use treesitter to parse bash commands and catch commands that go outside of cwd (#1443)

2026-04-04 16:13:11 +00:00 · 2025-07-30 20:57:52 -04:00
parent 3b7085ca28
commit 18888351e9
13 changed files with 226 additions and 59 deletions
--- a/packages/opencode/src/tool/bash.ts
+++ b/packages/opencode/src/tool/bash.ts
@@ -2,11 +2,21 @@ import { z } from "zod"
 import { Tool } from "./tool"
 import DESCRIPTION from "./bash.txt"
 import { App } from "../app/app"
+import path from "path"
+
+import Parser from "tree-sitter"
+import Bash from "tree-sitter-bash"
+import { Config } from "../config/config"
+import { Filesystem } from "../util/filesystem"
+import { Permission } from "../permission"

 const MAX_OUTPUT_LENGTH = 30000
 const DEFAULT_TIMEOUT = 1 * 60 * 1000
 const MAX_TIMEOUT = 10 * 60 * 1000

+const parser = new Parser()
+parser.setLanguage(Bash.language as any)
+
 export const BashTool = Tool.define("bash", {
  description: DESCRIPTION,
  parameters: z.object({
@@ -20,10 +30,81 @@ export const BashTool = Tool.define("bash", {
  }),
  async execute(params, ctx) {
    const timeout = Math.min(params.timeout ?? DEFAULT_TIMEOUT, MAX_TIMEOUT)
+    const tree = parser.parse(params.command)
+    const cfg = await Config.get()
+    const app = App.info()
+    const permissions = (() => {
+      const value = cfg.permission?.bash
+      if (!value)
+        return {
+          "*": "allow",
+        }
+      if (typeof value === "string")
+        return {
+          "*": value,
+        }
+      return value
+    })()
+
+    let needsAsk = false
+    for (const node of tree.rootNode.descendantsOfType("command")) {
+      const command = []
+      for (let i = 0; i < node.childCount; i++) {
+        const child = node.child(i)
+        if (!child) continue
+        if (
+          child.type !== "command_name" &&
+          child.type !== "word" &&
+          child.type !== "string" &&
+          child.type !== "raw_string" &&
+          child.type !== "concatenation"
+        ) {
+          continue
+        }
+        command.push(child.text)
+      }
+
+      // not an exhaustive list, but covers most common cases
+      if (["cd", "rm", "cp", "mv", "mkdir", "touch", "chmod", "chown"].includes(command[0])) {
+        for (const arg of command.slice(1)) {
+          if (arg.startsWith("-")) continue
+          const resolved = path.resolve(app.path.cwd, arg)
+          if (!Filesystem.contains(app.path.cwd, resolved)) {
+            throw new Error(
+              `This command references paths outside of ${app.path.cwd} so it is not allowed to be executed.`,
+            )
+          }
+        }
+      }
+
+      // always allow cd if it passes above check
+      if (!needsAsk && command[0] !== "cd") {
+        const ask = (() => {
+          for (const [pattern, value] of Object.entries(permissions)) {
+            if (new Bun.Glob(pattern).match(node.text)) {
+              return value
+            }
+          }
+          return "ask"
+        })()
+        if (ask === "ask") needsAsk = true
+      }
+    }
+
+    if (needsAsk) {
+      await Permission.ask({
+        id: "basj",
+        sessionID: ctx.sessionID,
+        title: params.command,
+        metadata: {
+          command: params.command,
+        },
+      })
+    }

    const process = Bun.spawn({
      cmd: ["bash", "-c", params.command],
-      cwd: App.info().path.cwd,
+      cwd: app.path.cwd,
      maxBuffer: MAX_OUTPUT_LENGTH,
      signal: ctx.abort,
      timeout: timeout,