harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

feat(security): support wildcard "*" in allowed_commands

Browse source 
Allow `allowed_commands = ["*"]` to bypass the command allowlist check.
Hardcoded safety blocks (subshell operators, redirections, tee,
background &) still apply regardless of wildcard.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
harald 2026-02-25 12:21:04 +01:00
parent a7590f9fdc
commit 05e1102af9
1 changed files with 21 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

19
src/security/policy.rs
View file

@ -414,7 +414,9 @@ impl SecurityPolicy {
continue;
}
if !self
let allow_all = self.allowed_commands.iter().any(|c| c == "*");
if !allow_all
&& !self
.allowed_commands
.iter()
.any(|allowed| allowed == base_cmd)
@ -702,6 +704,21 @@ mod tests {
assert!(!p.is_command_allowed("node malicious.js"));
}
#[test]
fn wildcard_allowed_commands_permits_any_binary() {
let p = SecurityPolicy {
allowed_commands: vec!["*".into()],
..SecurityPolicy::default()
};
assert!(p.is_command_allowed("curl http://example.com"));
assert!(p.is_command_allowed("wget http://example.com"));
assert!(p.is_command_allowed("python3 script.py"));
assert!(p.is_command_allowed("node app.js"));
// Subshell/redirect blocks still apply
assert!(!p.is_command_allowed("echo $(rm -rf /)"));
assert!(!p.is_command_allowed("echo hello > /etc/passwd"));
}
#[test]
fn readonly_blocks_all_commands() {
let p = readonly_policy();