wormclaude 1.0.145 → 1.0.146
- package/dist/cmdsec.js +24 -5
- package/dist/theme.js +1 -1
- package/dist/tools.js +1 -1
- package/package.json +1 -1
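--- a/package/dist/cmdsec.js
+++ b/package/dist/cmdsec.js
@@ -167,6 +167,23 @@ const DANGER = [
 { re: /\bmv\s+[^\n]*\s+\/dev\/null\b/, reason: 'Veriyi /dev/null\'a taşıma' },
 { re: />\s*\/dev\/null\s+2>&1\s*;\s*rm/, reason: 'Gizli silme' },
 ];
+// ── Windows tehlikeli komutlar (HARD DENY) — kullanıcı Windows'ta ──────────
+// Yalnız SİSTEM / sürücü-kökü hedefleri engellenir; proje altı (C:\Users\...\build)
+// silmeleri meşrudur → onay akışına düşer, hard-deny EDİLMEZ.
+const WIN_SYS = '(?:[a-zA-Z]:\\\\?(?:windows\\b|program\\s?files(?:\\s?\\(x86\\))?\\b|programdata\\b)' + // C:\Windows, C:\Program Files, C:\ProgramData
+'|[a-zA-Z]:\\\\?(?:["\'\\s]|$)' + // C:\ (sürücü kökü)
+'|system32\\b|%(?:systemroot|windir|systemdrive)%|\\$env:(?:windir|systemroot|systemdrive))';
+const WIN_DANGER = [
+// del / erase / rd / rmdir /s → sistem ya da sürücü kökü
+{ re: new RegExp('\\b(?:del|erase|rd|rmdir)\\b(?=[\\s\\S]*\\s/s\\b)[\\s\\S]*?' + WIN_SYS, 'i'),
+reason: 'Windows sistem/sürücü kökünde özyinelemeli silme (del/rd /s)' },
+// Remove-Item (alias ri/rm/del) -Recurse [-Force] → sistem ya da sürücü kökü
+{ re: new RegExp('\\b(?:remove-item|ri|rm|rmdir|rd|del)\\b(?=[\\s\\S]*-(?:recurse|r)\\b)[\\s\\S]*?' + WIN_SYS, 'i'),
+reason: 'Windows kök/sistem yolunda Remove-Item -Recurse' },
+{ re: /\bformat\b\s+[a-zA-Z]:/i, reason: 'Disk biçimlendirme (format)' },
+{ re: /\bFormat-Volume\b/i, reason: 'Disk biçimlendirme (Format-Volume)' },
+{ re: /\b(?:Stop-Computer|Restart-Computer|shutdown(?:\.exe)?\b|Clear-Disk|Remove-Partition)\b/i, reason: 'Sistemi kapatma/disk temizleme' },
+];
 // ── Read-only komut tespiti (shellReadOnlyChecker.js'ten — sağlam) ──────────
 const READONLY_ROOTS = new Set([
 'awk', 'basename', 'cat', 'cd', 'column', 'cut', 'df', 'dirname', 'du', 'echo', 'env', 'find',
@@ -278,15 +295,17 @@ export function isShellCommandReadOnly(command) {
 return segs.length > 0 && segs.every(cmdIsReadOnly);
 }
 // ── Asıl güvenlik motoru ───────────────────────────────────────────────────
-export function checkCommand(rawCommand) {
+export function checkCommand(rawCommand, opts) {
 const command = stripShellWrapper(String(rawCommand || ''));
 const roots = getCommandRoots(command);
-
-
+const shell = opts?.shell;
+// 1) Command substitution -> HARD DENY (yalnız bash/sh için; PowerShell'de `$()` ve backtick
+// NORMAL sözdizimidir — alt-ifade / escape — bash komut-ikamesi değil → atla).
+if (shell !== 'powershell' && detectCommandSubstitution(command)) {
 return { decision: 'deny', reason: 'Komut ikamesi ($(), <(), backtick) güvenlik nedeniyle engellendi', roots };
 }
-// 2) Tehlikeli blocklist -> HARD DENY
-for (const d of DANGER) {
+// 2) Tehlikeli blocklist (POSIX + Windows) -> HARD DENY
+for (const d of [...DANGER, ...WIN_DANGER]) {
 try {
 if (d.re instanceof RegExp && d.re.test(command))
 return { decision: 'deny', reason: d.reason, roots };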
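Review bot: The two WIN_DANGER matchers (new lines 178 and 181) let `[\\s\\S]*?` and the `/s` / `-Recurse` lookahead run across `;`, `&`, `|` and newlines, so a legitimate project cleanup followed by an unrelated segment that merely mentions a system location — e.g. `rd /s /q build && echo %windir%` — is hard-denied, contradicting the header comment's promise that project-subtree deletions fall through to the confirm flow. The POSIX entry on line 167 stays within one line via `[^\n]*`; bounding the Windows entries the same way — `(?=[^\\n;&|]*\\s/s\\b)[^\\n;&|]*?` on line 178 and `(?=[^\\n;&|]*-(?:recurse|r)\\b)[^\\n;&|]*?` on line 181 — keeps the deny precise, and adding the separators to the drive-root terminator on line 174, `(?:["\'\\s;&|]|$)`, keeps `C:\` recognised when it ends a segment. In the second hunk the new `opts` parameter of `checkCommand` is undocumented; a JSDoc tag such as `@param {{shell?: 'bash'|'powershell'}} [opts] - shell dialect; any value other than 'powershell' keeps the bash command-substitution check (fail-closed)` would record the intended gating. checkCommand's body continues past the end of the second hunk.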
package/dist/theme.js
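--- a/package/dist/tools.js
+++ b/package/dist/tools.js
@@ -694,7 +694,7 @@ async function execOne(call, hooks) {
 }
 // 3.5) Komut güvenliği (Bash/PowerShell) — cmdsec: deny→blokla, allow→izinsiz, confirm→izin akışı
 if ((call.name === 'Bash' || call.name === 'PowerShell') && args && args.command) {
-const chk = checkCommand(String(args.command));
+const chk = checkCommand(String(args.command), { shell: call.name === 'PowerShell' ? 'powershell' : 'bash' });
 if (chk.decision === 'deny') {
 return { ok: false, output: `⛔ Güvenlik: komut engellendi — ${chk.reason || 'tehlikeli komut'}`, args };
 }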
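Review bot: The tool-name-to-dialect mapping on new line 697 is an inline ternary whose fallback silently classifies every non-PowerShell tool as bash, which is the safe (fail-closed) side for the substitution check but is not stated anywhere. Naming it makes the intent reviewable: `const shell = call.name === 'PowerShell' ? 'powershell' : 'bash'; // non-PowerShell tools keep the bash substitution check`, then `const chk = checkCommand(String(args.command), { shell });`. execOne's body starts and ends outside this hunk.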