feat(security): add detection rules for destructive shell commands

[pzlav]

Description

Add YAML detection rules for dangerous shell commands beyond the existing rm and mv guards. New rules cover filesystem destruction (mkfs, dd), destructive Git operations (reset --hard, push --force), fork bombs, curl|bash pipes, reverse shells, crontab/sudoers tampering, unsafe permissions (chmod 777), and base64-obfuscated execution. Each rule includes severity, pattern matching, and remediation guidance so the user is always prompted or blocked before execution.

Related Issue: Fixes #(issue_number) or Relates to #(issue_number)

Security Considerations: These rules are defensive — they add tool_guard rules to prevent agents from executing destructive, privilege-escalating, or obfuscated shell commands without user confirmation. No existing rules are removed or weakened.

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation
• Refactoring

Component(s) Affected

• Core / Backend (app, agents, config, providers, utils, local_models)
• Console (frontend web UI)
• Channels (DingTalk, Feishu, QQ, Discord, iMessage, etc.)
• Skills
• CLI
• Documentation (website)
• Tests
• CI/CD
• Scripts / Deploy

Checklist

• I ran pre-commit run --all-files locally and it passes
• If pre-commit auto-fixed files, I committed those changes and reran checks
• I ran tests locally (pytest or as relevant) and they pass
• Documentation updated (if needed)
• Ready for review

Testing

1. Verify YAML syntax is valid.
2. For each new rule, confirm the regex patterns match expected dangerous commands (e.g. mkfs /dev/sda, git reset --hard, curl ... | bash) and do not false-positive on safe usage (e.g. git push origin main without --force).
3. Confirm existing TOOL_CMD_DANGEROUS_RM and TOOL_CMD_DANGEROUS_MV rules still work as before.

Local Verification Evidence

pre-commit run --all-files
check python ast.........................................................Passed
sort simple yaml files...............................(no files to check)Skipped
check yaml...............................................................Passed
check xml................................................................Passed
check toml...............................................................Passed
check docstring is first.................................................Passed
check json...............................................................Passed
fix python encoding pragma...............................................Passed
detect private key.......................................................Passed
trim trailing whitespace.................................................Passed
Add trailing commas......................................................Passed
mypy.....................................................................Passed
black....................................................................Passed
flake8...................................................................Passed
pylint...................................................................Passed
prettier.................................................................Passed

pytest
====================================== test session starts ======================================
platform linux -- Python 3.10.12, pytest-9.0.2, pluggy-1.6.0
rootdir: /home/pzla/projects/CoPaw
configfile: pyproject.toml
plugins: anyio-4.12.1, asyncio-1.3.0, cov-7.0.0
asyncio: mode=auto, debug=False, asyncio_default_fixture_loop_scope=function, asyncio_default_test_loop_scope=function
collected 64 items

tests/integrated/test_app_startup.py . [ 1%]
tests/integrated/test_version.py ... [ 6%]
tests/test_cli_version.py . [ 7%]
tests/unit/providers/test_anthropic_provider.py ....... [ 18%]
tests/unit/providers/test_default_provider.py .. [ 21%]
tests/unit/providers/test_minimax_provider.py ....... [ 32%]
tests/unit/providers/test_ollama_manager_timeout.py . [ 34%]
tests/unit/providers/test_ollama_provider.py .............. [ 56%]
tests/unit/providers/test_openai_provider.py ........... [ 73%]
tests/unit/providers/test_openai_stream_toolcall_compat.py .. [ 76%]
tests/unit/providers/test_provider_manager.py ............... [100%]

====================================== 64 passed in 9.17s =======================================

## Additional Notes

[Optional: any other context]

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture by expanding the tool_guard with a comprehensive set of new detection rules. These rules are designed to prevent agents from executing a wide array of dangerous shell commands, ranging from filesystem destruction and destructive Git operations to denial-of-service attacks, network exploitation, and privilege escalation attempts. The goal is to ensure that agents operate within safe boundaries, prompting for user confirmation or blocking execution for high-risk commands, thereby improving the overall robustness and safety of the system.

Highlights

• Filesystem & Block Device Destruction: Added rules to detect commands like mkfs and dd that can format or wipe disks, preventing agents from performing such critical operations.
• Destructive Git Operations: Implemented rules to identify and guard against Git commands that cause data loss, such as git reset --hard, git clean -f, and git push --force.
• Denial of Service & Fork Bombs: Introduced detection for classic Bash fork bombs and mass process termination commands like kill -9 -1, which can crash the host system.
• Network Loaders (Pipe to Shell): Added rules to catch patterns like curl | bash used for downloading and executing remote payloads, requiring user confirmation before execution.
• Reverse Shell & Network Tunnels: Included detection for attempts to establish reverse shells or unauthorized network tunnels using tools like nc, ncat, or socat.
• Persistence & Privilege Escalation: Created rules to identify modifications to sensitive system files related to cron jobs, SSH keys (authorized_keys), and sudoers.
• Dangerous Permission Changes: Added detection for commands that set unsafe global permissions (e.g., chmod 777) or immutable flags (chattr +i).
• Obfuscation & Defense Evasion: Implemented a rule to detect the execution of base64-encoded strings piped directly to a shell interpreter, a common obfuscation technique.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• src/copaw/security/tool_guard/rules/dangerous_shell_commands.yaml
  • Added new detection rules for filesystem and block device destruction commands (e.g., mkfs, dd).
  • Added new detection rules for destructive Git operations (e.g., git reset --hard, git push --force).
  • Added new detection rules for denial-of-service attacks and fork bombs.
  • Added new detection rules for network loaders that pipe remote content to a shell (e.g., curl | bash).
  • Added new detection rules for reverse shells and unauthorized network tunnels.
  • Added new detection rules for system tampering related to persistence and privilege escalation (e.g., crontab, sudoers).
  • Added new detection rules for dangerous permission changes (e.g., chmod 777).
  • Added new detection rules for obfuscated command execution using base64 decoding.

Activity

• The author ran pre-commit run --all-files locally, ensuring code quality and formatting standards were met.
• The author executed pytest locally, confirming that all existing tests passed.
• The author verified the YAML syntax of the new rules.
• The author confirmed that the regex patterns for each new rule correctly matched dangerous commands and avoided false positives.
• The author confirmed that the existing TOOL_CMD_DANGEROUS_RM and TOOL_CMD_DANGEROUS_MV rules continued to function as expected.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Generative AI Prohibited Use Policy, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull request overview

This PR expands the tool-guard’s built-in YAML ruleset for execute_shell_command to detect and gate a wider set of destructive, privilege-escalating, obfuscated, and suspicious shell command patterns, reducing the chance an agent executes high-risk commands without user intervention.

Changes:

• Added new detection rules for filesystem/device destruction, destructive Git operations, fork bombs/DoS, pipe-to-shell downloaders, reverse shells, system tampering, unsafe permissions, and base64-obfuscated execution.
• Assigned severities/categories and provided user-facing remediation guidance per rule.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[gemini-code-assist]

Code Review

This pull request introduces a valuable set of new detection rules for various dangerous shell commands, significantly enhancing the security posture of the tool guard. The rules are well-structured and cover a wide range of threats, from filesystem destruction to command obfuscation. I've provided a few suggestions to refine some of the regular expressions for improved accuracy and broader coverage. Overall, this is a strong security enhancement.

[gemini-code-assist]

The current chmod pattern is very specific, only detecting recursive changes to the root directory (/). This misses many other dangerous scenarios, such as chmod 777 /etc/shadow or chmod -R 777 . in a sensitive directory. A more general pattern would provide much broader protection against unsafe permission changes.

    - "\\bchmod\\s+.*(777|a\\+rwx)"

[gemini-code-assist]

The pattern for git reset incorrectly includes -h as a destructive option. The -h flag is an alias for --help and is not a destructive operation. git does not have a short option for --hard. Removing |-h\b will make the rule more accurate and prevent potential false positives on users trying to get help for the command.

    - "\\bgit\\s+reset\\s+--hard"

[gemini-code-assist]

The pattern authorized_keys is a bit too broad and could lead to false positives by matching substrings within other words (e.g., a script named update_authorized_keys_format.sh). Using word boundaries (\b) will ensure that it only matches the whole word authorized_keys, improving the rule's precision.

    - "\\bauthorized_keys\\b"

[gemini-code-assist]

This pattern for obfuscated execution is good, but it could be more comprehensive. The TOOL_CMD_PIPE_TO_SHELL rule includes ash and dash in its list of shells. To maintain consistency and broaden detection capabilities, it would be beneficial to add them to this rule as well.

    - "\\bbase64\\s+(-d|--decode)\\s*\\|\\s*(bash|sh|zsh|ash|dash)"

[Copilot]

Pull request overview

Adds additional rule-based tool-guard detections to block or prompt on a broader set of destructive / high-risk shell command patterns.

Changes:

• Extend dangerous_shell_commands.yaml with new detection rules for filesystem destruction, destructive Git operations, fork bombs/DoS, pipe-to-shell loaders, reverse shells, system tampering, unsafe permissions, and base64-obfuscated execution.
• Assign severity/category metadata and remediation guidance per rule.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[xieyxclack]

Please check whether Copilot’s recommendations are worth considering. Thanks for your contribution :)

[Copilot]

Pull request overview

Adds additional tool-guard YAML rules to detect and block/prompt on a wider set of destructive or high-risk shell commands executed via execute_shell_command, expanding beyond existing rm/mv guards.

Changes:

• Added new detection rules for filesystem/block-device destruction, destructive Git operations, DoS/fork bombs, pipe-to-shell downloaders, reverse shells, system tampering, unsafe permissions, and base64-obfuscated execution.
• Included severity levels and remediation guidance per rule.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

This PR expands CoPaw’s tool-guard rule set for execute_shell_command by adding YAML-based detection rules for a wider range of destructive or high-risk shell behaviors, aiming to prompt/block unsafe commands before execution.

Changes:

• Added new detection rules for filesystem/device destruction, destructive Git operations, fork bombs, pipe-to-shell downloaders, reverse shells, system tampering, unsafe permissions, and obfuscated execution.
• Assigned severities/categories and provided remediation guidance for each new rule.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

This PR extends CoPaw’s tool-guard rule set to detect and intercept a broader range of destructive or high-risk shell commands (beyond existing rm/mv detection), aiming to prompt/block agent execution before damage occurs.

Changes:

• Added new YAML rules covering filesystem/block device destruction, destructive Git operations, fork bombs / DoS, pipe-to-shell download execution, reverse shells, system tampering, unsafe permissions, and base64-obfuscated execution.
• Annotated each rule with severity, category, patterns, and remediation guidance.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[gnipping]

Thanks for the PR.

── Git Data Loss ─────────────────────────────────────────────────────

• id: TOOL_CMD_GIT_DATA_LOSS
  tools: [execute_shell_command]
  params: [command]
  category: command_injection
  severity: HIGH
  patterns:
  • "\bgit\s+reset\s+(--hard|--merge|--keep)"
  • "\bgit\s+checkout\s+(--\s+\.|\.)"
  • "\bgit\s+clean\s+-(?![a-zA-Z]*n)[a-zA-Z]*f\b"
  • "\bgit\s+push\s+.*(--force|-f\b)"

We find that this rule is not necessary. Please delete this rule and revise the rules to make them more precise.