core: add potentially dangerous command check (#4211)

Certain shell commands are potentially dangerous, and we want to check for them. Unless the user has explicitly approved a command, we will *always* ask them for approval when one of these commands is encountered, regardless of whether they are in a sandbox, or what their approval policy is. The first (of probably many) such examples is `git reset --hard`. We will be conservative and check for any `git reset`
2025-09-25 19:46:20 -07:00
parent a10403d697
commit eb2b739d6a
5 changed files with 172 additions and 8 deletions
--- a/codex-rs/core/src/bash.rs
+++ b/codex-rs/core/src/bash.rs
@@ -88,6 +88,21 @@ pub fn try_parse_word_only_commands_sequence(tree: &Tree, src: &str) -> Option<V
    Some(commands)
 }

+/// Returns the sequence of plain commands within a `bash -lc "..."` invocation
+/// when the script only contains word-only commands joined by safe operators.
+pub fn parse_bash_lc_plain_commands(command: &[String]) -> Option<Vec<Vec<String>>> {
+    let [bash, flag, script] = command else {
+        return None;
+    };
+
+    if bash != "bash" || flag != "-lc" {
+        return None;
+    }
+
+    let tree = try_parse_bash(script)?;
+    try_parse_word_only_commands_sequence(&tree, script)
+}
+
 fn parse_plain_command_from_node(cmd: tree_sitter::Node, src: &str) -> Option<Vec<String>> {
    if cmd.kind() != "command" {
        return None;