diff options
| author | Dax Raad <[email protected]> | 2025-10-06 23:24:07 -0400 |
|---|---|---|
| committer | Dax Raad <[email protected]> | 2025-10-06 23:24:18 -0400 |
| commit | 2bf0e42367a0912d876bd37cfb29ae5a1718dc63 (patch) | |
| tree | 443acfcb773a36ad3174fd7ce8d19b069e76741d | |
| parent | 10998d62b9f0964926d4da967a21889eefe82a87 (diff) | |
| download | opencode-2bf0e42367a0912d876bd37cfb29ae5a1718dc63.tar.gz opencode-2bf0e42367a0912d876bd37cfb29ae5a1718dc63.zip | |
core: restore bash command security validation to prevent accidental directory traversal
The permission validation that prevents commands from accessing paths outside the project directory was accidentally disabled, which could allow commands like 'cd ../' to escape the workspace. This restores the security check that keeps your commands safely contained within your project boundaries.
| -rw-r--r-- | packages/opencode/src/tool/bash.ts | 22 | ||||
| -rw-r--r-- | packages/opencode/src/tool/test.ts | 4 |
2 files changed, 12 insertions, 14 deletions
diff --git a/packages/opencode/src/tool/bash.ts b/packages/opencode/src/tool/bash.ts index 1946ada1f..0e1d37ecf 100644 --- a/packages/opencode/src/tool/bash.ts +++ b/packages/opencode/src/tool/bash.ts @@ -3,17 +3,22 @@ import { exec } from "child_process" import { Tool } from "./tool" import DESCRIPTION from "./bash.txt" +import { Permission } from "../permission" +import { Filesystem } from "../util/filesystem" import { lazy } from "../util/lazy" import { Log } from "../util/log" +import { Wildcard } from "../util/wildcard" +import { $ } from "bun" import { Instance } from "../project/instance" +import { Agent } from "../agent/agent" const MAX_OUTPUT_LENGTH = 30_000 const DEFAULT_TIMEOUT = 1 * 60 * 1000 const MAX_TIMEOUT = 10 * 60 * 1000 -export const log = Log.create({ service: "bash-tool" }) +const log = Log.create({ service: "bash-tool" }) -export const parser = lazy(async () => { +const parser = lazy(async () => { try { const { default: Parser } = await import("tree-sitter") const Bash = await import("tree-sitter-bash") @@ -21,10 +26,8 @@ export const parser = lazy(async () => { p.setLanguage(Bash.language as any) return p } catch (e) { - const { Parser, Language } = await import("web-tree-sitter") - const { default: treeWasm } = await import("web-tree-sitter/web-tree-sitter.wasm" as string, { - with: { type: "wasm" }, - }) + const { default: Parser } = await import("web-tree-sitter") + const { default: treeWasm } = await import("web-tree-sitter/tree-sitter.wasm" as string, { with: { type: "wasm" } }) await Parser.init({ locateFile() { return treeWasm @@ -33,7 +36,7 @@ export const parser = lazy(async () => { const { default: bashWasm } = await import("tree-sitter-bash/tree-sitter-bash.wasm" as string, { with: { type: "wasm" }, }) - const bashLanguage = await Language.load(bashWasm) + const bashLanguage = await Parser.Language.load(bashWasm) const p = new Parser() p.setLanguage(bashLanguage) return p @@ -53,11 +56,7 @@ export const BashTool = Tool.define("bash", { }), async execute(params, ctx) { const timeout = Math.min(params.timeout ?? DEFAULT_TIMEOUT, MAX_TIMEOUT) - /* const tree = await parser().then((p) => p.parse(params.command)) - if (!tree) { - throw new Error("Failed to parse command") - } const permissions = await Agent.get(ctx.agent).then((x) => x.permission.bash) const askPatterns = new Set<string>() @@ -146,7 +145,6 @@ export const BashTool = Tool.define("bash", { }, }) } - */ const process = exec(params.command, { cwd: Instance.directory, diff --git a/packages/opencode/src/tool/test.ts b/packages/opencode/src/tool/test.ts index 14427c73c..81428ba96 100644 --- a/packages/opencode/src/tool/test.ts +++ b/packages/opencode/src/tool/test.ts @@ -6,7 +6,7 @@ const parser = async () => { p.setLanguage(Bash.language as any) return p } catch (e) { - const { Parser, Language } = await import("web-tree-sitter") + const { default: Parser } = await import("web-tree-sitter") const { default: treeWasm } = await import("web-tree-sitter/web-tree-sitter.wasm" as string, { with: { type: "wasm" }, }) @@ -18,7 +18,7 @@ const parser = async () => { const { default: bashWasm } = await import("tree-sitter-bash/tree-sitter-bash.wasm" as string, { with: { type: "wasm" }, }) - const bashLanguage = await Language.load(bashWasm) + const bashLanguage = await Parser.Language.load(bashWasm) const p = new Parser() p.setLanguage(bashLanguage) return p |
