holmesgpt 0.13.0__py3-none-any.whl → 0.13.2__py3-none-any.whl

holmes/plugins/toolsets/bash/azure/constants.py

@@ -0,0 +1,339 @@
+ALLOWED_AZURE_COMMANDS: dict[str, dict] = {
+    # Basic account and resource management (read-only)
+    "account": {"list": {}, "show": {}, "list-locations": {}, "tenant": {"list": {}}},
+    "group": {"list": {}, "show": {}, "exists": {}},
+    "resource": {"list": {}, "show": {}},
+    # Virtual Machine commands (read-only)
+    "vm": {
+        "list": {},
+        "show": {},
+        "list-ip-addresses": {},
+        "list-sizes": {},
+        "list-skus": {},
+        "list-usage": {},
+        "list-vm-resize-options": {},
+        "get-instance-view": {},
+    },
+    # Network commands (read-only)
+    "network": {
+        "vnet": {"list": {}, "show": {}, "subnet": {"list": {}, "show": {}}},
+        "nsg": {"list": {}, "show": {}, "rule": {"list": {}, "show": {}}},
+        "public-ip": {"list": {}, "show": {}},
+        "lb": {
+            "list": {},
+            "show": {},
+            "frontend-ip": {"list": {}, "show": {}},
+            "rule": {"list": {}, "show": {}},
+        },
+        "application-gateway": {"list": {}, "show": {}, "show-backend-health": {}},
+        "nic": {
+            "list": {},
+            "show": {},
+            "list-effective-nsg": {},
+            "show-effective-route-table": {},
+        },
+        "route-table": {"list": {}, "show": {}, "route": {"list": {}, "show": {}}},
+        "dns": {
+            "zone": {"list": {}, "show": {}, "record-set": {"list": {}, "show": {}}}
+        },
+        "traffic-manager": {
+            "profile": {"list": {}, "show": {}, "endpoint": {"list": {}, "show": {}}}
+        },
+    },
+    # Storage commands (read-only)
+    "storage": {
+        "account": {"list": {}, "show": {}, "show-usage": {}, "check-name": {}},
+        "container": {"list": {}, "show": {}, "exists": {}},
+        "blob": {"list": {}, "show": {}, "exists": {}},
+        "share": {"list": {}, "show": {}, "exists": {}},
+        "queue": {"list": {}, "show": {}, "exists": {}},
+        "table": {"list": {}, "show": {}, "exists": {}},
+    },
+    # Azure Kubernetes Service (read-only)
+    "aks": {
+        "list": {},
+        "show": {},
+        "get-versions": {},
+        "get-upgrades": {},
+        "nodepool": {"list": {}, "show": {}},
+        "check-acr": {},
+    },
+    # Monitoring (read-only)
+    "monitor": {
+        "metrics": {
+            "list": {},
+            "list-definitions": {},
+            "list-namespaces": {},
+            "alert": {"list": {}, "show": {}},
+        },
+        "activity-log": {
+            "list": {},
+            "list-categories": {},
+            "alert": {"list": {}, "show": {}},
+        },
+        "log-analytics": {
+            "workspace": {
+                "list": {},
+                "show": {},
+                "get-schema": {},
+            },
+            "query": {},
+        },
+        "diagnostic-settings": {"list": {}, "show": {}},
+        "autoscale": {"list": {}, "show": {}},
+    },
+    # App Service (read-only)
+    "appservice": {"plan": {"list": {}, "show": {}}, "list-locations": {}},
+    "webapp": {"list": {}, "show": {}, "list-runtimes": {}, "config": {"show": {}}},
+    # Key Vault (limited safe operations)
+    "keyvault": {"list": {}, "show": {}, "list-deleted": {}, "check-name": {}},
+    # SQL Database (read-only)
+    "sql": {
+        "server": {"list": {}, "show": {}},
+        "db": {"list": {}, "show": {}, "list-editions": {}, "show-usage": {}},
+        "elastic-pool": {"list": {}, "show": {}},
+    },
+    # CosmosDB (read-only)
+    "cosmosdb": {
+        "list": {},
+        "show": {},
+        "database": {"list": {}, "show": {}},
+        "collection": {"list": {}, "show": {}},
+    },
+    # Container Registry (read-only)
+    "acr": {
+        "list": {},
+        "show": {},
+        "repository": {"list": {}, "show": {}, "show-tags": {}, "show-manifests": {}},
+        "check-name": {},
+        "check-health": {},
+    },
+    # Container Instances (read-only)
+    "container": {"list": {}, "show": {}, "logs": {}},
+    # Batch (read-only)
+    "batch": {
+        "account": {"list": {}, "show": {}},
+        "pool": {"list": {}, "show": {}},
+        "job": {"list": {}, "show": {}},
+        "task": {"list": {}, "show": {}},
+    },
+    # CDN (read-only)
+    "cdn": {"profile": {"list": {}, "show": {}}, "endpoint": {"list": {}, "show": {}}},
+    # Event Hub (read-only)
+    "eventhubs": {
+        "namespace": {"list": {}, "show": {}},
+        "eventhub": {"list": {}, "show": {}},
+    },
+    # Service Bus (read-only)
+    "servicebus": {
+        "namespace": {"list": {}, "show": {}},
+        "queue": {"list": {}, "show": {}},
+        "topic": {"list": {}, "show": {}},
+    },
+    # IoT Hub (read-only)
+    "iot": {"hub": {"list": {}, "show": {}}, "device": {"list": {}, "show": {}}},
+    # Logic Apps (read-only)
+    "logic": {"workflow": {"list": {}, "show": {}}},
+    # Functions (read-only)
+    "functionapp": {"list": {}, "show": {}, "config": {"show": {}}},
+    # Redis Cache (read-only)
+    "redis": {"list": {}, "show": {}},
+    # Search (read-only)
+    "search": {"service": {"list": {}, "show": {}}},
+    # API Management (read-only)
+    "apim": {"list": {}, "show": {}, "api": {"list": {}, "show": {}}},
+    # Help and information
+    "help": {},
+    "version": {},
+    # Completion
+    "completion": {},
+}
+
+# Blocked Azure operations (state-modifying or dangerous)
+DENIED_AZURE_COMMANDS: dict[str, dict] = {
+    # Account and subscription management
+    "account": {
+        "set": {},
+        "clear": {},
+        "get-access-token": {},  # Returns sensitive tokens
+    },
+    # Resource lifecycle operations
+    "group": {"create": {}, "delete": {}, "update": {}},
+    "resource": {
+        "create": {},
+        "delete": {},
+        "update": {},
+        "move": {},
+        "tag": {},
+        "untag": {},
+        "lock": {},
+        "unlock": {},
+    },
+    # VM operations
+    "vm": {
+        "create": {},
+        "delete": {},
+        "start": {},
+        "stop": {},
+        "restart": {},
+        "deallocate": {},
+        "capture": {},
+        "generalize": {},
+        "resize": {},
+        "redeploy": {},
+        "reapply": {},
+        "run-command": {},  # Executes commands on VMs
+        "attach": {},
+        "detach": {},
+    },
+    # Storage operations
+    "storage": {
+        "account": {
+            "create": {},
+            "delete": {},
+            "update": {},
+            "keys": {},
+        },
+        "container": {"create": {}, "delete": {}},
+        "blob": {
+            "upload": {},
+            "download": {},
+            "delete": {},
+            "copy": {},
+            "sync": {},
+            "generate-sas": {},  # Generates access signatures
+        },
+        "share": {"create": {}, "delete": {}},
+        "queue": {"create": {}, "delete": {}},
+        "table": {"create": {}, "delete": {}},
+    },
+    # Network operations
+    "network": {
+        "vnet": {
+            "create": {},
+            "delete": {},
+            "update": {},
+            "subnet": {"create": {}, "delete": {}, "update": {}},
+        },
+        "nsg": {
+            "create": {},
+            "delete": {},
+            "update": {},
+            "rule": {"create": {}, "delete": {}, "update": {}},
+        },
+        "public-ip": {"create": {}, "delete": {}, "update": {}},
+        "lb": {"create": {}, "delete": {}, "update": {}},
+    },
+    # AKS operations
+    "aks": {
+        "create": {},
+        "delete": {},
+        "scale": {},
+        "upgrade": {},
+        "rotate-certs": {},
+        "get-credentials": {},  # Downloads sensitive kubeconfig
+        "install-cli": {},
+        "browse": {},
+        "enable-addons": {},
+        "disable-addons": {},
+        "nodepool": {"add": {}, "delete": {}, "scale": {}, "upgrade": {}},
+    },
+    # Key Vault (sensitive operations)
+    "keyvault": {
+        "create": {},
+        "delete": {},
+        "purge": {},
+        "recover": {},
+        "set-policy": {},
+        "delete-policy": {},
+        "secret": {},  # All secret operations are sensitive
+        "key": {},  # All key operations are sensitive
+        "certificate": {},  # All certificate operations are sensitive
+    },
+    # App Service operations
+    "webapp": {
+        "create": {},
+        "delete": {},
+        "restart": {},
+        "start": {},
+        "stop": {},
+        "deploy": {},
+        "config": {
+            "set": {},
+            "appsettings": {"set": {}, "delete": {}},
+            "connection-string": {"set": {}, "delete": {}},
+        },
+    },
+    "appservice": {"plan": {"create": {}, "delete": {}, "update": {}}},
+    # Database operations
+    "sql": {
+        "server": {"create": {}, "delete": {}, "update": {}},
+        "db": {
+            "create": {},
+            "delete": {},
+            "restore": {},
+            "import": {},
+            "export": {},
+            "failover": {},
+        },
+    },
+    # Authentication and authorization
+    "login": {},
+    "logout": {},
+    "ad": {},  # Active Directory operations can be sensitive
+    "role": {},  # Role assignments modify permissions
+    # Extensions and configuration
+    "extension": {},
+    "configure": {},
+    "feedback": {},
+    "find": {},
+    "upgrade": {},
+    # Deployment and ARM operations
+    "deployment": {},
+    "policy": {},
+    "managedapp": {},
+    "feature": {},
+    "provider": {},
+    "snapshot": {},
+    "image": {},
+    "sig": {},  # Shared Image Gallery operations
+    # Backup and recovery
+    "backup": {},
+    "restore": {},
+    # CDN operations
+    "cdn": {
+        "profile": {"create": {}, "delete": {}},
+        "endpoint": {
+            "create": {},
+            "delete": {},
+            "purge": {},  # Purges CDN content
+        },
+    },
+    # DevOps and CI/CD
+    "devops": {},
+    "repos": {},
+    "artifacts": {},
+    "boards": {},
+    "pipelines": {},
+    # Monitoring operations that expose credentials
+    "monitor": {
+        "log-analytics": {
+            "workspace": {
+                "get-shared-keys": {},  # Exposes sensitive workspace keys
+            },
+        },
+    },
+    # Function App operations
+    "functionapp": {
+        "invoke": {},  # Function invocation
+    },
+    # Batch operations
+    "batch": {
+        "execute": {},  # Command execution
+        "job": {
+            "run": {},  # Running tasks/jobs
+            "submit": {},  # Job submission
+            "cancel": {},  # Canceling operations
+        },
+    },
+}

holmes/plugins/toolsets/bash/bash_instructions.jinja2

@@ -1,14 +1,13 @@
 # Bash commands
 
-The tool `run_bash_command` allows you to run many kubectl commands:
+The tool `run_bash_command` allows you to run the following commands:
+- `kubectl get|describe|logs|top|events [options]`
+- `aws <service> <operation> [options]` (read-only)
+- `az|docker|helm|argocd [options]`
+- `grep|cut|sort|uniq|head|tail|wc|tr|base64|jq|sed [options]`
 
-- `kubectl get ...`
-- `kubectl describe ...`
-- `kubectl events ...`
-- `kubectl top ...`
+Commands can be piped with `|`. No `&&` support.
 
-It is also possible to combine `kubectl` with `grep`. For example:
-- `kubectl get pods | grep holmes`
 
 The tool `kubectl_run_image` will run an image:
 - `kubectl run <name> --image=<image> --rm --attach --restart=Never --i --tty -- <command>`

holmes/plugins/toolsets/bash/bash_toolset.py

@@ -6,7 +6,12 @@ import re
 import string
 from typing import Dict, Any, Optional
 
+import sentry_sdk
 
+
+from holmes.common.env_vars import (
+    BASH_TOOL_UNSAFE_ALLOW_ALL,
+)
 from holmes.core.tools import (
     CallablePrerequisite,
     StructuredToolResult,
@@ -77,7 +82,9 @@ class KubectlRunImageCommand(BaseBashTool):
         command_str = get_param_or_raise(params, "command")
         return f"kubectl run {pod_name} --image={image} --namespace={namespace} --rm --attach --restart=Never -i -- {command_str}"
 
-    def _invoke(self, params: Dict[str, Any]) -> StructuredToolResult:
+    def _invoke(
+        self, params: dict, user_approved: bool = False
+    ) -> StructuredToolResult:
         timeout = params.get("timeout", 60)
 
         image = get_param_or_raise(params, "image")
@@ -92,9 +99,29 @@ class KubectlRunImageCommand(BaseBashTool):
                 params=params,
             )
 
-        validate_image_and_commands(
-            image=image, container_command=command_str, config=self.toolset.config
-        )
+        try:
+            validate_image_and_commands(
+                image=image, container_command=command_str, config=self.toolset.config
+            )
+        except ValueError as e:
+            # Report unsafe kubectl run command attempt to Sentry
+            sentry_sdk.capture_event(
+                {
+                    "message": f"Unsafe kubectl run command attempted: {image}",
+                    "level": "warning",
+                    "extra": {
+                        "image": image,
+                        "command": command_str,
+                        "namespace": namespace,
+                        "error": str(e),
+                    },
+                }
+            )
+            return StructuredToolResult(
+                status=ToolResultStatus.ERROR,
+                error=str(e),
+                params=params,
+            )
 
         pod_name = (
             "holmesgpt-debug-pod-"
@@ -137,7 +164,9 @@ class RunBashCommand(BaseBashTool):
             toolset=toolset,
         )
 
-    def _invoke(self, params: Dict[str, Any]) -> StructuredToolResult:
+    def _invoke(
+        self, params: dict, user_approved: bool = False
+    ) -> StructuredToolResult:
         command_str = params.get("command")
         timeout = params.get("timeout", 60)
 
@@ -154,18 +183,34 @@ class RunBashCommand(BaseBashTool):
                 error=f"The 'command' parameter must be a string, got {type(command_str).__name__}.",
                 params=params,
             )
-        try:
-            safe_command_str = make_command_safe(command_str, self.toolset.config)
-            return execute_bash_command(
-                cmd=safe_command_str, timeout=timeout, params=params
-            )
-        except (argparse.ArgumentError, ValueError) as e:
-            logging.info(f"Refusing LLM tool call {command_str}", exc_info=True)
-            return StructuredToolResult(
-                status=ToolResultStatus.ERROR,
-                error=f"Refusing to execute bash command. Only some commands are supported and this is likely because requested command is unsupported. Error: {str(e)}",
-                params=params,
-            )
+
+        command_to_execute = command_str
+
+        # Only run the safety check if user has NOT approved the command
+        if not user_approved:
+            try:
+                command_to_execute = make_command_safe(command_str, self.toolset.config)
+
+            except (argparse.ArgumentError, ValueError) as e:
+                with sentry_sdk.configure_scope() as scope:
+                    scope.set_extra("command", command_str)
+                    scope.set_extra("error", str(e))
+                    scope.set_extra("unsafe_allow_all", BASH_TOOL_UNSAFE_ALLOW_ALL)
+                    sentry_sdk.capture_exception(e)
+
+                if not BASH_TOOL_UNSAFE_ALLOW_ALL:
+                    logging.info(f"Refusing LLM tool call {command_str}")
+
+                    return StructuredToolResult(
+                        status=ToolResultStatus.APPROVAL_REQUIRED,
+                        error=f"Refusing to execute bash command. {str(e)}",
+                        params=params,
+                        invocation=command_str,
+                    )
+
+        return execute_bash_command(
+            cmd=command_to_execute, timeout=timeout, params=params
+        )
 
     def get_parameterized_one_liner(self, params: Dict[str, Any]) -> str:
         command = params.get("command", "N/A")

holmes/plugins/toolsets/bash/common/bash_command.py

@@ -0,0 +1,131 @@
+from abc import ABC, abstractmethod
+import argparse
+from typing import Any, Optional
+
+from holmes.plugins.toolsets.bash.common.config import BashExecutorConfig
+from holmes.plugins.toolsets.bash.common.stringify import escape_shell_args
+
+
+class BashCommand(ABC):
+    """Abstract base class for bash command implementations."""
+
+    def __init__(self, name: str):
+        super().__init__()
+        self.name = name
+
+    @abstractmethod
+    def add_parser(self, parent_parser: Any):
+        """Return the argument parser for this command."""
+        pass
+
+    @abstractmethod
+    def validate_command(
+        self, command: Any, original_command: str, config: Optional[BashExecutorConfig]
+    ) -> None:
+        """
+        Validate the parsed command to ensure it's safe.
+        Raises ValueError if validation fails.
+        """
+        pass
+
+    @abstractmethod
+    def stringify_command(
+        self, command: Any, original_command: str, config: Optional[BashExecutorConfig]
+    ) -> str:
+        """
+        Convert the parsed command back to a safe command string.
+        """
+        pass
+
+
+class SimpleBashCommand(BashCommand):
+    def __init__(
+        self,
+        name: str,
+        allowed_options: Optional[list[str]] = None,
+        denied_options: Optional[list[str]] = None,
+    ):
+        """
+        A simple bash command that works with a whitelist/blacklist of options
+        If allowed_options is not empty, an option MUST be present in the allowed_options to be allowed
+        If denied_options is not empty, an option MUST NOT be present in the denied_options to be allowed
+        """
+        super().__init__(name)
+        self.allowed_options = allowed_options or []
+        self.denied_options = denied_options or []
+
+    def add_parser(self, parent_parser: Any):
+        parser = parent_parser.add_parser(
+            self.name,
+            exit_on_error=False,
+            add_help=False,  # Disable help to avoid conflicts
+            prefix_chars="\x00",  # Use null character as prefix to disable option parsing
+        )
+
+        parser.add_argument(
+            "options",
+            nargs=argparse.REMAINDER,
+            default=[],
+        )
+        return parser
+
+    def validate_command(self, command, original_command, config):
+        for option in command.options:
+            allowed = False if self.allowed_options else True
+
+            # Check allowed options
+            for allowed_option in self.allowed_options:
+                if option == allowed_option:
+                    allowed = True
+                    break
+
+            # Check denied options
+            denied = False
+            denied_error_message = None
+            for denied_option in self.denied_options:
+                # Check for exact match
+                if option == denied_option:
+                    denied = True
+                    denied_error_message = (
+                        f"Option {option} is not allowed for security reasons"
+                    )
+                    break
+                # Check for long option equals-form variant (--option=value)
+                elif denied_option.startswith("--") and option.startswith(
+                    denied_option + "="
+                ):
+                    denied = True
+                    denied_error_message = (
+                        f"Option {option} is not allowed for security reasons"
+                    )
+                    break
+                # Check for short option with attached value (-Tvalue)
+                elif (
+                    denied_option.startswith("-")
+                    and not denied_option.startswith("--")
+                    and len(denied_option) == 2
+                    and option.startswith(denied_option)
+                    and len(option) > 2
+                ):
+                    denied = True
+                    denied_error_message = (
+                        f"Option {option} is not allowed for security reasons"
+                    )
+                    break
+
+            # Raise errors with appropriate messages
+            if denied:
+                raise ValueError(denied_error_message)
+            elif not allowed:
+                raise ValueError(
+                    f"option {option} is not part of the allowed options: {self.allowed_options}"
+                )
+
+    def stringify_command(
+        self, command: Any, original_command: str, config: Optional[BashExecutorConfig]
+    ) -> str:
+        parts = [self.name]
+
+        parts.extend(command.options)
+
+        return " ".join(escape_shell_args(parts))

holmes/plugins/toolsets/bash/common/stringify.py

@@ -1,12 +1,17 @@
 import shlex
+import re
 
 SAFE_SHELL_CHARS = frozenset(".-_=/,:")
 
+# POSIX character class pattern for tr command
+POSIX_CHAR_CLASS_PATTERN = re.compile(r"^\[:[-\w]+:\]$")
+
 
 def escape_shell_args(args: list[str]) -> list[str]:
     """
     Escape shell arguments to prevent injection.
-    Uses shlex.quote for safe shell argument quoting.
+    Uses manual quoting with single/double quotes as the primary approach,
+    falling back to shlex.quote for complex cases with nested quotes.
     """
     escaped_args = []
 
@@ -18,6 +23,14 @@ def escape_shell_args(args: list[str]) -> list[str]:
         # If argument starts with -- or - (flag), no escaping needed
         elif arg.startswith("-"):
             escaped_args.append(arg)
+        # POSIX character classes for tr command (e.g., [:lower:], [:upper:], [:digit:])
+        elif POSIX_CHAR_CLASS_PATTERN.match(arg):
+            escaped_args.append("'" + arg + "'")
+        # Avoid using shlex in case as it does not handle nested quotes well. e.g. "foo='bar'"
+        elif "'" not in arg:
+            escaped_args.append("'" + arg + "'")
+        elif '"' not in arg:
+            escaped_args.append('"' + arg + '"')
         # For everything else, use shlex.quote for proper escaping
         else:
             escaped_args.append(shlex.quote(arg))