feat(security): support wildcard "*" in allowed_commands

Allow `allowed_commands = ["*"]` to bypass the command allowlist check. Hardcoded safety blocks (subshell operators, redirections, tee, background &) still apply regardless of wildcard. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 12:21:04 +01:00 · 2026-02-25 12:21:04 +01:00 · 05e1102af9
commit 05e1102af9
parent a7590f9fdc
1 changed files with 21 additions and 4 deletions
--- a/src/security/policy.rs
+++ b/src/security/policy.rs
@ -414,10 +414,12 @@ impl SecurityPolicy {
                continue;
            }

-            if !self
-                .allowed_commands
-                .iter()
-                .any(|allowed| allowed == base_cmd)
+            let allow_all = self.allowed_commands.iter().any(|c| c == "*");
+            if !allow_all
+                && !self
+                    .allowed_commands
+                    .iter()
+                    .any(|allowed| allowed == base_cmd)
            {
                return false;
            }
@ -702,6 +704,21 @@ mod tests {
        assert!(!p.is_command_allowed("node malicious.js"));
    }

+    #[test]
+    fn wildcard_allowed_commands_permits_any_binary() {
+        let p = SecurityPolicy {
+            allowed_commands: vec!["*".into()],
+            ..SecurityPolicy::default()
+        };
+        assert!(p.is_command_allowed("curl http://example.com"));
+        assert!(p.is_command_allowed("wget http://example.com"));
+        assert!(p.is_command_allowed("python3 script.py"));
+        assert!(p.is_command_allowed("node app.js"));
+        // Subshell/redirect blocks still apply
+        assert!(!p.is_command_allowed("echo $(rm -rf /)"));
+        assert!(!p.is_command_allowed("echo hello > /etc/passwd"));
+    }
+
    #[test]
    fn readonly_blocks_all_commands() {
        let p = readonly_policy();