harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

docs(security): document single-ampersand blocking in command policy

Browse source
This commit is contained in:
Lawyered 2026-02-16 22:35:01 -05:00 committed by Will Sarg
parent e8088f624e
commit 8cf6c89ebc
1 changed files with 1 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
src/security/policy.rs
View file

@ -341,6 +341,7 @@ impl SecurityPolicy {
/// - Blocks subshell operators (`` ` ``, `$(`) that hide arbitrary execution /// - Blocks subshell operators (`` ` ``, `$(`) that hide arbitrary execution
/// - Splits on command separators (`|`, `&&`, `||`, `;`, newlines) and /// - Splits on command separators (`|`, `&&`, `||`, `;`, newlines) and
/// validates each sub-command against the allowlist /// validates each sub-command against the allowlist
/// - Blocks single `&` background chaining (`&&` remains supported)
/// - Blocks output redirections (`>`, `>>`) that could write outside workspace /// - Blocks output redirections (`>`, `>>`) that could write outside workspace
pub fn is_command_allowed(&self, command: &str) -> bool { pub fn is_command_allowed(&self, command: &str) -> bool {
if self.autonomy == AutonomyLevel::ReadOnly { if self.autonomy == AutonomyLevel::ReadOnly {