feat(chat): Add validation to fileRead, ListDir and ExecBash tools (#7008)

## Problem
We should ask for consensus tools accessing files/dirs outside of
workspace

## Solution
Add validation step when accessing files/dirs outside of workspace using
fsRead or listDirectories tools.

---

- Treat all work as PUBLIC. Private `feature/x` branches will not be
squash-merged at release time.
- Your code changes must meet the guidelines in
[CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines).
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.

Author: bywang56

packages/core/src/amazonq/webview/ui/apps/cwChatConnector.ts

@@ -323,7 +323,14 @@ export class Connector extends BaseConnector {
 
         if (
             !this.onChatAnswerUpdated ||
-            !['accept-code-diff', 'reject-code-diff', 'run-shell-command', 'reject-shell-command'].includes(action.id)
+            ![
+                'accept-code-diff',
+                'reject-code-diff',
+                'run-shell-command',
+                'reject-shell-command',
+                'confirm-tool-use',
+                'reject-tool-use',
+            ].includes(action.id)
         ) {
             return
         }
@@ -381,6 +388,28 @@ export class Connector extends BaseConnector {
                     },
                 }
                 break
+            case 'confirm-tool-use':
+                answer.header = {
+                    icon: 'shell' as MynahIconsType,
+                    body: 'shell',
+                    status: {
+                        icon: 'ok' as MynahIconsType,
+                        text: 'Accepted',
+                        status: 'success',
+                    },
+                }
+                break
+            case 'reject-tool-use':
+                answer.header = {
+                    icon: 'shell' as MynahIconsType,
+                    body: 'shell',
+                    status: {
+                        icon: 'cancel' as MynahIconsType,
+                        text: 'Rejected',
+                        status: 'error',
+                    },
+                }
+                break
             default:
                 break
         }

packages/core/src/codewhispererChat/controllers/chat/controller.ts

@@ -827,7 +827,12 @@ export class ChatController {
 
         const session = this.sessionStorage.getSession(message.tabID!)
         const currentToolUse = session.toolUseWithError?.toolUse
-        if (currentToolUse && currentToolUse.name === ToolType.ExecuteBash) {
+        if (
+            currentToolUse &&
+            (currentToolUse.name === ToolType.ExecuteBash ||
+                currentToolUse.name === ToolType.FsRead ||
+                currentToolUse.name === ToolType.ListDirectory)
+        ) {
             session.toolUseWithError.error = new Error('Tool use was rejected by the user.')
         } else {
             getLogger().error(
@@ -843,6 +848,7 @@ export class ChatController {
                 break
             case 'run-shell-command':
             case 'generic-tool-execution':
+            case 'confirm-tool-use':
                 await this.processToolUseMessage(message)
                 if (message.action.id === 'run-shell-command' && message.action.text === 'Run') {
                     this.telemetryHelper.recordInteractionWithAgenticChat(
@@ -860,6 +866,7 @@ export class ChatController {
                 this.telemetryHelper.recordInteractionWithAgenticChat(AgenticChatInteractionType.RejectDiff, message)
                 break
             case 'reject-shell-command':
+            case 'reject-tool-use':
                 await this.rejectShellCommand(message)
                 await this.processToolUseMessage(message)
                 break

packages/core/src/codewhispererChat/controllers/chat/messenger/messenger.ts

@@ -573,13 +573,13 @@ export class Messenger {
                 const buttons: ChatItemButton[] = [
                     {
                         id: 'reject-shell-command',
-                        text: localize('AWS.amazonq.executeBash.reject', 'Reject'),
+                        text: localize('AWS.generic.reject', 'Reject'),
                         status: 'clear',
                         icon: 'cancel' as MynahIconsType,
                     },
                     {
                         id: 'run-shell-command',
-                        text: localize('AWS.amazonq.executeBash.run', 'Run'),
+                        text: localize('AWS.generic.run', 'Run'),
                         status: 'clear',
                         icon: 'play' as MynahIconsType,
                     },
@@ -624,6 +624,28 @@ export class Messenger {
                 buttons,
                 fileList,
             }
+        } else if (toolUse?.name === ToolType.ListDirectory || toolUse?.name === ToolType.FsRead) {
+            if (validation.requiresAcceptance) {
+                const buttons: ChatItemButton[] = [
+                    {
+                        id: 'confirm-tool-use',
+                        text: localize('AWS.generic.run', 'Run'),
+                        status: 'main',
+                        icon: 'play' as MynahIconsType,
+                    },
+                    {
+                        id: 'reject-tool-use',
+                        text: localize('AWS.generic.reject', 'Reject'),
+                        status: 'clear',
+                        icon: 'cancel' as MynahIconsType,
+                    },
+                ]
+                header = {
+                    icon: 'shell' as MynahIconsType,
+                    body: 'shell',
+                    buttons,
+                }
+            }
         }
 
         this.dispatcher.sendChatMessage(

packages/core/src/codewhispererChat/tools/executeBash.ts

@@ -9,6 +9,9 @@ import { fs } from '../../shared/fs/fs'
 import { ChildProcess, ChildProcessOptions } from '../../shared/utilities/processUtils'
 import { InvokeOutput, OutputKind, sanitizePath } from './toolShared'
 import { split } from 'shlex'
+import path from 'path'
+import * as vscode from 'vscode'
+import { isInDirectory } from '../../shared/filesystemUtilities'
 
 export enum CommandCategory {
     ReadOnly,
@@ -185,6 +188,27 @@ export class ExecuteBash {
                     return { requiresAcceptance: true }
                 }
 
+                // For each command, validate arguments for path safety within workspace
+                for (const arg of cmdArgs) {
+                    if (this.looksLikePath(arg)) {
+                        // If not absolute, resolve using workingDirectory if available.
+                        let fullPath = arg
+                        if (!path.isAbsolute(arg) && this.workingDirectory) {
+                            fullPath = path.join(this.workingDirectory, arg)
+                        }
+                        const workspaceFolders = vscode.workspace.workspaceFolders
+                        if (!workspaceFolders || workspaceFolders.length === 0) {
+                            return { requiresAcceptance: true, warning: destructiveCommandWarningMessage }
+                        }
+                        const isInWorkspace = workspaceFolders.some((folder) =>
+                            isInDirectory(folder.uri.fsPath, fullPath)
+                        )
+                        if (!isInWorkspace) {
+                            return { requiresAcceptance: true, warning: destructiveCommandWarningMessage }
+                        }
+                    }
+                }
+
                 const command = cmdArgs[0]
                 const category = commandCategories.get(command)
 
@@ -371,4 +395,8 @@ export class ExecuteBash {
         updates.write('```shell\n' + this.command + '\n```')
         updates.end()
     }
+
+    private looksLikePath(arg: string): boolean {
+        return arg.startsWith('/') || arg.startsWith('./') || arg.startsWith('../')
+    }
 }

packages/core/src/codewhispererChat/tools/fsRead.ts

@@ -5,9 +5,10 @@
 import * as vscode from 'vscode'
 import { getLogger } from '../../shared/logger/logger'
 import fs from '../../shared/fs/fs'
-import { InvokeOutput, OutputKind, sanitizePath } from './toolShared'
 import { Writable } from 'stream'
 import path from 'path'
+import { InvokeOutput, OutputKind, sanitizePath, CommandValidation } from './toolShared'
+import { isInDirectory } from '../../shared/filesystemUtilities'
 
 export interface FsReadParams {
     path: string
@@ -68,6 +69,18 @@ export class FsRead {
         updates.end()
     }
 
+    public requiresAcceptance(): CommandValidation {
+        const workspaceFolders = vscode.workspace.workspaceFolders
+        if (!workspaceFolders || workspaceFolders.length === 0) {
+            return { requiresAcceptance: true }
+        }
+        const isInWorkspace = workspaceFolders.some((folder) => isInDirectory(folder.uri.fsPath, this.fsPath))
+        if (!isInWorkspace) {
+            return { requiresAcceptance: true }
+        }
+        return { requiresAcceptance: false }
+    }
+
     public async invoke(updates?: Writable): Promise<InvokeOutput> {
         try {
             const fileUri = vscode.Uri.file(this.fsPath)

packages/core/src/codewhispererChat/tools/listDirectory.ts

@@ -6,9 +6,10 @@ import * as vscode from 'vscode'
 import { getLogger } from '../../shared/logger/logger'
 import { readDirectoryRecursively } from '../../shared/utilities/workspaceUtils'
 import fs from '../../shared/fs/fs'
-import { InvokeOutput, OutputKind, sanitizePath } from './toolShared'
 import { Writable } from 'stream'
 import path from 'path'
+import { InvokeOutput, OutputKind, sanitizePath, CommandValidation } from './toolShared'
+import { isInDirectory } from '../../shared/filesystemUtilities'
 
 export interface ListDirectoryParams {
     path: string
@@ -61,6 +62,18 @@ export class ListDirectory {
         updates.end()
     }
 
+    public requiresAcceptance(): CommandValidation {
+        const workspaceFolders = vscode.workspace.workspaceFolders
+        if (!workspaceFolders || workspaceFolders.length === 0) {
+            return { requiresAcceptance: true }
+        }
+        const isInWorkspace = workspaceFolders.some((folder) => isInDirectory(folder.uri.fsPath, this.fsPath))
+        if (!isInWorkspace) {
+            return { requiresAcceptance: true }
+        }
+        return { requiresAcceptance: false }
+    }
+
     public async invoke(updates?: Writable): Promise<InvokeOutput> {
         try {
             const fileUri = vscode.Uri.file(this.fsPath)

packages/core/src/codewhispererChat/tools/toolShared.ts

@@ -32,3 +32,8 @@ export function sanitizePath(inputPath: string): string {
     }
     return sanitized
 }
+
+export interface CommandValidation {
+    requiresAcceptance: boolean
+    warning?: string
+}

packages/core/src/codewhispererChat/tools/toolUtils.ts

@@ -40,13 +40,13 @@ export class ToolUtils {
     static requiresAcceptance(tool: Tool): CommandValidation {
         switch (tool.type) {
             case ToolType.FsRead:
-                return { requiresAcceptance: false }
+                return tool.tool.requiresAcceptance()
             case ToolType.FsWrite:
                 return { requiresAcceptance: false }
             case ToolType.ExecuteBash:
                 return tool.tool.requiresAcceptance()
             case ToolType.ListDirectory:
-                return { requiresAcceptance: false }
+                return tool.tool.requiresAcceptance()
         }
     }
 

packages/core/src/shared/localizedText.ts

@@ -18,6 +18,8 @@ export const invalidArn = localize('AWS.error.invalidArn', 'Invalid ARN')
 export const localizedDelete = localize('AWS.generic.delete', 'Delete')
 export const cancel = localize('AWS.generic.cancel', 'Cancel')
 export const help = localize('AWS.generic.help', 'Help')
+export const run = localize('AWS.generic.run', 'Run')
+export const reject = localize('AWS.generic.reject', 'Reject')
 export const invalidNumberWarning = localize('AWS.validateTime.error.invalidNumber', 'Input must be a positive number')
 export const viewDocs = localize('AWS.generic.viewDocs', 'View Documentation')
 export const recentlyUsed = localize('AWS.generic.recentlyUsed', 'recently used')

packages/core/src/test/codewhispererChat/tools/executeBash.test.ts

@@ -7,6 +7,7 @@ import { strict as assert } from 'assert'
 import sinon from 'sinon'
 import { destructiveCommandWarningMessage, ExecuteBash } from '../../../codewhispererChat/tools/executeBash'
 import { ChildProcess } from '../../../shared/utilities/processUtils'
+import * as vscode from 'vscode'
 
 describe('ExecuteBash Tool', () => {
     let runStub: sinon.SinonStub
@@ -114,4 +115,55 @@ describe('ExecuteBash Tool', () => {
 
         assert.strictEqual(invokeStub.callCount, 1)
     })
+
+    it('requires acceptance if the command references an absolute file path outside the workspace', () => {
+        // Stub workspace folders to simulate a workspace at '/workspace/folder'
+        const workspaceStub = sinon
+            .stub(vscode.workspace, 'workspaceFolders')
+            .value([{ uri: { fsPath: '/workspace/folder' } } as any])
+        // Command references an absolute path outside the workspace
+        const execBash = new ExecuteBash({ command: 'cat /not/in/workspace/file.txt', cwd: '/workspace/folder' })
+        const result = execBash.requiresAcceptance()
+
+        assert.equal(
+            result.requiresAcceptance,
+            true,
+            'Should require acceptance for an absolute path outside of workspace'
+        )
+        workspaceStub.restore()
+    })
+
+    it('does NOT require acceptance if the command references a relative file path inside the workspace', () => {
+        // Stub workspace folders to simulate a workspace at '/workspace/folder'
+        const workspaceStub = sinon
+            .stub(vscode.workspace, 'workspaceFolders')
+            .value([{ uri: { fsPath: '/workspace/folder' } } as any])
+
+        // Command references a relative path that resolves within the workspace
+        const execBash = new ExecuteBash({ command: 'cat ./file.txt', cwd: '/workspace/folder' })
+        const result = execBash.requiresAcceptance()
+
+        assert.equal(result.requiresAcceptance, false, 'Relative path inside workspace should not require acceptance')
+
+        workspaceStub.restore()
+    })
+
+    it('does NOT require acceptance if there is no path-like token in the command', () => {
+        // Stub workspace folders (even though they are not used in this case)
+        const workspaceStub = sinon
+            .stub(vscode.workspace, 'workspaceFolders')
+            .value([{ uri: { fsPath: '/workspace/folder' } } as any])
+
+        // Command with tokens that do not look like file paths
+        const execBash = new ExecuteBash({ command: 'echo hello world', cwd: '/workspace/folder' })
+        const result = execBash.requiresAcceptance()
+
+        assert.equal(
+            result.requiresAcceptance,
+            false,
+            'A command without any path-like token should not require acceptance'
+        )
+
+        workspaceStub.restore()
+    })
 })