use treesitter to parse bash commands and catch commands that go outside of cwd (#1443)

packages/opencode/src/tool/bash.ts

@@ -2,11 +2,21 @@ import { z } from "zod"
 import { Tool } from "./tool"
 import DESCRIPTION from "./bash.txt"
 import { App } from "../app/app"
+import path from "path"
+
+import Parser from "tree-sitter"
+import Bash from "tree-sitter-bash"
+import { Config } from "../config/config"
+import { Filesystem } from "../util/filesystem"
+import { Permission } from "../permission"
 
 const MAX_OUTPUT_LENGTH = 30000
 const DEFAULT_TIMEOUT = 1 * 60 * 1000
 const MAX_TIMEOUT = 10 * 60 * 1000
 
+const parser = new Parser()
+parser.setLanguage(Bash.language as any)
+
 export const BashTool = Tool.define("bash", {
   description: DESCRIPTION,
   parameters: z.object({
@@ -20,10 +30,81 @@ export const BashTool = Tool.define("bash", {
   }),
   async execute(params, ctx) {
     const timeout = Math.min(params.timeout ?? DEFAULT_TIMEOUT, MAX_TIMEOUT)
+    const tree = parser.parse(params.command)
+    const cfg = await Config.get()
+    const app = App.info()
+    const permissions = (() => {
+      const value = cfg.permission?.bash
+      if (!value)
+        return {
+          "*": "allow",
+        }
+      if (typeof value === "string")
+        return {
+          "*": value,
+        }
+      return value
+    })()
+
+    let needsAsk = false
+    for (const node of tree.rootNode.descendantsOfType("command")) {
+      const command = []
+      for (let i = 0; i < node.childCount; i++) {
+        const child = node.child(i)
+        if (!child) continue
+        if (
+          child.type !== "command_name" &&
+          child.type !== "word" &&
+          child.type !== "string" &&
+          child.type !== "raw_string" &&
+          child.type !== "concatenation"
+        ) {
+          continue
+        }
+        command.push(child.text)
+      }
+
+      // not an exhaustive list, but covers most common cases
+      if (["cd", "rm", "cp", "mv", "mkdir", "touch", "chmod", "chown"].includes(command[0])) {
+        for (const arg of command.slice(1)) {
+          if (arg.startsWith("-")) continue
+          const resolved = path.resolve(app.path.cwd, arg)
+          if (!Filesystem.contains(app.path.cwd, resolved)) {
+            throw new Error(
+              `This command references paths outside of ${app.path.cwd} so it is not allowed to be executed.`,
+            )
+          }
+        }
+      }
+
+      // always allow cd if it passes above check
+      if (!needsAsk && command[0] !== "cd") {
+        const ask = (() => {
+          for (const [pattern, value] of Object.entries(permissions)) {
+            if (new Bun.Glob(pattern).match(node.text)) {
+              return value
+            }
+          }
+          return "ask"
+        })()
+        if (ask === "ask") needsAsk = true
+      }
+    }
+
+    if (needsAsk) {
+      await Permission.ask({
+        id: "basj",
+        sessionID: ctx.sessionID,
+        title: params.command,
+        metadata: {
+          command: params.command,
+        },
+      })
+    }
 
     const process = Bun.spawn({
       cmd: ["bash", "-c", params.command],
-      cwd: App.info().path.cwd,
+      cwd: app.path.cwd,
       maxBuffer: MAX_OUTPUT_LENGTH,
       signal: ctx.abort,
       timeout: timeout,

packages/opencode/src/tool/edit.ts

@@ -2,6 +2,7 @@
 // https://github.com/cline/cline/blob/main/evals/diff-edits/diff-apply/diff-06-23-25.ts
 // https://github.com/google-gemini/gemini-cli/blob/main/packages/core/src/utils/editCorrector.ts
 // https://github.com/cline/cline/blob/main/evals/diff-edits/diff-apply/diff-06-26-25.ts
+
 import { z } from "zod"
 import * as path from "path"
 import { Tool } from "./tool"
@@ -13,6 +14,8 @@ import { App } from "../app/app"
 import { File } from "../file"
 import { Bus } from "../bus"
 import { FileTime } from "../file/time"
+import { Config } from "../config/config"
+import { Filesystem } from "../util/filesystem"
 
 export const EditTool = Tool.define("edit", {
   description: DESCRIPTION,
@@ -33,17 +36,22 @@ export const EditTool = Tool.define("edit", {
 
     const app = App.info()
     const filepath = path.isAbsolute(params.filePath) ? params.filePath : path.join(app.path.cwd, params.filePath)
+    if (!Filesystem.contains(app.path.cwd, filepath)) {
+      throw new Error(`File ${filepath} is not in the current working directory`)
+    }
 
-    await Permission.ask({
-      id: "edit",
-      sessionID: ctx.sessionID,
-      title: "Edit this file: " + filepath,
-      metadata: {
-        filePath: filepath,
-        oldString: params.oldString,
-        newString: params.newString,
-      },
-    })
+    const cfg = await Config.get()
+    if (cfg.permission?.edit === "ask")
+      await Permission.ask({
+        id: "edit",
+        sessionID: ctx.sessionID,
+        title: "Edit this file: " + filepath,
+        metadata: {
+          filePath: filepath,
+          oldString: params.oldString,
+          newString: params.newString,
+        },
+      })
 
     let contentOld = ""
     let contentNew = ""

packages/opencode/src/tool/read.ts

@@ -6,6 +6,7 @@ import { LSP } from "../lsp"
 import { FileTime } from "../file/time"
 import DESCRIPTION from "./read.txt"
 import { App } from "../app/app"
+import { Filesystem } from "../util/filesystem"
 
 const DEFAULT_READ_LIMIT = 2000
 const MAX_LINE_LENGTH = 2000
@@ -18,15 +19,19 @@ export const ReadTool = Tool.define("read", {
     limit: z.coerce.number().describe("The number of lines to read (defaults to 2000)").optional(),
   }),
   async execute(params, ctx) {
-    let filePath = params.filePath
-    if (!path.isAbsolute(filePath)) {
-      filePath = path.join(process.cwd(), filePath)
+    let filepath = params.filePath
+    if (!path.isAbsolute(filepath)) {
+      filepath = path.join(process.cwd(), filepath)
+    }
+    const app = App.info()
+    if (!Filesystem.contains(app.path.cwd, filepath)) {
+      throw new Error(`File ${filepath} is not in the current working directory`)
     }
 
-    const file = Bun.file(filePath)
+    const file = Bun.file(filepath)
     if (!(await file.exists())) {
-      const dir = path.dirname(filePath)
-      const base = path.basename(filePath)
+      const dir = path.dirname(filepath)
+      const base = path.basename(filepath)
 
       const dirEntries = fs.readdirSync(dir)
       const suggestions = dirEntries
@@ -38,18 +43,18 @@ export const ReadTool = Tool.define("read", {
         .slice(0, 3)
 
       if (suggestions.length > 0) {
-        throw new Error(`File not found: ${filePath}\n\nDid you mean one of these?\n${suggestions.join("\n")}`)
+        throw new Error(`File not found: ${filepath}\n\nDid you mean one of these?\n${suggestions.join("\n")}`)
       }
 
-      throw new Error(`File not found: ${filePath}`)
+      throw new Error(`File not found: ${filepath}`)
     }
 
     const limit = params.limit ?? DEFAULT_READ_LIMIT
     const offset = params.offset || 0
-    const isImage = isImageFile(filePath)
+    const isImage = isImageFile(filepath)
     if (isImage) throw new Error(`This is an image file of type: ${isImage}\nUse a different tool to process images`)
     const isBinary = await isBinaryFile(file)
-    if (isBinary) throw new Error(`Cannot read binary file: ${filePath}`)
+    if (isBinary) throw new Error(`Cannot read binary file: ${filepath}`)
     const lines = await file.text().then((text) => text.split("\n"))
     const raw = lines.slice(offset, offset + limit).map((line) => {
       return line.length > MAX_LINE_LENGTH ? line.substring(0, MAX_LINE_LENGTH) + "..." : line
@@ -68,11 +73,11 @@ export const ReadTool = Tool.define("read", {
     output += "\n</file>"
 
     // just warms the lsp client
-    LSP.touchFile(filePath, false)
-    FileTime.read(ctx.sessionID, filePath)
+    LSP.touchFile(filepath, false)
+    FileTime.read(ctx.sessionID, filepath)
 
     return {
-      title: path.relative(App.info().path.root, filePath),
+      title: path.relative(App.info().path.root, filepath),
       output,
       metadata: {
         preview,

packages/opencode/src/tool/write.ts

@@ -8,6 +8,8 @@ import { App } from "../app/app"
 import { Bus } from "../bus"
 import { File } from "../file"
 import { FileTime } from "../file/time"
+import { Config } from "../config/config"
+import { Filesystem } from "../util/filesystem"
 
 export const WriteTool = Tool.define("write", {
   description: DESCRIPTION,
@@ -18,21 +20,26 @@ export const WriteTool = Tool.define("write", {
   async execute(params, ctx) {
     const app = App.info()
     const filepath = path.isAbsolute(params.filePath) ? params.filePath : path.join(app.path.cwd, params.filePath)
+    if (!Filesystem.contains(app.path.cwd, filepath)) {
+      throw new Error(`File ${filepath} is not in the current working directory`)
+    }
 
     const file = Bun.file(filepath)
     const exists = await file.exists()
     if (exists) await FileTime.assert(ctx.sessionID, filepath)
 
-    await Permission.ask({
-      id: "write",
-      sessionID: ctx.sessionID,
-      title: exists ? "Overwrite this file: " + filepath : "Create new file: " + filepath,
-      metadata: {
-        filePath: filepath,
-        content: params.content,
-        exists,
-      },
-    })
+    const cfg = await Config.get()
+    if (cfg.permission?.edit === "ask")
+      await Permission.ask({
+        id: "write",
+        sessionID: ctx.sessionID,
+        title: exists ? "Overwrite this file: " + filepath : "Create new file: " + filepath,
+        metadata: {
+          filePath: filepath,
+          content: params.content,
+          exists,
+        },
+      })
 
     await Bun.write(filepath, params.content)
     await Bus.publish(File.Event.Edited, {