Skip to content

Update list of default allowed commands #7404

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 26, 2025
Merged

Update list of default allowed commands #7404

merged 1 commit into from
Aug 26, 2025

Conversation

@mrubens
Copy link
Collaborator

@mrubens mrubens commented Aug 26, 2025
edited by ellipsis-dev bot
Loading

Thanks @thelicato for flagging that some of these default commands can be unsafe.

Important

Removed unsafe commands from default allowed list and added migration to update existing settings.

  • Behavior:
    • Removed npm test, npm install, and tsc from default allowed commands in package.json.
    • Added migrateDefaultCommands() in migrateSettings.ts to remove these commands from existing settings.
    • Migration is marked complete after execution to prevent re-running.
  • Tests:
    • Added migrateSettings.spec.ts to test migrateDefaultCommands() for various scenarios, including case-insensitive matching and handling of non-array allowedCommands.
  • Misc:
    • Updated docstring in migrateSettings.ts to reflect new migration functionality.

This description was created by Ellipsis for f9c17b3. You can customize this summary. It will automatically update as commits are pushed.

@mrubens mrubens requested review from cte and jr as code owners August 26, 2025 04:34
@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Aug 26, 2025
roomote[bot]
roomote bot reviewed Aug 26, 2025
View reviewed changes
Copy link
Contributor

@roomote roomote bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this important security fix! The implementation correctly addresses the vulnerability where npm install/test can run malicious postinstall scripts. I've reviewed the changes and have a couple of suggestions for consideration.

src/utils/migrateSettings.ts
outputChannel: vscode.OutputChannel,
): Promise<void> {
// First, migrate commands from old defaults (security fix)
await migrateDefaultCommands(context, outputChannel)
Copy link
Contributor

@roomote roomote bot Aug 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the order intentional here? The function now calls migrateDefaultCommands() first, then handles file migrations. If the migration fails partway through, users might have their commands migrated but not their files. Would it make sense to wrap these in separate try-catch blocks or consider the order of operations?

src/utils/migrateSettings.ts
const originalLength = allowedCommands.length
const filteredCommands = allowedCommands.filter((cmd) => {
const cmdLower = cmd.toLowerCase().trim()
return !oldDefaultCommands.some((oldDefault) => cmdLower === oldDefault.toLowerCase())
Copy link
Contributor

@roomote roomote bot Aug 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great implementation detail! The migration correctly only removes exact matches (e.g., 'npm install') while preserving commands with arguments (e.g., 'npm install express'). This is a thoughtful approach that maintains user flexibility while addressing the security concern.

src/utils/__tests__/migrateSettings.spec.ts
)
})

it("should only remove exact matches, not commands with arguments", async () => {
Copy link
Contributor

@roomote roomote bot Aug 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent test coverage! This test suite thoroughly covers edge cases including case-insensitive matching, commands with arguments, error handling, and the one-time migration flag. The test for ensuring exact matches only (lines 263-294) is particularly important for validating the security fix doesn't over-reach.

@hannesrudolph hannesrudolph added the Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. label Aug 26, 2025
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Aug 26, 2025
@mrubens mrubens merged commit 8684877 into main Aug 26, 2025
22 checks passed
@mrubens mrubens deleted the update_default_approved_commands branch August 26, 2025 04:56
@github-project-automation github-project-automation bot moved this from Triage to Done in Roo Code Roadmap Aug 26, 2025
@github-project-automation github-project-automation bot moved this from New to Done in Roo Code Roadmap Aug 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roomote roomote[bot] roomote[bot] left review comments

@cte cte cte approved these changes

@jr jr Awaiting requested review from jr jr is a code owner

Assignees

No one assigned

Labels

Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. lgtm This PR has been approved by a maintainer size:L This PR changes 100-499 lines, ignoring generated files.

Projects

Roo Code Roadmap
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mrubens @cte @hannesrudolph