valknar/llmx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): Shell commands auto-executing in 'suggest' mode without permission (#197)

Browse Source 
## Problem

There's a security vulnerability in the current implementation where
shell commands are being executed without requesting user permission
even when in 'suggest' mode. According to our documentation:

> In **Suggest** mode (default): All file writes/patches and **ALL
shell/Bash commands** should require approval.

However, the current implementation in `approvals.ts` was auto-approving
commands deemed "safe" by the `isSafeCommand` function, bypassing the
user permission requirement. This is a security risk as users expect all
shell commands to require explicit approval in 'suggest' mode.

## Solution

This PR fixes the issue by modifying the `canAutoApprove` function in
`approvals.ts` to respect the 'suggest' mode policy for all shell
commands:

1. Added an early check at the beginning of `canAutoApprove` to
immediately return `{ type: "ask-user" }` when the policy is `suggest`,
regardless of whether the command is considered "safe" or not.

2. Added a similar check in the bash command handling section to ensure
bash commands also respect the 'suggest' mode.

3. Updated tests to verify the new behavior, ensuring that all shell
commands require approval in 'suggest' mode, while still being
auto-approved in 'auto-edit' and 'full-auto' modes when appropriate.

## Testing

All tests pass, confirming that the fix works as expected. The updated
tests verify that:
- All commands (even "safe" ones) require approval in 'suggest' mode
- Safe commands are still auto-approved in 'auto-edit' mode
- Bash commands with redirects still require approval in all modes

This change ensures that the behavior matches what's documented and what
users expect, improving security by requiring explicit permission for
all shell commands in the default 'suggest' mode.
This commit is contained in:
Brayden Moon
2025-04-18 00:15:02 +10:00
committed by GitHub
parent af69e793e7
commit b62ef70d2a
2 changed files with 83 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
codex-cli/src/approvals.ts
View File

@@ -84,6 +84,11 @@ export function canAutoApprove(
};
}
// In 'suggest' mode, all shell commands should require user permission
if (policy === "suggest") {
return { type: "ask-user" };
}
const isSafe = isSafeCommand(command);
if (isSafe != null) {
const { reason, group } = isSafe;
@@ -112,23 +117,23 @@ export function canAutoApprove(
} catch (e) {
// In practice, there seem to be syntactically valid shell commands that
// shell-quote cannot parse, so we should not reject, but ask the user.
switch (policy) {
case "full-auto":
// In full-auto, we still run the command automatically, but must
// restrict it to the sandbox.
return {
type: "auto-approve",
reason: "Full auto mode",
group: "Running commands",
runInSandbox: true,
};
case "suggest":
case "auto-edit":
// In all other modes, since we cannot reason about the command, we
// should ask the user.
return {
type: "ask-user",
};
// We already checked for 'suggest' mode at the beginning of the function,
// so at this point we know policy is either 'auto-edit' or 'full-auto'
if (policy === "full-auto") {
// In full-auto, we still run the command automatically, but must
// restrict it to the sandbox.
return {
type: "auto-approve",
reason: "Full auto mode",
group: "Running commands",
runInSandbox: true,
};
} else {
// In auto-edit mode, since we cannot reason about the command, we
// should ask the user.
return {
type: "ask-user",
};
}
}
@@ -138,6 +143,9 @@ export function canAutoApprove(
// all operators belong to an allowlist. If so, the entire expression is
// considered autoapprovable.
// We already checked for 'suggest' mode at the beginning of the function,
// so at this point we know policy is either 'auto-edit' or 'full-auto'
const shellSafe = isEntireShellExpressionSafe(bashCmd);
if (shellSafe != null) {
const { reason, group } = shellSafe;