Promise<{allowed: boolean, reason?: string, securityCheck?: object}>}
+   */
+  async check(toolName, input = {}) {
+    // 1. 模式级检查
+    if (this.mode === 'deny') {
+      this._log(toolName, input, false, '全局拒绝模式')
+      return { allowed: false, reason: '全局拒绝模式' }
+    }
+    if (this.mode === 'always-allow') {
+      const securityResult = await this._securityCheck(toolName, input)
+      if (!securityResult.safe) {
+        this._log(toolName, input, false, securityResult.reason)
+        return { allowed: false, reason: securityResult.reason, securityCheck: securityResult }
+      }
+      this._log(toolName, input, true, '全局允许模式')
+      return { allowed: true }
+    }
+
+    // 2. 规则匹配
+    this.cleanupRules()
+    for (const rule of this.rules) {
+      if (rule.tool === toolName || rule.tool === '*') {
+        if (rule.matches(this._extractPattern(toolName, input))) {
+          if (rule.decision === PermissionDecision.DENY) {
+            this._log(toolName, input, false, `规则拒绝: ${rule.reason}`)
+            return { allowed: false, reason: rule.reason }
+          }
+          if (rule.decision === PermissionDecision.ALLOW) {
+            // 即使规则允许，也要过安全检查
+            const securityResult = await this._securityCheck(toolName, input)
+            if (!securityResult.safe) {
+              this._log(toolName, input, false, securityResult.reason)
+              return { allowed: false, reason: securityResult.reason, securityCheck: securityResult }
+            }
+            this._log(toolName, input, true, `规则允许: ${rule.reason}`)
+            return { allowed: true }
+          }
+        }
+      }
+    }
+
+    // 3. 安全检查（在 ask 之前）
+    const securityResult = await this._securityCheck(toolName, input)
+    if (!securityResult.safe) {
+      this._log(toolName, input, false, securityResult.reason)
+      return { allowed: false, reason: securityResult.reason, securityCheck: securityResult }
+    }
+
+    // 4. ask 模式 — 需要用户确认
+    this._log(toolName, input, true, 'ask 模式 — 等待用户确认')
+    return {
+      allowed: true, // 简化版直接允许（完整版应弹出确认对话框）
+      securityCheck: securityResult,
+    }
+  }
+
+  /**
+   * 内部安全检查 — 工具特定的安全逻辑
+   */
+  async _securityCheck(toolName, input) {
+    switch (toolName) {
+      case 'Bash': {
+        const command = input.command || ''
+        if (!command) return { safe: true }
+        const result = checkBashSafety(command)
+        return {
+          safe: result.allowed,
+          reason: result.reasons.length > 0 ? result.reasons.join('; ') : undefined,
+          detail: result,
+        }
+      }
+
+      case 'Read': {
+        const filePath = input.file_path || ''
+        if (!filePath) return { safe: true }
+        const result = checkPathSafety(filePath, { cwd: this.cwd })
+        return {
+          safe: result.safe,
+          reason: result.reasons.length > 0 ? result.reasons.join('; ') : undefined,
+          detail: result,
+        }
+      }
+
+      case 'Edit':
+      case 'Write': {
+        const filePath = input.file_path || ''
+        if (!filePath) return { safe: true }
+        const checker = toolName === 'Write' ? checkWritePathSafety : checkPathSafety
+        const result = checker(filePath, { cwd: this.cwd })
+        return {
+          safe: result.safe,
+          reason: result.reasons.length > 0 ? result.reasons.join('; ') : undefined,
+          detail: result,
+        }
+      }
+
+      case 'WebFetch': {
+        const url = input.url || ''
+        if (!url) return { safe: true }
+        const result = await checkUrlSafety(url)
+        return {
+          safe: result.allowed,
+          reason: result.reason,
+        }
+      }
+
+      default:
+        return { safe: true }
+    }
+  }
+
+  /** 提取规则匹配用的模式字符串 */
+  _extractPattern(toolName, input) {
+    switch (toolName) {
+      case 'Bash': return input.command || ''
+      case 'Read':
+      case 'Edit':
+      case 'Write': return input.file_path || ''
+      case 'Glob':
+      case 'Grep': return input.path || input.pattern || ''
+      case 'WebFetch':
+      case 'WebSearch': return input.url || input.query || ''
+      default: return JSON.stringify(input)
+    }
+  }
+
+  /** 审计日志记录 */
+  _log(toolName, input, allowed, reason) {
+    this.auditLog.push({
+      timestamp: new Date().toISOString(),
+      tool: toolName,
+      inputSnippet: JSON.stringify(input).slice(0, 200),
+      allowed,
+      reason,
+    })
+
+    // 限制审计日志大小
+    if (this.auditLog.length > this._maxAuditEntries) {
+      this.auditLog = this.auditLog.slice(-this._maxAuditEntries)
+    }
+  }
+
+  /** 保存权限规则到文件 */
+  async saveRules() {
+    const dir = join(this.projectDir, '.claude-code')
+    await mkdir(dir, { recursive: true })
+    const data = this.rules
+      .filter(r => !r.isExpired && !r.expiresAt) // 只保存永久规则
+      .map(r => ({
+        tool: r.tool,
+        pattern: r.pattern,
+        decision: r.decision,
+        reason: r.reason,
+      }))
+    await writeFile(join(dir, 'permissions.json'), JSON.stringify(data, null, 2), 'utf-8')
+  }
+
+  /** 加载权限规则 */
+  async loadRules() {
+    try {
+      const raw = await readFile(join(this.projectDir, PERMISSIONS_FILE), 'utf-8')
+      const data = JSON.parse(raw)
+      for (const rule of data) {
+        this.addRule(rule)
+      }
+    } catch {
+      // 文件不存在 — 使用默认规则
+    }
+  }
+
+  /** 保存审计日志 */
+  async saveAuditLog() {
+    const dir = join(this.projectDir, '.claude-code')
+    await mkdir(dir, { recursive: true })
+    const lines = this.auditLog.map(e =>
+      `${e.timestamp} | ${e.tool} | ${e.allowed ? 'ALLOW' : 'DENY'} | ${e.reason} | ${e.inputSnippet}`
+    ).join('\n')
+    await writeFile(join(dir, 'audit.log'), lines, 'utf-8')
+  }
+
+  /** 获取审计摘要 */
+  getAuditSummary() {
+    const summary = { total: this.auditLog.length, allowed: 0, denied: 0, byTool: {} }
+    for (const entry of this.auditLog) {
+      if (entry.allowed) summary.allowed++
+      else summary.denied++
+      summary.byTool[entry.tool] = (summary.byTool[entry.tool] || 0) + 1
+    }
+    return summary
+  }
+}

package/src/security/index.js

@@ -0,0 +1,7 @@
+/**
+ * 安全模块统一导出
+ */
+export { isBlockedAddress, checkHostSafety, checkUrlSafety } from './ssrf-guard.js'
+export { checkBashSafety, formatSafetyReport } from './bash-guard.js'
+export { sanitizePath, checkPathTraversal, checkForbiddenPath, checkPathSafety, checkWritePathSafety } from './path-guard.js'
+export { EnhancedPermissionChecker, PermissionRule, PermissionDecision } from './enhanced-permission.js'