harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

feat(security): support wildcard "*" in allowed_commands

Browse source 
Allow `allowed_commands = ["*"]` to bypass the command allowlist check.
Hardcoded safety blocks (subshell operators, redirections, tee,
background &) still apply regardless of wildcard.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
harald 2026-02-25 12:21:04 +01:00
parent a7590f9fdc
commit 05e1102af9
1 changed files with 21 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

25
src/security/policy.rs
View file

@ -414,10 +414,12 @@ impl SecurityPolicy {
continue; continue;
} }
if !self let allow_all = self.allowed_commands.iter().any(|c| c == "*");
.allowed_commands if !allow_all
.iter() && !self
.any(|allowed| allowed == base_cmd) .allowed_commands
.iter()
.any(|allowed| allowed == base_cmd)
{ {
return false; return false;
} }
@ -702,6 +704,21 @@ mod tests {
assert!(!p.is_command_allowed("node malicious.js")); assert!(!p.is_command_allowed("node malicious.js"));
} }
#[test]
fn wildcard_allowed_commands_permits_any_binary() {
let p = SecurityPolicy {
allowed_commands: vec!["*".into()],
..SecurityPolicy::default()
};
assert!(p.is_command_allowed("curl http://example.com"));
assert!(p.is_command_allowed("wget http://example.com"));
assert!(p.is_command_allowed("python3 script.py"));
assert!(p.is_command_allowed("node app.js"));
// Subshell/redirect blocks still apply
assert!(!p.is_command_allowed("echo $(rm -rf /)"));
assert!(!p.is_command_allowed("echo hello > /etc/passwd"));
}
#[test] #[test]
fn readonly_blocks_all_commands() { fn readonly_blocks_all_commands() {
let p = readonly_policy(); let p = readonly_policy();