Skip to content

feat(security): add detection rules for destructive shell commands#1484

Merged
xieyxclack merged 9 commits intoagentscope-ai:mainfrom
pzlav:feature/shell_tool_guard_rules
Mar 17, 2026
Merged

feat(security): add detection rules for destructive shell commands#1484
xieyxclack merged 9 commits intoagentscope-ai:mainfrom
pzlav:feature/shell_tool_guard_rules

Conversation

@pzlav
Copy link
Contributor

@pzlav pzlav commented Mar 14, 2026

Description

Add YAML detection rules for dangerous shell commands beyond the existing rm and mv guards. New rules cover filesystem destruction (mkfs, dd), destructive Git operations (reset --hard, push --force), fork bombs, curl|bash pipes, reverse shells, crontab/sudoers tampering, unsafe permissions (chmod 777), and base64-obfuscated execution. Each rule includes severity, pattern matching, and remediation guidance so the user is always prompted or blocked before execution.

Related Issue: Fixes #(issue_number) or Relates to #(issue_number)

Security Considerations: These rules are defensive — they add tool_guard rules to prevent agents from executing destructive, privilege-escalating, or obfuscated shell commands without user confirmation. No existing rules are removed or weakened.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation
  • Refactoring

Component(s) Affected

  • Core / Backend (app, agents, config, providers, utils, local_models)
  • Console (frontend web UI)
  • Channels (DingTalk, Feishu, QQ, Discord, iMessage, etc.)
  • Skills
  • CLI
  • Documentation (website)
  • Tests
  • CI/CD
  • Scripts / Deploy

Checklist

  • I ran pre-commit run --all-files locally and it passes
  • If pre-commit auto-fixed files, I committed those changes and reran checks
  • I ran tests locally (pytest or as relevant) and they pass
  • Documentation updated (if needed)
  • Ready for review

Testing

  1. Verify YAML syntax is valid.
  2. For each new rule, confirm the regex patterns match expected dangerous commands (e.g. mkfs /dev/sda, git reset --hard, curl ... | bash) and do not false-positive on safe usage (e.g. git push origin main without --force).
  3. Confirm existing TOOL_CMD_DANGEROUS_RM and TOOL_CMD_DANGEROUS_MV rules still work as before.

Local Verification Evidence

pre-commit run --all-files
check python ast.........................................................Passed
sort simple yaml files...............................(no files to check)Skipped
check yaml...............................................................Passed
check xml................................................................Passed
check toml...............................................................Passed
check docstring is first.................................................Passed
check json...............................................................Passed
fix python encoding pragma...............................................Passed
detect private key.......................................................Passed
trim trailing whitespace.................................................Passed
Add trailing commas......................................................Passed
mypy.....................................................................Passed
black....................................................................Passed
flake8...................................................................Passed
pylint...................................................................Passed
prettier.................................................................Passed

pytest
====================================== test session starts ======================================
platform linux -- Python 3.10.12, pytest-9.0.2, pluggy-1.6.0
rootdir: /home/pzla/projects/CoPaw
configfile: pyproject.toml
plugins: anyio-4.12.1, asyncio-1.3.0, cov-7.0.0
asyncio: mode=auto, debug=False, asyncio_default_fixture_loop_scope=function, asyncio_default_test_loop_scope=function
collected 64 items

tests/integrated/test_app_startup.py . [ 1%]
tests/integrated/test_version.py ... [ 6%]
tests/test_cli_version.py . [ 7%]
tests/unit/providers/test_anthropic_provider.py ....... [ 18%]
tests/unit/providers/test_default_provider.py .. [ 21%]
tests/unit/providers/test_minimax_provider.py ....... [ 32%]
tests/unit/providers/test_ollama_manager_timeout.py . [ 34%]
tests/unit/providers/test_ollama_provider.py .............. [ 56%]
tests/unit/providers/test_openai_provider.py ........... [ 73%]
tests/unit/providers/test_openai_stream_toolcall_compat.py .. [ 76%]
tests/unit/providers/test_provider_manager.py ............... [100%]

====================================== 64 passed in 9.17s =======================================


## Additional Notes

[Optional: any other context]

Copilot AI review requested due to automatic review settings March 14, 2026 07:51
@github-actions github-actions bot added the first-time-contributor PR created by a first time contributor label Mar 14, 2026
@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Mar 14, 2026

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture by expanding the tool_guard with a comprehensive set of new detection rules. These rules are designed to prevent agents from executing a wide array of dangerous shell commands, ranging from filesystem destruction and destructive Git operations to denial-of-service attacks, network exploitation, and privilege escalation attempts. The goal is to ensure that agents operate within safe boundaries, prompting for user confirmation or blocking execution for high-risk commands, thereby improving the overall robustness and safety of the system.

Highlights

  • Filesystem & Block Device Destruction: Added rules to detect commands like mkfs and dd that can format or wipe disks, preventing agents from performing such critical operations.
  • Destructive Git Operations: Implemented rules to identify and guard against Git commands that cause data loss, such as git reset --hard, git clean -f, and git push --force.
  • Denial of Service & Fork Bombs: Introduced detection for classic Bash fork bombs and mass process termination commands like kill -9 -1, which can crash the host system.
  • Network Loaders (Pipe to Shell): Added rules to catch patterns like curl | bash used for downloading and executing remote payloads, requiring user confirmation before execution.
  • Reverse Shell & Network Tunnels: Included detection for attempts to establish reverse shells or unauthorized network tunnels using tools like nc, ncat, or socat.
  • Persistence & Privilege Escalation: Created rules to identify modifications to sensitive system files related to cron jobs, SSH keys (authorized_keys), and sudoers.
  • Dangerous Permission Changes: Added detection for commands that set unsafe global permissions (e.g., chmod 777) or immutable flags (chattr +i).
  • Obfuscation & Defense Evasion: Implemented a rule to detect the execution of base64-encoded strings piped directly to a shell interpreter, a common obfuscation technique.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog
  • src/copaw/security/tool_guard/rules/dangerous_shell_commands.yaml
    • Added new detection rules for filesystem and block device destruction commands (e.g., mkfs, dd).
    • Added new detection rules for destructive Git operations (e.g., git reset --hard, git push --force).
    • Added new detection rules for denial-of-service attacks and fork bombs.
    • Added new detection rules for network loaders that pipe remote content to a shell (e.g., curl | bash).
    • Added new detection rules for reverse shells and unauthorized network tunnels.
    • Added new detection rules for system tampering related to persistence and privilege escalation (e.g., crontab, sudoers).
    • Added new detection rules for dangerous permission changes (e.g., chmod 777).
    • Added new detection rules for obfuscated command execution using base64 decoding.
Activity
  • The author ran pre-commit run --all-files locally, ensuring code quality and formatting standards were met.
  • The author executed pytest locally, confirming that all existing tests passed.
  • The author verified the YAML syntax of the new rules.
  • The author confirmed that the regex patterns for each new rule correctly matched dangerous commands and avoided false positives.
  • The author confirmed that the existing TOOL_CMD_DANGEROUS_RM and TOOL_CMD_DANGEROUS_MV rules continued to function as expected.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Generative AI Prohibited Use Policy, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

Copilot AI reviewed Mar 14, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR expands the tool-guard’s built-in YAML ruleset for execute_shell_command to detect and gate a wider set of destructive, privilege-escalating, obfuscated, and suspicious shell command patterns, reducing the chance an agent executes high-risk commands without user intervention.

Changes:

  • Added new detection rules for filesystem/device destruction, destructive Git operations, fork bombs/DoS, pipe-to-shell downloaders, reverse shells, system tampering, unsafe permissions, and base64-obfuscated execution.
  • Assigned severities/categories and provided user-facing remediation guidance per rule.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 14, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a valuable set of new detection rules for various dangerous shell commands, significantly enhancing the security posture of the tool guard. The rules are well-structured and cover a wide range of threats, from filesystem destruction to command obfuscation. I've provided a few suggestions to refine some of the regular expressions for improved accuracy and broader coverage. Overall, this is a strong security enhancement.

@pzlav
update description of TOOL_CMD_SYSTEM_TAMPERING
3c75232 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 14, 2026 12:12
Copilot AI reviewed Mar 14, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds additional rule-based tool-guard detections to block or prompt on a broader set of destructive / high-risk shell command patterns.

Changes:

  • Extend dangerous_shell_commands.yaml with new detection rules for filesystem destruction, destructive Git operations, fork bombs/DoS, pipe-to-shell loaders, reverse shells, system tampering, unsafe permissions, and base64-obfuscated execution.
  • Assign severity/category metadata and remediation guidance per rule.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pzlav pzlav temporarily deployed to maintainer-approved March 14, 2026 13:46 — with GitHub Actions Inactive
@xieyxclack
Copy link
Member

xieyxclack commented Mar 14, 2026

Please check whether Copilot’s recommendations are worth considering. Thanks for your contribution :)

@github-actions github-actions bot mentioned this pull request Mar 15, 2026
Open
@pzlav
adding word boundaries around the shell names
27f7545 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 15, 2026 07:53
Copilot AI reviewed Mar 15, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds additional tool-guard YAML rules to detect and block/prompt on a wider set of destructive or high-risk shell commands executed via execute_shell_command, expanding beyond existing rm/mv guards.

Changes:

  • Added new detection rules for filesystem/block-device destruction, destructive Git operations, DoS/fork bombs, pipe-to-shell downloaders, reverse shells, system tampering, unsafe permissions, and base64-obfuscated execution.
  • Included severity levels and remediation guidance per rule.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pzlav
-h replaced it with --merge and --keep
1222e82 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 15, 2026 07:59
Copilot AI reviewed Mar 15, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR expands CoPaw’s tool-guard rule set for execute_shell_command by adding YAML-based detection rules for a wider range of destructive or high-risk shell behaviors, aiming to prompt/block unsafe commands before execution.

Changes:

  • Added new detection rules for filesystem/device destruction, destructive Git operations, fork bombs, pipe-to-shell downloaders, reverse shells, system tampering, unsafe permissions, and obfuscated execution.
  • Assigned severities/categories and provided remediation guidance for each new rule.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pzlav
improve mkfs detection to cover mke2fs alias
5451b13 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 15, 2026 08:06
Copilot AI reviewed Mar 15, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR extends CoPaw’s tool-guard rule set to detect and intercept a broader range of destructive or high-risk shell commands (beyond existing rm/mv detection), aiming to prompt/block agent execution before damage occurs.

Changes:

  • Added new YAML rules covering filesystem/block device destruction, destructive Git operations, fork bombs / DoS, pipe-to-shell download execution, reverse shells, system tampering, unsafe permissions, and base64-obfuscated execution.
  • Annotated each rule with severity, category, patterns, and remediation guidance.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@gnipping
Copy link
Contributor

gnipping commented Mar 16, 2026

Thanks for the PR.

── Git Data Loss ─────────────────────────────────────────────────────

  • id: TOOL_CMD_GIT_DATA_LOSS
    tools: [execute_shell_command]
    params: [command]
    category: command_injection
    severity: HIGH
    patterns:
    • "\bgit\s+reset\s+(--hard|--merge|--keep)"
    • "\bgit\s+checkout\s+(--\s+\.|\.)"
    • "\bgit\s+clean\s+-(?![a-zA-Z]*n)[a-zA-Z]*f\b"
    • "\bgit\s+push\s+.*(--force|-f\b)"

We find that this rule is not necessary. Please delete this rule and revise the rules to make them more precise.

Copilot AI review requested due to automatic review settings March 16, 2026 16:39
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds additional regex-based tool-guard rules to detect potentially destructive execute_shell_command invocations, expanding coverage beyond the existing rm/mv checks.

Changes:

  • Expanded dangerous_shell_commands.yaml with new rules for filesystem wiping/formatting, fork bombs / DoS patterns, pipe-to-shell loaders, reverse shells, system tampering, unsafe permission changes, and base64-obfuscated execution.
  • Updated the rule file header documentation to describe the rule system, severity tiers, and taxonomy reference.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pzlav
update file header
e414890 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 16, 2026 17:38
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds expanded ToolGuard YAML regex rules to detect and intercept potentially destructive execute_shell_command invocations before execution, strengthening the repo’s pre-tool-call security guardrails.

Changes:

  • Expanded dangerous_shell_commands.yaml with new rule IDs covering disk-wipe/format commands, fork bombs/DoS, pipe-to-shell downloaders, reverse shells, sensitive system file tampering, unsafe permission changes, and base64-piped execution.
  • Updated the file header commentary to describe severity tiers and taxonomy references.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@gnipping
Copy link
Contributor

gnipping commented Mar 17, 2026

Thanks again for your revision.

According to the Copilot Review, some regular expressions still introduce false positives. Could you please revise them accordingly?

@gnipping
Copy link
Contributor

gnipping commented Mar 17, 2026

Thanks for the commits. The current rules look good to me.

@pzlav pzlav temporarily deployed to maintainer-approved March 17, 2026 11:06 — with GitHub Actions Inactive
@xieyxclack xieyxclack merged commit 52f9a51 into agentscope-ai:main Mar 17, 2026
30 checks passed
@github-actions
Copy link

github-actions bot commented Mar 17, 2026

Welcome to CoPaw! 🎉

Thank you @pzlav for your first contribution! Your PR has been merged. 🚀

We'd love to give you a shout-out in our release notes! If you're comfortable sharing, please reply to this comment with your social media handles using the format below:

discord: your_discord_handle
x: your_x_handle
xiaohongshu: your_xiaohongshu_id

Note: Only share what you're comfortable with — all fields are optional.

Thanks again for helping make CoPaw better!

@pzlav
Copy link
Contributor Author

pzlav commented Mar 17, 2026

Welcome to CoPaw! 🎉

Thank you @pzlav for your first contribution! Your PR has been merged. 🚀

We'd love to give you a shout-out in our release notes! If you're comfortable sharing, please reply to this comment with your social media handles using the format below:

discord: your_discord_handle
x: your_x_handle
xiaohongshu: your_xiaohongshu_id

Note: Only share what you're comfortable with — all fields are optional.

Thanks again for helping make CoPaw better!

discord: 918134357758185492

@github-actions github-actions bot mentioned this pull request Mar 18, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@xieyxclack xieyxclack xieyxclack approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

first-time-contributor PR created by a first time contributor

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@pzlav @xieyxclack @gnipping