@zhongqian97-code/ecode 0.3.5 → 0.3.7

package/dist/index.js

@@ -258,8 +258,9 @@ var ALLOWLIST = [
   "date",
   "whoami",
   "which",
-  "env",
   "printenv"
+  // "env" 故意排除：env <CMD> 会执行任意子命令，不适合 allow 级别。
+  // 仅显示环境变量的 printenv 保留在白名单。
 ];
 var DEFAULT_DANGER_LIST = [
   "rm -rf",
@@ -284,7 +285,10 @@ var INDIRECT_EXEC_LIST = [
   "python3 -c",
   "node -e",
   "perl -e",
-  "ruby -e"
+  "ruby -e",
+  // eval 执行任意字符串作为 shell 命令，无论 payload 内容如何都视为危险。
+  // 与 xargs/python -c 的性质相同：执行能力本身就是风险。
+  "eval"
 ];
 function hasFindExec(cmd) {
   return /^find(\s|$)/.test(cmd) && /\s-exec(\s|$)/.test(cmd);
@@ -348,22 +352,70 @@ function splitByControlOps(cmd) {
 }
 function stripShellWrapper(cmd) {
   const trimmed = cmd.trim();
-  const dq = trimmed.match(/^(?:bash|sh)\s+-c\s+"((?:[^"\\]|\\.)*)"/);
-  if (dq) return dq[1];
-  const sq = trimmed.match(/^(?:bash|sh)\s+-c\s+'([^']*)'/);
-  if (sq) return sq[1];
-  const nq = trimmed.match(/^(?:bash|sh)\s+-c\s+(\S+)/);
-  if (nq) return nq[1];
+  const shellMatch = trimmed.match(/^(bash|sh)\s+([\s\S]*)/);
+  if (!shellMatch) return trimmed;
+  let rest = shellMatch[2];
+  let hasCFlag = false;
+  while (rest.length > 0) {
+    const flagMatch = rest.match(/^(-\w+)\s*([\s\S]*)/);
+    if (!flagMatch) break;
+    const flag = flagMatch[1];
+    rest = flagMatch[2];
+    if (flag.includes("c")) {
+      hasCFlag = true;
+      rest = rest.trimStart();
+      break;
+    }
+    rest = rest.trimStart();
+  }
+  if (!hasCFlag || !rest.length) return trimmed;
+  if (rest.startsWith('"')) {
+    const m = rest.match(/^"((?:[^"\\]|\\.)*)"/);
+    if (m) return m[1];
+  } else if (rest.startsWith("'")) {
+    const m = rest.match(/^'([^']*)'/);
+    if (m) return m[1];
+  } else {
+    const m = rest.match(/^(\S+)/);
+    if (m) return m[1];
+  }
+  return trimmed;
+}
+function stripEnvWrapper(cmd) {
+  const trimmed = cmd.trim();
+  if (!trimmed.startsWith("env ") && trimmed !== "env") return trimmed;
+  let rest = trimmed.slice(3).trimStart();
+  while (rest.length > 0) {
+    const assignMatch = rest.match(/^(\w+=\S*)\s*([\s\S]*)/);
+    if (!assignMatch) break;
+    rest = assignMatch[2].trimStart();
+  }
+  if (!rest.length) return trimmed;
+  return rest;
+}
+function stripCommandWrapper(cmd) {
+  const trimmed = cmd.trim();
+  const m = trimmed.match(/^command\s+([\s\S]+)/);
+  if (m) return m[1].trimStart();
   return trimmed;
 }
 function classifyCommand(cmd, dangerPatterns, _depth = 0) {
   const trimmed = cmd.trim();
   const patterns = dangerPatterns ?? DEFAULT_DANGER_LIST;
   if (_depth < 5) {
-    const inner = stripShellWrapper(trimmed);
-    if (inner !== trimmed) {
-      const innerClass = classifyCommand(inner.trim(), dangerPatterns, _depth + 1);
-      if (innerClass === "danger") return "danger";
+    const shellInner = stripShellWrapper(trimmed);
+    if (shellInner !== trimmed) {
+      if (classifyCommand(shellInner.trim(), dangerPatterns, _depth + 1) === "danger") return "danger";
+      return "normal";
+    }
+    const envInner = stripEnvWrapper(trimmed);
+    if (envInner !== trimmed) {
+      if (classifyCommand(envInner.trim(), dangerPatterns, _depth + 1) === "danger") return "danger";
+      return "normal";
+    }
+    const commandInner = stripCommandWrapper(trimmed);
+    if (commandInner !== trimmed) {
+      if (classifyCommand(commandInner.trim(), dangerPatterns, _depth + 1) === "danger") return "danger";
       return "normal";
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zhongqian97-code/ecode",
-  "version": "0.3.5",
+  "version": "0.3.7",
   "description": "A minimal Claude Code clone with REPL interface and bash tool calling",
   "type": "module",
   "author": "zhongqian97-code",