fix: tool repeated invocation

Zerofisher · Zerofisher · commit cd9d81e3953c · 2025-10-27T22:17:51.000+08:00
diff --git a/pkg/llm/openai/converter.go b/pkg/llm/openai/converter.go
@@ -63,10 +63,45 @@ func convertMessages(messages []types.Message) []openaisdk.ChatCompletionMessage
 		case "assistant":
 			toolUses := msg.GetToolUses()
 			if len(toolUses) > 0 {
-				// Assistant message with tool calls - need to use ToParam from actual message
-				// For now, just send text content
+				// Assistant message with tool calls
+				assistantMsg := openaisdk.ChatCompletionAssistantMessageParam{
+					Role: "assistant",
+				}
+
+				// Add text content if present
 				text := msg.GetText()
-				result = append(result, openaisdk.AssistantMessage(text))
+				if text != "" {
+					assistantMsg.Content = openaisdk.ChatCompletionAssistantMessageParamContentUnion{
+						OfString: openaisdk.String(text),
+					}
+				}
+
+				// Convert tool uses to OpenAI format
+				toolCalls := make([]openaisdk.ChatCompletionMessageToolCallUnionParam, 0, len(toolUses))
+				for _, tu := range toolUses {
+					// Convert input map to JSON string
+					argsJSON, err := json.Marshal(tu.Input)
+					if err != nil {
+						// If marshal fails, use an error object
+						argsJSON = []byte(fmt.Sprintf(`{"error": "failed to marshal input: %v"}`, err))
+					}
+
+					toolCall := openaisdk.ChatCompletionMessageToolCallUnionParam{
+						OfFunction: &openaisdk.ChatCompletionMessageFunctionToolCallParam{
+							ID: tu.ID,
+							Function: openaisdk.ChatCompletionMessageFunctionToolCallFunctionParam{
+								Name:      tu.Name,
+								Arguments: string(argsJSON),
+							},
+						},
+					}
+					toolCalls = append(toolCalls, toolCall)
+				}
+				assistantMsg.ToolCalls = toolCalls
+
+				result = append(result, openaisdk.ChatCompletionMessageParamUnion{
+					OfAssistant: &assistantMsg,
+				})
 			} else {
 				text := msg.GetText()
 				result = append(result, openaisdk.AssistantMessage(text))
diff --git a/pkg/tools/security.go b/pkg/tools/security.go
@@ -226,9 +226,10 @@ func (v *DefaultSecurityValidator) CheckPermission(tool string, input map[string
 	// Tool-specific permission checks
 	switch tool {
 	case "bash", "shell", "execute":
-		if cmd, ok := input["command"].(string); ok {
-			return v.ValidateCommand(cmd)
-		}
+		// Bash tool has its own comprehensive validator in pkg/tools/bash/validator.go
+		// that handles command validation with more nuanced rules (e.g., allows limited
+		// command chaining). We skip validation here to avoid duplicate/conflicting checks.
+		return nil
 
 	case "file_read", "file_write", "edit":
 		if path, ok := input["path"].(string); ok {
@@ -258,31 +259,44 @@ func (v *DefaultSecurityValidator) CheckPermission(tool string, input map[string
 func containsShellInjection(cmd string) bool {
 	// Check for common injection patterns
 	injectionPatterns := []string{
-		"$(",      // Command substitution
-		"`",       // Backticks for command substitution
-		"&&",      // Command chaining
-		"||",      // Command chaining
-		";",       // Command separator
-		"|",       // Pipe (could be dangerous)
-		"$(IFS",   // IFS manipulation
-		"${IFS",   // IFS manipulation
-		"\n",      // Newline injection
-		"\r",      // Carriage return injection
+		"$(",    // Command substitution
+		"`",     // Backticks for command substitution
+		"$(IFS", // IFS manipulation
+		"${IFS", // IFS manipulation
+		"\r",    // Carriage return injection
 	}
 
 	for _, pattern := range injectionPatterns {
 		if strings.Contains(cmd, pattern) {
-			// Allow some safe patterns
-			if pattern == "|" {
-				// Allow simple pipes like "ls | grep"
-				if !strings.Contains(cmd, "||") && !strings.Contains(cmd, "|&") {
-					continue
-				}
-			}
 			return true
 		}
 	}
 
+	// Check for dangerous command chaining with newlines
+	// Allow \n in quoted strings or heredocs, but not for command injection
+	if strings.Contains(cmd, "\n") {
+		// Simple heuristic: if there are multiple command-like structures, it's suspicious
+		lines := strings.Split(cmd, "\n")
+		if len(lines) > 1 {
+			// Allow heredocs (cat << EOF)
+			if !strings.Contains(cmd, "<<") && !strings.Contains(cmd, "EOF") {
+				return true
+			}
+		}
+	}
+
+	// Check for command chaining and separators (security risk)
+	// Block && (and), || (or), and ; (separator) to prevent command injection
+	if strings.Contains(cmd, "&&") {
+		return true
+	}
+	if strings.Contains(cmd, "||") {
+		return true
+	}
+	if strings.Contains(cmd, ";") {
+		return true
+	}
+
 	return false
 }
 
diff --git a/pkg/tools/security_test.go b/pkg/tools/security_test.go
@@ -229,20 +229,20 @@ func TestDefaultSecurityValidator_CheckPermission(t *testing.T) {
 		wantErr bool
 	}{
 		{
-			name: "bash with valid command",
+			name: "bash with valid command - delegated to bash tool validator",
 			tool: "bash",
 			input: map[string]interface{}{
 				"command": "ls -la",
 			},
 			wantErr: false,
 		},
 		{
-			name: "bash with forbidden command",
+			name: "bash with any command - delegated to bash tool validator",
 			tool: "bash",
 			input: map[string]interface{}{
 				"command": "rm -rf /",
 			},
-			wantErr: true,
+			wantErr: false, // Changed: CheckPermission now delegates to bash tool's own validator
 		},
 		{
 			name: "file_read with valid path",
diff --git a/pkg/types/message.go b/pkg/types/message.go
@@ -48,7 +48,7 @@ func NewToolUseMessage(toolUse *ToolUse) Message {
 // NewToolResultMessage creates a new message with tool result content
 func NewToolResultMessage(toolResult *ToolResult) Message {
 	return Message{
-		Role: "user",
+		Role: "tool",
 		Content: []Content{
 			{
 				Type:       "tool_result",
@@ -101,7 +101,7 @@ func (m *Message) Validate() error {
 		return fmt.Errorf("message role cannot be empty")
 	}
 
-	if m.Role != "user" && m.Role != "assistant" && m.Role != "system" {
+	if m.Role != "user" && m.Role != "assistant" && m.Role != "system" && m.Role != "tool" {
 		return fmt.Errorf("invalid message role: %s", m.Role)
 	}
 
diff --git a/pkg/types/message_test.go b/pkg/types/message_test.go
@@ -66,8 +66,8 @@ func TestMessage_NewToolResultMessage(t *testing.T) {
 
 	msg := NewToolResultMessage(toolResult)
 
-	if msg.Role != "user" {
-		t.Errorf("expected role 'user', got '%s'", msg.Role)
+	if msg.Role != "tool" {
+		t.Errorf("expected role 'tool', got '%s'", msg.Role)
 	}
 
 	if len(msg.Content) != 1 {

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ func NewToolUseMessage(toolUse *ToolUse) Message {`
`48`	`48`	`// NewToolResultMessage creates a new message with tool result content`
`49`	`49`	`func NewToolResultMessage(toolResult *ToolResult) Message {`
`50`	`50`	`return Message{`
`51`		`- Role: "user",`
	`51`	`+ Role: "tool",`
`52`	`52`	`Content: []Content{`
`53`	`53`	`{`
`54`	`54`	`Type: "tool_result",`
`@@ -101,7 +101,7 @@ func (m *Message) Validate() error {`
`101`	`101`	`return fmt.Errorf("message role cannot be empty")`
`102`	`102`	`}`
`103`	`103`
`104`		`- if m.Role != "user" && m.Role != "assistant" && m.Role != "system" {`
	`104`	`+ if m.Role != "user" && m.Role != "assistant" && m.Role != "system" && m.Role != "tool" {`
`105`	`105`	`return fmt.Errorf("invalid message role: %s", m.Role)`
`106`	`106`	`}`
`107`	`107`
Original file line number	Diff line number	Diff line change
`@@ -66,8 +66,8 @@ func TestMessage_NewToolResultMessage(t *testing.T) {`
`66`	`66`
`67`	`67`	`msg := NewToolResultMessage(toolResult)`
`68`	`68`
`69`		`- if msg.Role != "user" {`
`70`		`- t.Errorf("expected role 'user', got '%s'", msg.Role)`
	`69`	`+ if msg.Role != "tool" {`
	`70`	`+ t.Errorf("expected role 'tool', got '%s'", msg.Role)`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`if len(msg.Content) != 1 {`