safe-rm 3.1.5 → 3.2.0

package/README.md

@@ -161,6 +161,31 @@ export SAFE_RM_TRASH=/path/to/trash
 export SAFE_RM_PERM_DEL_FILES_IN_TRASH=yes
 ```
 
+### Restrict Removals To A Safe Directory Scope
+
+```sh
+export SAFE_RM_SCOPE="$HOME"
+```
+
+When `SAFE_RM_SCOPE` is set, `safe-rm` only removes targets under that directory.
+Targets outside the configured scope will be skipped and reported as unsafe.
+
+For example:
+
+```sh
+export SAFE_RM_SCOPE="$HOME"
+safe-rm -rf /
+# rm: target '/' skipped, unsafe directory scope
+```
+
+You could also use a relative scope such as `.`:
+
+```sh
+SAFE_RM_SCOPE=. safe-rm -rf ./foo
+SAFE_RM_SCOPE=. safe-rm -rf ../
+# rm: target '../' skipped, unsafe directory scope
+```
+
 ### Protect Files And Directories From Deleting
 
 If you want to protect some certain files or directories from deleting by mistake, you could create a `.gitignore` file under the `"~/.safe-rm/"` directory, you could write [.gitignore rules](https://git-scm.com/docs/gitignore) inside the file.

package/bin/rm.sh

@@ -20,10 +20,21 @@ fi
 # ```
 SAFE_RM_CONFIG=${SAFE_RM_CONFIG:="$SAFE_RM_CONFIG_ROOT/config"}
 
+SAFE_RM_SCOPE_ENV_DEFINED=
+SAFE_RM_SCOPE_ENV_VALUE=
+if [[ ${SAFE_RM_SCOPE+x} ]]; then
+  SAFE_RM_SCOPE_ENV_DEFINED=1
+  SAFE_RM_SCOPE_ENV_VALUE=$SAFE_RM_SCOPE
+fi
+
 if [[ -f "$SAFE_RM_CONFIG" ]]; then
   source "$SAFE_RM_CONFIG"
 fi
 
+if [[ -n "$SAFE_RM_SCOPE_ENV_DEFINED" ]]; then
+  SAFE_RM_SCOPE=$SAFE_RM_SCOPE_ENV_VALUE
+fi
+
 # Print debug info or not
 SAFE_RM_DEBUG=${SAFE_RM_DEBUG:=}
 
@@ -351,6 +362,8 @@ check_return_status(){
 remove(){
   local file=$1
 
+  ensure_safe_scope "$file" || return 1
+
   # if is dir
   if [[ -d "$file" && ! -L "$file" ]]; then
 
@@ -492,9 +505,56 @@ do_trash(){
 get_absolute_path(){
   local dir
   local base
-  dir=$(cd "$(dirname -- "$1")" && pwd)
+  if [[ "$1" == "/" ]]; then
+    printf '/\n'
+    return
+  fi
+
+  dir=$(cd "$(dirname -- "$1")" && pwd) || return 1
   base=$(basename -- "$1")
-  printf '%s/%s\n' "$dir" "$base"
+
+  case "$base" in
+    .)
+      printf '%s\n' "$dir"
+      ;;
+
+    ..)
+      dir=$(cd "$dir/.." && pwd) || return 1
+      printf '%s\n' "$dir"
+      ;;
+
+    *)
+      printf '%s/%s\n' "$dir" "$base"
+      ;;
+  esac
+}
+
+
+expand_home_path(){
+  case $1 in
+    "~")
+      printf '%s\n' "$HOME"
+      ;;
+
+    "~/"*)
+      printf '%s/%s\n' "$HOME" "${1#~/}"
+      ;;
+
+    *)
+      printf '%s\n' "$1"
+      ;;
+  esac
+}
+
+
+resolve_directory_path(){
+  local path
+  path=$(expand_home_path "$1")
+
+  (
+    cd "$path" &> /dev/null || exit 1
+    pwd
+  )
 }
 
 
@@ -535,6 +595,44 @@ is_in_trash(){
 }
 
 
+SAFE_RM_SCOPE_ROOT=
+init_safe_rm_scope(){
+  if [[ -z "$SAFE_RM_SCOPE" ]]; then
+    return 0
+  fi
+
+  SAFE_RM_SCOPE_ROOT=$(resolve_directory_path "$SAFE_RM_SCOPE") || {
+    error "$COMMAND: invalid SAFE_RM_SCOPE '$SAFE_RM_SCOPE': not an existing directory"
+    return 1
+  }
+
+  debug "$LINENO: safe rm scope enabled: $SAFE_RM_SCOPE_ROOT"
+}
+
+
+is_in_scope(){
+  local target_abs
+
+  if [[ -z "$SAFE_RM_SCOPE_ROOT" ]]; then
+    return 0
+  fi
+
+  target_abs=$(get_absolute_path "$1") || return 1
+
+  [[ "$target_abs" == "$SAFE_RM_SCOPE_ROOT" || "$target_abs" == "$SAFE_RM_SCOPE_ROOT"/* ]]
+}
+
+
+ensure_safe_scope(){
+  if is_in_scope "$1"; then
+    return 0
+  fi
+
+  error "$COMMAND: target '$1' skipped, unsafe directory scope"
+  return 1
+}
+
+
 # Returns
 # - 0: the target is protected
 # - 1: the target is not protected
@@ -806,6 +904,8 @@ list_files(){
 # debug: get $FILE_NAME array length
 debug "$LINENO: ${#FILE_NAME[@]} files or directory to process: ${FILE_NAME[@]}"
 
+init_safe_rm_scope || do_exit $LINENO 1
+
 # test remove interactive_once: ask for 3 or more files or with recursive option
 if [[ (${#FILE_NAME[@]} > 3 || $OPT_RECURSIVE == 1) && $OPT_INTERACTIVE_ONCE == 1 ]]; then
   echo -n "$COMMAND: remove all arguments? "
@@ -821,6 +921,11 @@ fi
 for file in "${FILE_NAME[@]}"; do
   debug "$LINENO: result file $file"
 
+  if ! ensure_safe_scope "$file"; then
+    EXIT_CODE=1
+    continue
+  fi
+
   if [[ $file == "/" ]]; then
     error "it is dangerous to operate recursively on /"
     error "are you insane?"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "safe-rm",
-  "version": "3.1.5",
+  "version": "3.2.0",
   "description": "A much safer replacement of bash rm with nearly full functionalities and options of the rm command!",
   "bin": {
     "safe-rm": "./bin/rm.sh"

package/test/cases.js

@@ -402,6 +402,149 @@ module.exports = (
     ])
   })
 
+  !is_rm(type) && test(`scope "." allows removing targets under cwd only`, async t => {
+    const {
+      root,
+      source_path,
+      createDir,
+      createFile,
+      runRm,
+      pathExists
+    } = t.context
+
+    const trash = await createDir({
+      name: 'scope-trash-dot',
+      under: root
+    })
+
+    const cwd = await createDir({
+      name: 'scope-cwd',
+      under: source_path
+    })
+
+    const inside = await createDir({
+      name: 'foo',
+      under: cwd
+    })
+
+    await createFile({
+      name: 'bar',
+      under: inside
+    })
+
+    const resultInside = await runRm(['-rf', 'foo'], {
+      cwd,
+      env: {
+        SAFE_RM_SCOPE: '.',
+        SAFE_RM_TRASH: trash
+      }
+    })
+
+    assertEmptySuccess(t, resultInside)
+    t.false(await pathExists(inside), 'in-scope target should be removed')
+
+    const resultOutside = await runRm(['-rf', '../'], {
+      cwd,
+      env: {
+        SAFE_RM_SCOPE: '.',
+        SAFE_RM_TRASH: trash
+      }
+    })
+
+    t.is(resultOutside.code, 1, 'out-of-scope target should fail')
+    t.true(resultOutside.stderr.includes('unsafe directory scope'))
+    t.true(await pathExists(source_path), 'parent directory should remain')
+  })
+
+  !is_rm(type) && test(`scope "~" expands HOME and blocks targets outside home`, async t => {
+    const {
+      root,
+      createDir,
+      createFile,
+      runRm,
+      pathExists
+    } = t.context
+
+    const home = await createDir({
+      name: 'scope-home',
+      under: root
+    })
+
+    const trash = await createDir({
+      name: 'scope-trash-home',
+      under: root
+    })
+
+    const inside = await createFile({
+      name: 'inside-home',
+      under: home
+    })
+
+    const outside = await createFile({
+      name: 'outside-home'
+    })
+
+    const env = {
+      HOME: home,
+      SAFE_RM_SCOPE: '~',
+      SAFE_RM_TRASH: trash
+    }
+
+    const resultInside = await runRm([inside], {
+      env
+    })
+
+    assertEmptySuccess(t, resultInside)
+    t.false(await pathExists(inside), 'home-scoped target should be removed')
+
+    const resultOutside = await runRm([outside], {
+      env
+    })
+
+    t.is(resultOutside.code, 1, 'target outside home scope should fail')
+    t.true(resultOutside.stderr.includes('unsafe directory scope'))
+    t.true(await pathExists(outside), 'out-of-scope file should remain')
+  })
+
+  !is_rm(type) && test(`scope checks symlink path instead of symlink target`, async t => {
+    const {
+      root,
+      createDir,
+      createFile,
+      runRm,
+      pathExists
+    } = t.context
+
+    const trash = await createDir({
+      name: 'scope-trash-link',
+      under: root
+    })
+
+    const cwd = await createDir({
+      name: 'scope-link-cwd',
+      under: root
+    })
+
+    const outsideTarget = await createFile({
+      name: 'scope-link-target'
+    })
+
+    const link = path.join(cwd, 'scope-link')
+    await fs.symlink(outsideTarget, link)
+
+    const result = await runRm(['scope-link'], {
+      cwd,
+      env: {
+        SAFE_RM_SCOPE: '.',
+        SAFE_RM_TRASH: trash
+      }
+    })
+
+    assertEmptySuccess(t, result)
+    t.false(await pathExists(link), 'symlink should be removed')
+    t.true(await pathExists(outsideTarget), 'symlink target should remain')
+  })
+
   !is_rm(type) && !is_as(type) && test(`-I only prompts for more than three files`, async t => {
     const {
       createFile,