@roomote
Contributor

@roomote roomote bot commented Aug 19, 2025

Summary

This PR addresses issue #7204 by adding explicit warnings to prevent models from attempting to bypass .rooignore restrictions using terminal commands.

Problem

When files are blocked by .rooignore, the model would sometimes try to work around the restriction by using terminal commands like cat, head, or tail to read the file contents, which violates the user's explicit access restrictions.

Solution

Added clear instructions in two places:

  1. Error messages: When a file access is blocked, the error message now explicitly warns against using terminal commands to bypass the restriction
  2. System prompt: The .rooignore instructions shown to the model now include a warning not to attempt bypassing restrictions

Changes

  • Updated rooIgnoreError message in src/core/prompts/responses.ts to include warning about terminal command bypass
  • Updated .rooignore instructions in src/core/ignore/RooIgnoreController.ts to include the same warning
  • Updated tests to verify the new warning messages are included

Testing

  • All existing tests pass
  • Updated tests verify the new warning messages are present in both error responses and system prompt instructions

Fixes #7204

cc @daniel-lxs


Important

Adds warnings in error messages and system prompts to prevent bypassing .rooignore restrictions using terminal commands.

  • Behavior:
    • Updates rooIgnoreError in responses.ts to warn against using terminal commands to bypass .rooignore restrictions.
    • Updates .rooignore instructions in RooIgnoreController.ts to include the same warning.
  • Testing:
    • Updates tests in RooIgnoreController.spec.ts and responses-rooignore.spec.ts to verify new warning messages.
    • Ensures tests in readFileTool.spec.ts reflect changes in error message format.

This description was created by Ellipsis for a1173b9.

- Updated error message when files are blocked by .rooignore to explicitly warn against using terminal commands to bypass restrictions
- Added clear instructions in .rooignore system prompt to not attempt bypassing restrictions
- Updated tests to verify the new warning messages are included

Fixes #7204
@roomote roomote bot requested review from cte, jr and mrubens as code owners August 19, 2025 14:05
@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. bug Something isn't working documentation Improvements or additions to documentation labels Aug 19, 2025
@mrubens
Collaborator

mrubens commented Aug 19, 2025

Separate from the prompting change, there is code to try to block fileReadingCommands - is that not working correctly?

Contributor Author

@roomote roomote bot left a comment

Reviewing my own code is like grading my own homework - suspicious but necessary.

}

return `# .rooignore\n\n(The following is provided by a root-level .rooignore file where the user has specified files and directories that should not be accessed. When using list_files, you'll notice a ${LOCK_TEXT_SYMBOL} next to files that are blocked. Attempting to access the file's contents e.g. through read_file will result in an error.)\n\n${this.rooIgnoreContent}\n.rooignore`
return `# .rooignore\n\n(The following is provided by a root-level .rooignore file where the user has specified files and directories that should not be accessed. When using list_files, you'll notice a ${LOCK_TEXT_SYMBOL} next to files that are blocked. Attempting to access the file's contents e.g. through read_file will result in an error. IMPORTANT: Do NOT attempt to bypass these restrictions by using terminal commands to read the file contents - this violates the user's explicit access restrictions.)\n\n${this.rooIgnoreContent}\n.rooignore`
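Review bot: the sentence appended inside the parenthetical of the returned string ("IMPORTANT: Do NOT attempt to bypass these restrictions by using terminal commands ...") is an instruction to the model, not a control, so with this change alone a terminal command that names an ignored file is stopped only if the model complies. I would keep this text as a secondary hint and make sure the command path refuses such commands before they execute. The wording also differs slightly from the sentence added to rooIgnoreError ("these restrictions" here, "this restriction" plus a command list there); a shared constant would keep the two strings and their tests in sync.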
Contributor Author

The warning message works well, but I'm wondering if we should also enhance the validateCommand method (lines 111-160) to actively block terminal commands that attempt to read ignored files? Currently it returns the blocked file path but doesn't seem to be actively used to prevent command execution. Could this be a follow-up enhancement to make the restriction enforcement more robust?


rooIgnoreError: (path: string) =>
`Access to ${path} is blocked by the .rooignore file settings. You must try to continue in the task without using this file, or ask the user to update the .rooignore file.`,
`Access to ${path} is blocked by the .rooignore file settings. You must try to continue in the task without using this file, or ask the user to update the .rooignore file. IMPORTANT: Do NOT attempt to bypass this restriction by using terminal commands (like cat, head, tail, etc.) to read the file contents - this violates the user's explicit access restrictions.`,
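Review bot: the parenthetical "(like cat, head, tail, etc.)" in the new rooIgnoreError string names specific commands, and a model can read an example list as the boundary of what is disallowed. Stating the rule without examples, for instance "Do NOT use terminal commands to read this file", keeps it general and shortens an error string that is returned for every blocked path.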
Contributor Author

The warning message is quite verbose. Would it be clearer if we made it more concise? Something like: "IMPORTANT: Terminal commands must not be used to bypass .rooignore restrictions." Just a thought - the current version is certainly explicit about what not to do.

@daniel-lxs
Member

@mrubens I'll run some tests

@daniel-lxs daniel-lxs moved this from Triage to PR [Needs Prelim Review] in Roo Code Roadmap Aug 19, 2025
@daniel-lxs
Member

Closing this PR. The existing code in already blocks terminal commands from accessing .rooignore-protected files. This is properly integrated in at line 46. The additional warning messages in this PR are redundant since the blocking mechanism is working correctly.

@daniel-lxs daniel-lxs closed this Aug 26, 2025
@github-project-automation github-project-automation bot moved this from New to Done in Roo Code Roadmap Aug 26, 2025
@github-project-automation github-project-automation bot moved this from PR [Needs Prelim Review] to Done in Roo Code Roadmap Aug 26, 2025
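
The enforcement side of the question raised in this thread, as an added example that is not part of the PR or of Roo Code: a check that refuses a terminal command naming an ignored file before it runs. `findBlockedPath`, `guardCommand`, the command list and the simplified pattern matcher are all hypothetical.

```typescript
// Added example, hypothetical names. Constructed list of commands that read file arguments.
const FILE_READING_COMMANDS = new Set(["cat", "head", "tail", "less", "more", "grep"]);

// Translate a simplified ignore pattern (*, **, leading or trailing /) to a RegExp.
function patternToRegExp(pattern: string): RegExp {
  const body = pattern.replace(/^\/|\/$/g, "");
  const source = body
    .replace(/[.+?^${}()|\[\]\\]/g, "\\$&")
    .replace(/\*\*/g, "\u0000")
    .replace(/\*/g, "[^/]*")
    .replace(/\u0000/g, ".*");
  // Patterns containing a slash are anchored at the workspace root.
  const prefix = pattern.startsWith("/") || body.includes("/") ? "^" : "^(?:.*/)?";
  const suffix = pattern.endsWith("/") ? "/.*$" : "(?:/.*)?$";
  return new RegExp(prefix + source + suffix);
}

// Resolve "." and ".." so "./secrets/../.env" is compared as ".env".
function normalizePath(arg: string): string {
  const out: string[] = [];
  for (const seg of arg.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); else out.push(seg);
  }
  return out.join("/");
}

// Return the first ignored path a file-reading command names, or undefined.
function findBlockedPath(command: string, patterns: string[]): string | undefined {
  const rules = patterns.map(patternToRegExp);
  for (const segment of command.split(/\|\||&&|[|;&]/)) {
    const tokens = segment.trim().split(/\s+/).map((t) => t.replace(/^["']|["']$/g, ""));
    if (!FILE_READING_COMMANDS.has(tokens[0] ?? "")) continue;
    for (const arg of tokens.slice(1)) {
      if (arg.startsWith("-")) continue; // option flag, not a path
      const path = normalizePath(arg);
      if (rules.some((rule) => rule.test(path))) return path;
    }
  }
  return undefined;
}

// Enforcement point: the caller runs the command only when allowed is true.
function guardCommand(command: string, patterns: string[]): { allowed: boolean; reason?: string } {
  const blocked = findBlockedPath(command, patterns);
  return blocked === undefined
    ? { allowed: true }
    : { allowed: false, reason: `Access to ${blocked} is blocked by the .rooignore file settings.` };
}
```

Argument matching like this is best-effort; running the terminal in a sandbox without read access to the ignored paths is the stronger control.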
Labels

bug Something isn't working documentation Improvements or additions to documentation PR - Needs Preliminary Review size:S This PR changes 10-29 lines, ignoring generated files.

Projects

Archived in project

Development

Successfully merging this pull request may close these issues.

Roo works around .rooignore restrictions by using terminal commands
