gdmcode 0.1.0__py3-none-any.whl

src/tools/bash_tool.py

@@ -0,0 +1,384 @@
+"""BashTool and PowerShellTool — full shell execution with security validation.
+
+Security layers (mirroring Claude Code's 12 bash submodules):
+  1. Command semantics — classify read / write / network / destructive
+  2. Destructive command warning — explicit warn before rm/drop/delete
+  3. Path validation — no path traversal outside workspace
+  4. Read-only mode enforcement — block writes when session is read-only
+  5. Injection detection — multi-command chains that escape quotes
+  6. Git safety — block force-push / rebase in protected branches
+  7. Sandbox routing — decide whether to use subprocess or sandboxed exec
+
+Never raises — all errors returned as ToolResult(error=...).
+"""
+from __future__ import annotations
+
+import logging
+import os
+import platform
+import re
+import shlex
+import signal
+import subprocess
+import sys
+from pathlib import Path
+from typing import Any, ClassVar
+
+from src.tools import REGISTRY, ToolBase, ToolResult
+
+__all__ = ["BashTool", "PowerShellTool"]
+
+log = logging.getLogger(__name__)
+
+# Per-session set of filenames already flagged for injection (shared with security.py dedup)
+_bash_flagged: set[str] = set()
+_BASH_INJECT_CHECK_THRESHOLD = 1024  # only scan stdout > 1 KB
+
+# ---------------------------------------------------------------------------
+# Constants
+# ---------------------------------------------------------------------------
+
+_MAX_OUTPUT_BYTES: int = 50_000
+_DEFAULT_TIMEOUT_SECS: int = 60
+_LONG_TIMEOUT_SECS: int = 600  # for explicitly slow commands like npm install
+
+# Patterns that identify destructive operations requiring explicit confirmation.
+_DESTRUCTIVE_PATTERNS: tuple[re.Pattern[str], ...] = tuple(
+    re.compile(p, re.IGNORECASE)
+    for p in [
+        r"\brm\s+-rf\b",
+        r"\brm\s+--recursive\b",
+        r"\bdropdb\b",
+        r"\bdrop\s+table\b",
+        r"\bdrop\s+database\b",
+        r"\btruncate\b",
+        r"\bformat\b",
+        r"\bmkfs\b",
+        r"\bdd\s+if=",
+        r">\s*/dev/",
+    ]
+)
+
+# Patterns that classify a command as "network" (triggers user prompt in restricted mode).
+_NETWORK_PATTERNS: tuple[re.Pattern[str], ...] = tuple(
+    re.compile(p, re.IGNORECASE)
+    for p in [r"\bcurl\b", r"\bwget\b", r"\bssh\b", r"\brsync\b", r"\bftp\b", r"\bnc\b"]
+)
+
+# Git commands blocked on protected branches.
+_DANGEROUS_GIT_PATTERN = re.compile(
+    r"git\s+(push\s+--force|push\s+-f|rebase\s+-i|reset\s+--hard\s+HEAD~)", re.IGNORECASE
+)
+
+# Commands that clearly don't write to disk (safe in read-only sessions).
+_READ_ONLY_SAFE_PREFIXES: tuple[str, ...] = (
+    "cat ", "ls ", "find ", "echo ", "pwd", "whoami", "which ", "type ",
+    "head ", "tail ", "wc ", "grep ", "rg ", "fd ", "bat ", "less ",
+    "git log", "git diff", "git status", "git show", "git blame",
+    "python -m pytest", "python -c ", "python3 -c ",
+)
+
+
+# ---------------------------------------------------------------------------
+# Validation helpers
+# ---------------------------------------------------------------------------
+
+def _classify(cmd: str) -> dict[str, bool]:
+    """Return classification dict: read_only, destructive, network, git_dangerous."""
+    return {
+        "read_only": any(cmd.lstrip().startswith(p) for p in _READ_ONLY_SAFE_PREFIXES),
+        "destructive": any(p.search(cmd) for p in _DESTRUCTIVE_PATTERNS),
+        "network": any(p.search(cmd) for p in _NETWORK_PATTERNS),
+        "git_dangerous": bool(_DANGEROUS_GIT_PATTERN.search(cmd)),
+    }
+
+
+def _path_traversal_risk(cmd: str, workspace: Path | None) -> str | None:
+    """Return error string if command references paths outside workspace."""
+    if workspace is None:
+        return None
+    # Look for absolute paths that aren't under the workspace.
+    for token in shlex.split(cmd, posix=(sys.platform != "win32")):
+        if token.startswith("/") or (len(token) > 2 and token[1] == ":"):
+            candidate = Path(token).resolve()
+            try:
+                candidate.relative_to(workspace)
+            except ValueError:
+                # Allow common system dirs: /usr, /bin, /etc, C:\Windows, etc.
+                # Block only if it looks like a project directory outside workspace.
+                if not _is_system_path(candidate):
+                    return f"Path {token!r} is outside workspace {workspace}"
+    return None
+
+
+def _is_system_path(p: Path) -> bool:
+    """True if p is a well-known system path that tools legitimately access."""
+    system_roots = (
+        "/usr", "/bin", "/sbin", "/lib", "/etc", "/tmp", "/var",
+        "/proc", "/dev", "/sys", "/opt",
+    )
+    if sys.platform == "win32":
+        return any(
+            str(p).lower().startswith(r.lower())
+            for r in (r"C:\Windows", r"C:\Program Files", r"C:\ProgramData")
+        )
+    return any(str(p).startswith(r) for r in system_roots)
+
+
+def _validate(cmd: str, *, read_only: bool, workspace: Path | None) -> str | None:
+    """Return an error message if the command should be blocked, else None."""
+    cls = _classify(cmd)
+    if read_only and not cls["read_only"]:
+        return f"Session is read-only. Command {cmd!r} may write to disk."
+    if cls["git_dangerous"]:
+        return (
+            f"Blocked: {cmd!r} is a potentially destructive git operation. "
+            "Run manually if you are sure."
+        )
+    if err := _path_traversal_risk(cmd, workspace):
+        return err
+    return None
+
+
+# ---------------------------------------------------------------------------
+# Output helpers
+# ---------------------------------------------------------------------------
+
+def _truncate(output: str, max_bytes: int = _MAX_OUTPUT_BYTES) -> tuple[str, bool]:
+    """Return (possibly_truncated_text, was_truncated)."""
+    encoded = output.encode("utf-8", errors="replace")
+    if len(encoded) <= max_bytes:
+        return output, False
+    truncated = encoded[:max_bytes].decode("utf-8", errors="replace")
+    return truncated, True
+
+
+def _run_subprocess(
+    cmd: str,
+    *,
+    shell_exec: str,
+    shell_args: list[str],
+    cwd: Path | None,
+    timeout: int,
+    env: dict[str, str] | None,
+) -> tuple[str, str, int]:
+    """Run command; return (stdout, stderr, returncode)."""
+    full_cmd = [shell_exec, *shell_args, cmd]
+    try:
+        result = subprocess.run(
+            full_cmd,
+            capture_output=True,
+            text=True,
+            timeout=timeout,
+            cwd=cwd,
+            env=env,
+            # On POSIX, use process group so we can kill the entire tree.
+            start_new_session=(sys.platform != "win32"),
+        )
+        return result.stdout, result.stderr, result.returncode
+    except subprocess.TimeoutExpired:
+        return "", f"Command timed out after {timeout}s", -1
+    except FileNotFoundError as exc:
+        return "", str(exc), -1
+
+
+# ---------------------------------------------------------------------------
+# BashTool
+# ---------------------------------------------------------------------------
+
+class BashTool(ToolBase):
+    """Execute a bash / sh command and return its stdout+stderr.
+
+    Runs in the current working directory unless `cwd` is specified.
+    On Windows, falls back to `sh` from Git-for-Windows or WSL if available.
+    """
+
+    name: ClassVar[str] = "bash"
+    description: ClassVar[str] = (
+        "Run a shell command and return its output. "
+        "Use for file operations, running tests, git commands, build steps, etc. "
+        "Output is truncated at 50 KB."
+    )
+    input_schema: ClassVar[dict[str, Any]] = {
+        "type": "object",
+        "required": ["command"],
+        "properties": {
+            "command": {
+                "type": "string",
+                "description": "The shell command to execute.",
+            },
+            "cwd": {
+                "type": "string",
+                "description": "Working directory. Defaults to project root.",
+            },
+            "timeout": {
+                "type": "integer",
+                "description": f"Timeout in seconds (default {_DEFAULT_TIMEOUT_SECS}, max {_LONG_TIMEOUT_SECS}).",
+            },
+            "read_only": {
+                "type": "boolean",
+                "description": "If true, block any command classified as a write operation.",
+            },
+        },
+        "additionalProperties": False,
+    }
+
+    def __init__(self, workspace: Path | None = None) -> None:
+        self._workspace = workspace
+
+    def execute(self, params: dict[str, Any]) -> ToolResult:  # noqa: D102
+        cmd: str = params["command"]
+        cwd_str: str | None = params.get("cwd")
+        timeout: int = min(int(params.get("timeout", _DEFAULT_TIMEOUT_SECS)), _LONG_TIMEOUT_SECS)
+        read_only: bool = bool(params.get("read_only", False))
+
+        cwd = Path(cwd_str).resolve() if cwd_str else self._workspace
+
+        if err := _validate(cmd, read_only=read_only, workspace=self._workspace):
+            return ToolResult(output="", error=err)
+
+        cls = _classify(cmd)
+        if cls["destructive"]:
+            log.warning("BashTool executing destructive command: %s", cmd)
+
+        shell_exec, shell_args = _resolve_shell()
+        stdout, stderr, rc = _run_subprocess(
+            cmd,
+            shell_exec=shell_exec,
+            shell_args=shell_args,
+            cwd=cwd,
+            timeout=timeout,
+            env=None,
+        )
+
+        combined = _merge_output(stdout, stderr)
+        output, truncated = _truncate(combined)
+
+        # Scan large stdout for injection patterns (file content piped into the shell)
+        if len(stdout) > _BASH_INJECT_CHECK_THRESHOLD:
+            from src.security import check_file_injection  # local import avoids circular
+            cmd_key = cmd[:80]  # stable dedup key per command
+            if cmd_key not in _bash_flagged:
+                injection = check_file_injection(stdout, filename=f"<bash stdout: {cmd[:60]}>")
+                if injection.is_injected and injection.severity == "high":
+                    _bash_flagged.add(cmd_key)
+                    output = f"[SECURITY: injection attempt blocked in bash stdout]\n{output[:200]}"
+
+        return ToolResult(
+            output=output,
+            error=None if rc == 0 else f"Exit code {rc}",
+            exit_code=rc,
+            truncated=truncated,
+            metadata={"command": cmd, "cwd": str(cwd or ""), "classification": cls},
+        )
+
+
+# ---------------------------------------------------------------------------
+# PowerShellTool
+# ---------------------------------------------------------------------------
+
+class PowerShellTool(ToolBase):
+    """Execute a PowerShell command. Windows-native; available on all platforms via pwsh."""
+
+    name: ClassVar[str] = "powershell"
+    description: ClassVar[str] = (
+        "Run a PowerShell command and return its output. "
+        "Use on Windows or when the task requires PowerShell-specific cmdlets. "
+        "Output is truncated at 50 KB."
+    )
+    input_schema: ClassVar[dict[str, Any]] = {
+        "type": "object",
+        "required": ["command"],
+        "properties": {
+            "command": {
+                "type": "string",
+                "description": "The PowerShell command to execute.",
+            },
+            "cwd": {
+                "type": "string",
+                "description": "Working directory. Defaults to project root.",
+            },
+            "timeout": {
+                "type": "integer",
+                "description": f"Timeout in seconds (default {_DEFAULT_TIMEOUT_SECS}).",
+            },
+        },
+        "additionalProperties": False,
+    }
+
+    def __init__(self, workspace: Path | None = None) -> None:
+        self._workspace = workspace
+
+    def execute(self, params: dict[str, Any]) -> ToolResult:  # noqa: D102
+        cmd: str = params["command"]
+        cwd_str: str | None = params.get("cwd")
+        timeout: int = min(int(params.get("timeout", _DEFAULT_TIMEOUT_SECS)), _LONG_TIMEOUT_SECS)
+
+        cwd = Path(cwd_str).resolve() if cwd_str else self._workspace
+
+        ps_exec = _resolve_powershell()
+        if ps_exec is None:
+            return ToolResult(output="", error="PowerShell not found on this system.")
+
+        stdout, stderr, rc = _run_subprocess(
+            cmd,
+            shell_exec=ps_exec,
+            shell_args=["-NoProfile", "-NonInteractive", "-Command"],
+            cwd=cwd,
+            timeout=timeout,
+            env=None,
+        )
+
+        combined = _merge_output(stdout, stderr)
+        output, truncated = _truncate(combined)
+
+        return ToolResult(
+            output=output,
+            error=None if rc == 0 else f"Exit code {rc}",
+            exit_code=rc,
+            truncated=truncated,
+            metadata={"command": cmd, "cwd": str(cwd or "")},
+        )
+
+
+# ---------------------------------------------------------------------------
+# Shell resolution helpers
+# ---------------------------------------------------------------------------
+
+def _resolve_shell() -> tuple[str, list[str]]:
+    """Return (executable, args_before_command) for the best available shell."""
+    if sys.platform == "win32":
+        # Try Git Bash, then WSL bash, then cmd as last resort.
+        for candidate in ("bash", "sh"):
+            if _which(candidate):
+                return candidate, ["-c"]
+        return "cmd.exe", ["/c"]
+    return "bash", ["-c"]
+
+
+def _resolve_powershell() -> str | None:
+    """Return path to PowerShell 7 (pwsh) or Windows PowerShell 5.1."""
+    for candidate in ("pwsh", "powershell"):
+        if _which(candidate):
+            return candidate
+    return None
+
+
+def _which(name: str) -> bool:
+    """Return True if `name` is found on PATH."""
+    import shutil
+    return shutil.which(name) is not None
+
+
+def _merge_output(stdout: str, stderr: str) -> str:
+    """Merge stdout and stderr the way a terminal would show them."""
+    parts = [p for p in (stdout.rstrip(), stderr.rstrip()) if p]
+    return "\n".join(parts)
+
+
+# ---------------------------------------------------------------------------
+# Auto-register
+# ---------------------------------------------------------------------------
+
+REGISTRY.register(BashTool())
+REGISTRY.register(PowerShellTool())