feat(permissions): implement preset-based permission system with bash defense #76

Merged
ph merged 2 commits from feat/permissions into master 2026-06-12 10:33:38 +00:00
Owner

Overview

Implements a Preset-based permission system in which every tool checks its own permissions before executing.

Core design

Permission checks live inside the tools: bash/write/edit/read each call permissions.FromContext(ctx) to check permissions.

Preset bundles: three permission configurations are defined, and they directly determine each tool's behaviour:

| Preset  | read             | write/edit             | bash                             |
|---------|------------------|------------------------|----------------------------------|
| safe    | allow (anywhere) | ask                    | ask                              |
| project | allow (anywhere) | allow (inside project) | allow + rm/sudo require approval |
| full    | allow (anywhere) | allow (inside project) | allow + sudo denied              |

Three-layer bash defense

  1. Static analysis - detects path traversal, subshells, pipe-to-shell, interpreter execution and command substitution
  2. Scope check - extracts every path and checks whether it lies inside the project directory
  3. Approval flow - high-risk commands such as rm/curl/wget require user confirmation

Security features

  • Symlink protection: filepath.EvalSymlinks prevents ln -s bypasses
  • Shell builtin interception: eval, exec and source are added to the deny list
  • Word-boundary matching: sudo matches sudo apt install but not mkdir sudo_a
  • Command wrapping: forces cd into the project directory and clears LD_PRELOAD and BASH_ENV

New files

  • internal/permissions/ - core permissions package (types, permissions, bash_analyzer, bash_wrapper, approval, tests)
  • web/src/store/approval.ts - approval state management
  • web/src/components/ApprovalDialog.tsx - approval dialog

API endpoints

  • POST /api/sessions/:id/approve - handles approval responses (approve/approve_always/deny)
  • GET /api/sessions/:id/pending - lists pending approval requests

Configuration

```toml
[permissions]
preset = "project"  # safe | project | full
```

Test coverage

  • Pattern matching (exact, prefix, glob, word boundary)
  • Path scope checks (relative paths, absolute paths, symlinks)
  • Bash static analysis (traversal, subshell, pipe, interpreter, command substitution)
  • Preset behaviour verification
  • Tool integration (bash/write/edit/read)

Closes #43
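The static-analysis layer described in this PR, as an added Go example that is not the project's internal/permissions code: a hypothetical AnalyzeBash splits a command line into simple commands and applies deny/ask word lists, so the word-boundary property (sudo apt install hits, mkdir sudo_a does not) falls out of matching only each command's first word. The rule names, word lists and Finding type are assumptions.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding is one rule the analyzer tripped on; Action is "deny" or "ask". Constructed type, not the project's own.
type Finding struct{ Rule, Action string }

var (
	denyWords    = map[string]bool{"sudo": true, "eval": true, "exec": true, "source": true, ".": true}
	askWords     = map[string]bool{"rm": true, "curl": true, "wget": true}
	interpreters = map[string]bool{"python": true, "python3": true, "perl": true, "node": true, "ruby": true}
	segSplit     = regexp.MustCompile(`\s*(\|\||&&|[;&|])\s*`) // simple-command separators
	traversal    = regexp.MustCompile(`(^|[\s/=])\.\.(/|\s|$)`) // a ".." path component
)

// AnalyzeBash is the static-analysis layer: any "deny" finding is fatal, any "ask" finding needs approval.
func AnalyzeBash(cmd string) []Finding {
	var out []Finding
	if strings.Contains(cmd, "$(") || strings.Contains(cmd, "`") {
		out = append(out, Finding{"command-substitution", "deny"})
	}
	if strings.Count(cmd, "(") > strings.Count(cmd, "$(") { // a "(" that is not "$(" opens a subshell
		out = append(out, Finding{"subshell", "deny"})
	}
	if traversal.MatchString(cmd) {
		out = append(out, Finding{"path-traversal", "deny"})
	}
	// Matching only the first word of each simple command gives word-boundary matching for free.
	segs, seps := segSplit.Split(cmd, -1), segSplit.FindAllString(cmd, -1)
	for i, seg := range segs {
		fields := strings.Fields(seg)
		if len(fields) == 0 {
			continue
		}
		switch head := fields[0]; {
		case denyWords[head]:
			out = append(out, Finding{"deny-command:" + head, "deny"})
		case (head == "sh" || head == "bash") && i > 0 && strings.TrimSpace(seps[i-1]) == "|":
			out = append(out, Finding{"pipe-to-shell", "deny"}) // e.g. curl ... | sh
		case interpreters[head] && len(fields) > 1 && (fields[1] == "-c" || fields[1] == "-e"):
			out = append(out, Finding{"interpreter-exec", "deny"})
		case askWords[head]:
			out = append(out, Finding{"needs-approval:" + head, "ask"})
		}
	}
	return out
}
```

The subshell rule is deliberately coarse (any bare parenthesis), which is the conservative choice for a guard that can always fall back to asking the user.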

Implements a comprehensive permission system to intercept and control agent
tool execution, addressing security concerns with autonomous AI agents.

## Core Features

- **Permission Modes**: ask (approve all writes), auto (approve high-risk only), yolo (allow all)
- **Presets**: safe, project, full - predefined permission configurations
- **Bash Static Analysis**: Detects path traversal, subshell injection, pipe-to-shell,
  interpreter execution, command substitution
- **Bash Command Wrapper**: Forces execution within project directory, clears dangerous
  environment variables (LD_PRELOAD, BASH_ENV, CDPATH)
- **Scope Checking**: Restricts file operations to project directory (with symlink resolution)
- **Approval Flow**: SSE-based approval requests with frontend dialog

## Tool Integration

- bash: Three-layer defense (static analysis → scope check → approval)
- write/edit: Path scope checking with approval for out-of-scope operations
- read: Scope checking in safe mode

## Security Fixes (from code review)

- Symlink bypass prevention via filepath.EvalSymlinks
- Shell builtins blocked (eval, exec, source, .)
- Command substitution detection ( and backticks)
- Curl/Wget pipe-to-shell detection
- Word-boundary matching to prevent false positives

## API Endpoints

- POST /api/sessions/:id/approve - Handle approval responses
- GET /api/sessions/:id/pending - List pending approvals
- POST /api/sessions/:id/mode - Change permission mode

## Configuration

## Testing

- Pattern matching tests (exact, prefix, glob, word boundary)
- Path scope checking tests
- Bash analysis tests (traversal, subshell, pipe, interpreter)
- Permission mode behavior tests
- Preset validation tests
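The scope check with symlink resolution that this commit message and the PR description both mention, as an added Go example rather than the project's own code: a hypothetical InScope resolves the project directory and the target with filepath.EvalSymlinks and decides with filepath.Rel, and it also handles a target that does not exist yet, which is the write tool's normal case. The function name and its handling of missing paths are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// InScope reports whether target resolves to a path inside projectDir. Both sides
// go through filepath.EvalSymlinks, so a link created inside the project (ln -s
// /etc project/escape) cannot point a tool at files outside it. Constructed
// example, not the project's own internal/permissions code.
func InScope(projectDir, target string) (bool, error) {
	root, err := filepath.EvalSymlinks(projectDir)
	if err != nil {
		return false, err
	}
	if !filepath.IsAbs(target) {
		target = filepath.Join(root, target) // relative paths are project-relative
	}
	// The target may not exist yet (write tool), so resolve the deepest existing
	// ancestor and re-attach the missing tail; symlinked parents still count.
	resolved, tail := filepath.Clean(target), ""
	for {
		p, err := filepath.EvalSymlinks(resolved)
		if err == nil {
			resolved = filepath.Join(p, tail)
			break
		}
		if !errors.Is(err, os.ErrNotExist) {
			return false, err
		}
		tail = filepath.Join(filepath.Base(resolved), tail)
		resolved = filepath.Dir(resolved)
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil {
		return false, err
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)), nil
}

func main() {
	cwd, _ := os.Getwd()
	for _, t := range []string{"src/main.go", "../outside/secret", "/etc/passwd"} {
		ok, err := InScope(cwd, t)
		fmt.Println(t, "in scope:", ok, err)
	}
}
```

A dangling symlink at the final path component is treated as a plain file name here, so a write through it would land wherever the link points; a stricter variant can Lstat the last component and reject symlinks outright.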
ph changed title from feat(permissions): implement multi-level permission system to feat(permissions): implement tool-level permission system with bash defense 2026-06-12 10:24:43 +00:00
Simplify permission system by removing the Mode (ask/auto/yolo) concept.
Now permissions are determined solely by the Preset configuration.

- Remove PermissionMode type and related code
- Remove /api/sessions/:id/mode endpoint
- Update tools to use preset rules directly
- Update tests to reflect new behavior
ph changed title from feat(permissions): implement tool-level permission system with bash defense to feat(permissions): implement preset-based permission system with bash defense 2026-06-12 10:31:03 +00:00
ph merged commit 744203f4b5 into master 2026-06-12 10:33:38 +00:00
ph deleted branch feat/permissions 2026-06-12 10:33:39 +00:00
Reference
ph/agentic!76