From 945a882350aef27c9aa43b35766f333c30ef7273 Mon Sep 17 00:00:00 2001
From: Randall-Jiang
Date: Tue, 8 Apr 2025 13:52:10 -0700
Subject: [PATCH 1/4] change warning category and default present logic for uncategory command
---
 .../codewhispererChat/tools/executeBash.ts | 87 ++++++++-----------
 1 file changed, 36 insertions(+), 51 deletions(-)
diff --git a/packages/core/src/codewhispererChat/tools/executeBash.ts b/packages/core/src/codewhispererChat/tools/executeBash.ts
index 84308390673..10f1af02b34 100644
--- a/packages/core/src/codewhispererChat/tools/executeBash.ts
+++ b/packages/core/src/codewhispererChat/tools/executeBash.ts
@@ -12,7 +12,7 @@ import { split } from 'shlex'
 export enum CommandCategory {
 ReadOnly,
- HighRisk,
+ Mutate,
 Destructive,
 }
@@ -47,45 +47,37 @@ export const commandCategories = new Map([
 ['netstat', CommandCategory.ReadOnly],
 ['ss', CommandCategory.ReadOnly],
 ['dig', CommandCategory.ReadOnly],
- ['grep', CommandCategory.ReadOnly],
 ['wc', CommandCategory.ReadOnly],
 ['sort', CommandCategory.ReadOnly],
 ['diff', CommandCategory.ReadOnly],
 ['head', CommandCategory.ReadOnly],
 ['tail', CommandCategory.ReadOnly],
- // HighRisk commands
- ['chmod', CommandCategory.HighRisk],
- ['chown', CommandCategory.HighRisk],
- ['mv', CommandCategory.HighRisk],
- ['cp', CommandCategory.HighRisk],
- ['ln', CommandCategory.HighRisk],
- ['mount', CommandCategory.HighRisk],
- ['umount', CommandCategory.HighRisk],
- ['kill', CommandCategory.HighRisk],
- ['killall', CommandCategory.HighRisk],
- ['pkill', CommandCategory.HighRisk],
- ['iptables', CommandCategory.HighRisk],
- ['route', CommandCategory.HighRisk],
- ['systemctl', CommandCategory.HighRisk],
- ['service', CommandCategory.HighRisk],
- ['crontab', CommandCategory.HighRisk],
- ['at', CommandCategory.HighRisk],
- ['tar', CommandCategory.HighRisk],
- ['awk', CommandCategory.HighRisk],
- ['sed', CommandCategory.HighRisk],
- ['wget', CommandCategory.HighRisk],
- ['curl', CommandCategory.HighRisk],
- ['nc', CommandCategory.HighRisk],
- ['ssh', CommandCategory.HighRisk],
- ['scp', CommandCategory.HighRisk],
- ['ftp', CommandCategory.HighRisk],
- ['sftp', CommandCategory.HighRisk],
- ['rsync', CommandCategory.HighRisk],
- ['chroot', CommandCategory.HighRisk],
- ['lsof', CommandCategory.HighRisk],
- ['strace', CommandCategory.HighRisk],
- ['gdb', CommandCategory.HighRisk],
+ // Mutable commands
+ ['chmod', CommandCategory.Mutate],
+ ['curl', CommandCategory.Mutate],
+ ['mount', CommandCategory.Mutate],
+ ['umount', CommandCategory.Mutate],
+ ['systemctl', CommandCategory.Mutate],
+ ['service', CommandCategory.Mutate],
+ ['crontab', CommandCategory.Mutate],
+ ['at', CommandCategory.Mutate],
+ ['nc', CommandCategory.Mutate],
+ ['ssh', CommandCategory.Mutate],
+ ['scp', CommandCategory.Mutate],
+ ['ftp', CommandCategory.Mutate],
+ ['sftp', CommandCategory.Mutate],
+ ['rsync', CommandCategory.Mutate],
+ ['chroot', CommandCategory.Mutate],
+ ['strace', CommandCategory.Mutate],
+ ['gdb', CommandCategory.Mutate],
+ ['apt', CommandCategory.Mutate],
+ ['yum', CommandCategory.Mutate],
+ ['dnf', CommandCategory.Mutate],
+ ['pacman', CommandCategory.Mutate],
+ ['exec', CommandCategory.Mutate],
+ ['eval', CommandCategory.Mutate],
+ ['xargs', CommandCategory.Mutate],
 // Destructive commands
 ['rm', CommandCategory.Destructive],
@@ -104,22 +96,18 @@ export const commandCategories = new Map([
 ['insmod', CommandCategory.Destructive],
 ['rmmod', CommandCategory.Destructive],
 ['modprobe', CommandCategory.Destructive],
- ['apt', CommandCategory.Destructive],
- ['yum', CommandCategory.Destructive],
- ['dnf', CommandCategory.Destructive],
- ['pacman', CommandCategory.Destructive],
- ['perl', CommandCategory.Destructive],
- ['python', CommandCategory.Destructive],
- ['bash', CommandCategory.Destructive],
- ['sh', CommandCategory.Destructive],
- ['exec', CommandCategory.Destructive],
- ['eval', CommandCategory.Destructive],
- ['xargs', CommandCategory.Destructive],
+ ['kill', CommandCategory.Destructive],
+ ['killall', CommandCategory.Destructive],
+ ['pkill', CommandCategory.Destructive],
+ ['iptables', CommandCategory.Destructive],
+ ['route', CommandCategory.Destructive],
+ ['chown', CommandCategory.Destructive],
 ])
 export const maxBashToolResponseSize: number = 1024 * 1024 // 1MB
 export const lineCount: number = 1024
 export const destructiveCommandWarningMessage = '⚠️ WARNING: Destructive command detected:\n\n'
 export const highRiskCommandWarningMessage = '⚠️ WARNING: High risk command detected:\n\n'
+export const mutateCommandWarningMessage = 'Mutation command:\n\n'
 export interface ExecuteBashParams {
 command: string
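Review bot: Deleting `grep` from ReadOnly and dropping `mv`, `cp`, `ln`, `tar`, `awk`, `sed`, `wget` and `lsof` from the old HighRisk list without re-adding them under Mutate leaves those nine commands with no entry, and the third hunk does the same for `perl`, `python`, `bash` and `sh`. Every one of them now reaches the `default` branch, which this series changes to require acceptance with no warning text, so the user is asked to approve a file-rewriting command or an interpreter invocation with less context than before, and the interpreters are no longer flagged at all even though `exec`, `eval` and `xargs` still are. If that is intentional, a comment at the head of the map such as `// Anything not listed falls to the default branch: approval is required, no category warning is shown` records it; otherwise `mv`, `cp`, `ln`, `tar`, `awk`, `sed` and `wget` belong under Mutate and the four interpreters under Destructive as before. The `grep` deletion in particular looks accidental, being the only ReadOnly entry touched.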
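Review bot: `mutateCommandWarningMessage` is added as `'Mutation command:\n\n'`, without the `⚠️ WARNING:` prefix and the "detected" wording that `destructiveCommandWarningMessage` two lines above it uses, so the two tiers render inconsistently in the approval prompt. If the softer wording is deliberate, a one-line comment saying so would help; otherwise `export const mutateCommandWarningMessage = '⚠️ WARNING: Mutating command detected:\n\n'` keeps the format uniform. Separately, `chown` is moved to Destructive while `chmod` is kept under Mutate; both change file access control, so a short comment on the `chown` entry explaining the split would stop it from being "corrected" later.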
@@ -197,11 +185,8 @@ export class ExecuteBash {
 switch (category) {
 case CommandCategory.Destructive:
 return { requiresAcceptance: true, warning: destructiveCommandWarningMessage }
- case CommandCategory.HighRisk:
- return {
- requiresAcceptance: true,
- warning: highRiskCommandWarningMessage,
- }
+ case CommandCategory.Mutate:
+ return { requiresAcceptance: true, warning: mutateCommandWarningMessage }
 case CommandCategory.ReadOnly:
 if (
 cmdArgs.some((arg) =>
@@ -212,7 +197,7 @@ export class ExecuteBash {
 }
 continue
 default:
- return { requiresAcceptance: true, warning: highRiskCommandWarningMessage }
+ return { requiresAcceptance: true }
 }
 }
 return { requiresAcceptance: false }
From a84097ba6d68043e01eda406f21fa716a4197343 Mon Sep 17 00:00:00 2001
From: Randall-Jiang
Date: Tue, 8 Apr 2025 15:51:57 -0700
Subject: [PATCH 2/4] remove the highrisk message
---
 packages/core/src/codewhispererChat/tools/executeBash.ts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/packages/core/src/codewhispererChat/tools/executeBash.ts b/packages/core/src/codewhispererChat/tools/executeBash.ts
index 10f1af02b34..a86a04df334 100644
--- a/packages/core/src/codewhispererChat/tools/executeBash.ts
+++ b/packages/core/src/codewhispererChat/tools/executeBash.ts
@@ -106,7 +106,6 @@ export const commandCategories = new Map([
 export const maxBashToolResponseSize: number = 1024 * 1024 // 1MB
 export const lineCount: number = 1024
 export const destructiveCommandWarningMessage = '⚠️ WARNING: Destructive command detected:\n\n'
-export const highRiskCommandWarningMessage = '⚠️ WARNING: High risk command detected:\n\n'
 export const mutateCommandWarningMessage = 'Mutation command:\n\n'
 export interface ExecuteBashParams {
From b559e6cb89369893438792c0b0a72d8ede1f2159 Mon Sep 17 00:00:00 2001
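Review bot: The rewritten `default` branch returns `{ requiresAcceptance: true }` with no `warning`, so a command that is in none of the three categories is still gated — the right fail-closed choice — but the user gets no hint of why approval is being requested, whereas the old code at least said "High risk". This is the branch every unlisted command lands in, so it deserves a comment; suggest `// Unlisted command: require explicit approval, no category-specific warning is available` above the return, and consider a neutral generic string rather than omitting `warning` entirely, assuming the caller renders it only when present. The enclosing method begins before this hunk.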
From: Randall-Jiang
Date: Tue, 8 Apr 2025 15:58:10 -0700
Subject: [PATCH 3/4] fix the default show message for dangerous pattern
---
 packages/core/src/codewhispererChat/tools/executeBash.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/core/src/codewhispererChat/tools/executeBash.ts b/packages/core/src/codewhispererChat/tools/executeBash.ts
index a86a04df334..1d3dc60df70 100644
--- a/packages/core/src/codewhispererChat/tools/executeBash.ts
+++ b/packages/core/src/codewhispererChat/tools/executeBash.ts
@@ -192,7 +192,8 @@ export class ExecuteBash {
 Array.from(dangerousPatterns).some((pattern) => arg.includes(pattern))
 )
 ) {
- return { requiresAcceptance: true, warning: highRiskCommandWarningMessage }
+ // put the mutation message for dangerous pattern command for now, will update as long as finalized with appsec team
+ return { requiresAcceptance: true, warning: mutateCommandWarningMessage }
 }
 continue
 default:
From 3a54e8a87cf14113917a5999a4fdc4019773b580 Mon Sep 17 00:00:00 2001
From: Randall-Jiang
Date: Wed, 9 Apr 2025 10:01:24 -0700
Subject: [PATCH 4/4] remove the dangerous pattern check (appsec verified)
---
 packages/core/src/codewhispererChat/tools/executeBash.ts | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/packages/core/src/codewhispererChat/tools/executeBash.ts b/packages/core/src/codewhispererChat/tools/executeBash.ts
index 1d3dc60df70..616ea49ed47 100644
--- a/packages/core/src/codewhispererChat/tools/executeBash.ts
+++ b/packages/core/src/codewhispererChat/tools/executeBash.ts
@@ -16,7 +16,6 @@ export enum CommandCategory {
 Destructive,
 }
-export const dangerousPatterns = new Set(['<(', '$(', '`'])
 export const splitOperators = new Set(['|', '&&', '||', '>'])
 export const splitOperatorsArray = Array.from(splitOperators)
 export const commandCategories = new Map([
@@ -187,14 +186,6 @@ export class ExecuteBash {
 case CommandCategory.Mutate:
 return { requiresAcceptance: true, warning: mutateCommandWarningMessage }
 case CommandCategory.ReadOnly:
- if (
- cmdArgs.some((arg) =>
- Array.from(dangerousPatterns).some((pattern) => arg.includes(pattern))
- )
- ) {
- // put the mutation message for dangerous pattern command for now, will update as long as finalized with appsec team
- return { requiresAcceptance: true, warning: mutateCommandWarningMessage }
- }
 continue
 default:
 return { requiresAcceptance: true }
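Review bot: With the `dangerousPatterns` scan removed, `case CommandCategory.ReadOnly:` is a bare `continue`, so a command whose first token is read-only is auto-approved whatever its arguments contain; the commit subject says appsec verified this, but nothing in the code records why the `<(`, `$(` and backtick check was safe to drop, and the first hunk of this patch also deletes the exported `dangerousPatterns`, which any test importing it will miss. If the verification rests on how the command is executed — for instance, a spawn that never hands the string to a shell, so substitutions in an argument are never expanded before the approval prompt — that reasoning belongs beside the case label, e.g. `// Arguments are not scanned for shell substitution: <reason from the appsec review>` with the placeholder filled in. If the tool still routes the string through a shell, the scan should come back, because a read-only command name says nothing about what a substituted argument would run. The enclosing method begins before this hunk.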