safe-rm 3.1.5 → 3.3.0

package/.github/workflows/nodejs.yml

@@ -23,5 +23,6 @@ jobs:
         npm install
         npm run build --if-present
         npm run test:dev
+        npm run test:mock-linux
       env:
         CI: true

package/README.md

@@ -161,6 +161,51 @@ export SAFE_RM_TRASH=/path/to/trash
 export SAFE_RM_PERM_DEL_FILES_IN_TRASH=yes
 ```
 
+### Restrict Removals To A Safe Directory Scope
+
+```sh
+export SAFE_RM_SCOPE="$HOME"
+```
+
+When `SAFE_RM_SCOPE` is set, `safe-rm` only removes targets under that directory.
+Targets outside the configured scope will be skipped and reported as unsafe.
+
+For example:
+
+```sh
+SAFE_RM_SCOPE="$HOME" safe-rm -rf /
+# rm: target '/' skipped, unsafe directory scope
+```
+
+You could also use a relative scope such as `.`:
+
+```sh
+SAFE_RM_SCOPE=. safe-rm -rf ./foo
+SAFE_RM_SCOPE=. safe-rm -rf ../
+# rm: target '../' skipped, unsafe directory scope
+```
+
+### Honor Options After Operands (`rm dir -rf`)
+
+GNU `rm` (most Linux distros) accepts options anywhere on the command line, so `rm dir -rf` works like `rm -rf dir`. BSD `rm` (MacOS) does not — it stops parsing options at the first operand and would treat `-rf` as a filename.
+
+By default, `safe-rm` mirrors the host's real `rm`:
+
+- On Linux: options after operands are parsed as flags (GNU style).
+- On MacOS: options after operands are treated as filenames (BSD style).
+
+To override the auto-detection (e.g. on Alpine/BusyBox where `rm` does not permute):
+
+```sh
+# Force GNU-style permutation
+export SAFE_RM_OPTIONS_ANYWHERE=yes
+
+# Force BSD-style strict ordering
+export SAFE_RM_OPTIONS_ANYWHERE=no
+```
+
+`--` always terminates option parsing in either mode.
+
 ### Protect Files And Directories From Deleting
 
 If you want to protect some certain files or directories from deleting by mistake, you could create a `.gitignore` file under the `"~/.safe-rm/"` directory, you could write [.gitignore rules](https://git-scm.com/docs/gitignore) inside the file.

package/bin/rm.sh

@@ -20,10 +20,21 @@ fi
 # ```
 SAFE_RM_CONFIG=${SAFE_RM_CONFIG:="$SAFE_RM_CONFIG_ROOT/config"}
 
+SAFE_RM_SCOPE_ENV_DEFINED=
+SAFE_RM_SCOPE_ENV_VALUE=
+if [[ ${SAFE_RM_SCOPE+x} ]]; then
+  SAFE_RM_SCOPE_ENV_DEFINED=1
+  SAFE_RM_SCOPE_ENV_VALUE=$SAFE_RM_SCOPE
+fi
+
 if [[ -f "$SAFE_RM_CONFIG" ]]; then
   source "$SAFE_RM_CONFIG"
 fi
 
+if [[ -n "$SAFE_RM_SCOPE_ENV_DEFINED" ]]; then
+  SAFE_RM_SCOPE=$SAFE_RM_SCOPE_ENV_VALUE
+fi
+
 # Print debug info or not
 SAFE_RM_DEBUG=${SAFE_RM_DEBUG:=}
 
@@ -79,6 +90,25 @@ else
 fi
 
 
+# Whether to honor options after the first operand (`rm dir -rf`).
+# Defaults to auto: enabled on Linux, disabled on MacOS. yes|no to override.
+case ${SAFE_RM_OPTIONS_ANYWHERE:0:1} in
+  [yY])
+    OPTIONS_ANYWHERE=1
+    ;;
+  [nN])
+    OPTIONS_ANYWHERE=
+    ;;
+  *)
+    if [[ "$OS_TYPE" == "Linux" ]]; then
+      OPTIONS_ANYWHERE=1
+    else
+      OPTIONS_ANYWHERE=
+    fi
+    ;;
+esac
+
+
 # The target trash directory to dispose files and directories,
 #   defaults to the system trash directory
 SAFE_RM_TRASH=${SAFE_RM_TRASH:="$DEFAULT_TRASH"}
@@ -259,7 +289,7 @@ while [[ -n $1 ]]; do
     # -> args: [], files: ['-']
     *)
       push_file "$1"; debug "$LINENO: file $1"
-      ARG_END=1
+      [[ -z "$OPTIONS_ANYWHERE" ]] && ARG_END=1
       ;;
     esac
   fi
@@ -351,6 +381,8 @@ check_return_status(){
 remove(){
   local file=$1
 
+  ensure_safe_scope "$file" || return 1
+
   # if is dir
   if [[ -d "$file" && ! -L "$file" ]]; then
 
@@ -492,9 +524,56 @@ do_trash(){
 get_absolute_path(){
   local dir
   local base
-  dir=$(cd "$(dirname -- "$1")" && pwd)
+  if [[ "$1" == "/" ]]; then
+    printf '/\n'
+    return
+  fi
+
+  dir=$(cd "$(dirname -- "$1")" && pwd) || return 1
   base=$(basename -- "$1")
-  printf '%s/%s\n' "$dir" "$base"
+
+  case "$base" in
+    .)
+      printf '%s\n' "$dir"
+      ;;
+
+    ..)
+      dir=$(cd "$dir/.." && pwd) || return 1
+      printf '%s\n' "$dir"
+      ;;
+
+    *)
+      printf '%s/%s\n' "$dir" "$base"
+      ;;
+  esac
+}
+
+
+expand_home_path(){
+  case $1 in
+    "~")
+      printf '%s\n' "$HOME"
+      ;;
+
+    "~/"*)
+      printf '%s/%s\n' "$HOME" "${1#~/}"
+      ;;
+
+    *)
+      printf '%s\n' "$1"
+      ;;
+  esac
+}
+
+
+resolve_directory_path(){
+  local path
+  path=$(expand_home_path "$1")
+
+  (
+    cd "$path" &> /dev/null || exit 1
+    pwd
+  )
 }
 
 
@@ -535,6 +614,44 @@ is_in_trash(){
 }
 
 
+SAFE_RM_SCOPE_ROOT=
+init_safe_rm_scope(){
+  if [[ -z "$SAFE_RM_SCOPE" ]]; then
+    return 0
+  fi
+
+  SAFE_RM_SCOPE_ROOT=$(resolve_directory_path "$SAFE_RM_SCOPE") || {
+    error "$COMMAND: invalid SAFE_RM_SCOPE '$SAFE_RM_SCOPE': not an existing directory"
+    return 1
+  }
+
+  debug "$LINENO: safe rm scope enabled: $SAFE_RM_SCOPE_ROOT"
+}
+
+
+is_in_scope(){
+  local target_abs
+
+  if [[ -z "$SAFE_RM_SCOPE_ROOT" ]]; then
+    return 0
+  fi
+
+  target_abs=$(get_absolute_path "$1") || return 1
+
+  [[ "$target_abs" == "$SAFE_RM_SCOPE_ROOT" || "$target_abs" == "$SAFE_RM_SCOPE_ROOT"/* ]]
+}
+
+
+ensure_safe_scope(){
+  if is_in_scope "$1"; then
+    return 0
+  fi
+
+  error "$COMMAND: target '$1' skipped, unsafe directory scope"
+  return 1
+}
+
+
 # Returns
 # - 0: the target is protected
 # - 1: the target is not protected
@@ -806,6 +923,8 @@ list_files(){
 # debug: get $FILE_NAME array length
 debug "$LINENO: ${#FILE_NAME[@]} files or directory to process: ${FILE_NAME[@]}"
 
+init_safe_rm_scope || do_exit $LINENO 1
+
 # test remove interactive_once: ask for 3 or more files or with recursive option
 if [[ (${#FILE_NAME[@]} > 3 || $OPT_RECURSIVE == 1) && $OPT_INTERACTIVE_ONCE == 1 ]]; then
   echo -n "$COMMAND: remove all arguments? "
@@ -821,6 +940,11 @@ fi
 for file in "${FILE_NAME[@]}"; do
   debug "$LINENO: result file $file"
 
+  if ! ensure_safe_scope "$file"; then
+    EXIT_CODE=1
+    continue
+  fi
+
   if [[ $file == "/" ]]; then
     error "it is dangerous to operate recursively on /"
     error "are you insane?"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "safe-rm",
-  "version": "3.1.5",
+  "version": "3.3.0",
   "description": "A much safer replacement of bash rm with nearly full functionalities and options of the rm command!",
   "bin": {
     "safe-rm": "./bin/rm.sh"

package/test/cases.js

@@ -402,6 +402,149 @@ module.exports = (
     ])
   })
 
+  !is_rm(type) && test(`scope "." allows removing targets under cwd only`, async t => {
+    const {
+      root,
+      source_path,
+      createDir,
+      createFile,
+      runRm,
+      pathExists
+    } = t.context
+
+    const trash = await createDir({
+      name: 'scope-trash-dot',
+      under: root
+    })
+
+    const cwd = await createDir({
+      name: 'scope-cwd',
+      under: source_path
+    })
+
+    const inside = await createDir({
+      name: 'foo',
+      under: cwd
+    })
+
+    await createFile({
+      name: 'bar',
+      under: inside
+    })
+
+    const resultInside = await runRm(['-rf', 'foo'], {
+      cwd,
+      env: {
+        SAFE_RM_SCOPE: '.',
+        SAFE_RM_TRASH: trash
+      }
+    })
+
+    assertEmptySuccess(t, resultInside)
+    t.false(await pathExists(inside), 'in-scope target should be removed')
+
+    const resultOutside = await runRm(['-rf', '../'], {
+      cwd,
+      env: {
+        SAFE_RM_SCOPE: '.',
+        SAFE_RM_TRASH: trash
+      }
+    })
+
+    t.is(resultOutside.code, 1, 'out-of-scope target should fail')
+    t.true(resultOutside.stderr.includes('unsafe directory scope'))
+    t.true(await pathExists(source_path), 'parent directory should remain')
+  })
+
+  !is_rm(type) && test(`scope "~" expands HOME and blocks targets outside home`, async t => {
+    const {
+      root,
+      createDir,
+      createFile,
+      runRm,
+      pathExists
+    } = t.context
+
+    const home = await createDir({
+      name: 'scope-home',
+      under: root
+    })
+
+    const trash = await createDir({
+      name: 'scope-trash-home',
+      under: root
+    })
+
+    const inside = await createFile({
+      name: 'inside-home',
+      under: home
+    })
+
+    const outside = await createFile({
+      name: 'outside-home'
+    })
+
+    const env = {
+      HOME: home,
+      SAFE_RM_SCOPE: '~',
+      SAFE_RM_TRASH: trash
+    }
+
+    const resultInside = await runRm([inside], {
+      env
+    })
+
+    assertEmptySuccess(t, resultInside)
+    t.false(await pathExists(inside), 'home-scoped target should be removed')
+
+    const resultOutside = await runRm([outside], {
+      env
+    })
+
+    t.is(resultOutside.code, 1, 'target outside home scope should fail')
+    t.true(resultOutside.stderr.includes('unsafe directory scope'))
+    t.true(await pathExists(outside), 'out-of-scope file should remain')
+  })
+
+  !is_rm(type) && test(`scope checks symlink path instead of symlink target`, async t => {
+    const {
+      root,
+      createDir,
+      createFile,
+      runRm,
+      pathExists
+    } = t.context
+
+    const trash = await createDir({
+      name: 'scope-trash-link',
+      under: root
+    })
+
+    const cwd = await createDir({
+      name: 'scope-link-cwd',
+      under: root
+    })
+
+    const outsideTarget = await createFile({
+      name: 'scope-link-target'
+    })
+
+    const link = path.join(cwd, 'scope-link')
+    await fs.symlink(outsideTarget, link)
+
+    const result = await runRm(['scope-link'], {
+      cwd,
+      env: {
+        SAFE_RM_SCOPE: '.',
+        SAFE_RM_TRASH: trash
+      }
+    })
+
+    assertEmptySuccess(t, result)
+    t.false(await pathExists(link), 'symlink should be removed')
+    t.true(await pathExists(outsideTarget), 'symlink target should remain')
+  })
+
   !is_rm(type) && !is_as(type) && test(`-I only prompts for more than three files`, async t => {
     const {
       createFile,
@@ -832,4 +975,78 @@ fi
     t.is(result.code, 0, 'exit code should be 0')
     t.false(await pathExists(filepath), 'file should be removed')
   })
+
+  // Flag-after-operand parsing: align with the host's real `rm`.
+  // GNU rm (Linux) permutes options; BSD rm (MacOS) does not.
+  !is_rm(type) && !is_as(type) && !IS_MACOS && test(`Linux: flags after operand parse as options`, async t => {
+    const {
+      createDir,
+      createFile,
+      runRm,
+      pathExists
+    } = t.context
+
+    const dirpath = await createDir()
+    await createFile({under: dirpath})
+
+    const result = await runRm([dirpath, '-rf'])
+
+    assertEmptySuccess(t, result)
+    t.false(await pathExists(dirpath), 'directory should be removed')
+  })
+
+  !is_rm(type) && !is_as(type) && IS_MACOS && test(`MacOS: flags after operand are treated as filenames`, async t => {
+    const {
+      createDir,
+      createFile,
+      runRm,
+      pathExists
+    } = t.context
+
+    const dirpath = await createDir()
+    await createFile({under: dirpath})
+
+    const result = await runRm([dirpath, '-rf'])
+
+    t.is(result.code, 1, 'exit code should be 1')
+    t.true(await pathExists(dirpath), 'directory should remain')
+  })
+
+  !is_rm(type) && !is_as(type) && IS_MACOS && test(`SAFE_RM_OPTIONS_ANYWHERE=yes enables permutation on MacOS`, async t => {
+    const {
+      createDir,
+      createFile,
+      runRm,
+      pathExists
+    } = t.context
+
+    const dirpath = await createDir()
+    await createFile({under: dirpath})
+
+    const result = await runRm([dirpath, '-rf'], {
+      env: {SAFE_RM_OPTIONS_ANYWHERE: 'yes'}
+    })
+
+    assertEmptySuccess(t, result)
+    t.false(await pathExists(dirpath), 'directory should be removed')
+  })
+
+  !is_rm(type) && !is_as(type) && !IS_MACOS && test(`SAFE_RM_OPTIONS_ANYWHERE=no disables permutation on Linux`, async t => {
+    const {
+      createDir,
+      createFile,
+      runRm,
+      pathExists
+    } = t.context
+
+    const dirpath = await createDir()
+    await createFile({under: dirpath})
+
+    const result = await runRm([dirpath, '-rf'], {
+      env: {SAFE_RM_OPTIONS_ANYWHERE: 'no'}
+    })
+
+    t.is(result.code, 1, 'exit code should be 1')
+    t.true(await pathExists(dirpath), 'directory should remain')
+  })
 }