Skip to content

security(tools): harden shell sandbox against process substitution and here-string bypass#907

Merged
bug-ops merged 2 commits intomainfrom
feat/856-shell-sandbox
Feb 25, 2026
Merged

security(tools): harden shell sandbox against process substitution and here-string bypass#907
bug-ops merged 2 commits intomainfrom
feat/856-shell-sandbox

Conversation

@bug-ops
Copy link
Owner

@bug-ops bug-ops commented Feb 25, 2026

Summary

Closes #870 (part of epic #856).

  • Added <(, >(, <<<, eval to ShellConfig default confirm_patterns — these patterns now trigger confirmation before execution instead of running silently
  • Added doc comment to find_blocked_command documenting known bypass limitations (process substitution, here-strings, eval, variable expansion) with examples
  • Added 14 tests covering: known-limitation units, confirm_patterns coverage, async executor confirmations
  • Updated insta snapshot, docs (security.md, configuration.md, tools.md), and README files

Test plan

  • cargo +nightly fmt --check — pass
  • cargo clippy --workspace -- -D warnings — 0 warnings
  • cargo nextest run --workspace --lib --bins — 2771 passed

@bug-ops
security(tools): harden shell sandbox against process substitution an…
a815f81 
…d here-string bypass (#870)

- Add <(, >(, <<<, eval  to ShellConfig default confirm_patterns
- Document find_blocked_command limitations in doc comment
- Add 14 tests: known-limitation units, confirm_patterns coverage, async executor confirmations
- Update config default snapshot, docs, and README
@github-actions github-actions bot added documentation Improvements or additions to documentation rust core size/L labels Feb 25, 2026
@bug-ops bug-ops linked an issue Feb 25, 2026 that may be closed by this pull request
Epic: Shell sandbox hardening #856
Closed
1 task
@bug-ops bug-ops enabled auto-merge (squash) February 25, 2026 20:06
@bug-ops bug-ops merged commit 6731597 into main Feb 25, 2026
28 checks passed
@bug-ops bug-ops deleted the feat/856-shell-sandbox branch February 25, 2026 20:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

core documentation Improvements or additions to documentation rust size/L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Shell blocklist bypassed by process substitution and here-strings Epic: Shell sandbox hardening

1 participant

@bug-ops