add command black list

Author: rasdani

packages/opencode/src/tool/bash.ts

@@ -20,9 +20,26 @@ import { Plugin } from "@/plugin"
 
 const MAX_METADATA_LENGTH = 30_000
 const DEFAULT_TIMEOUT = Flag.OPENCODE_EXPERIMENTAL_BASH_DEFAULT_TIMEOUT_MS || 2 * 60 * 1000
+const BASE_BLOCKED_BASH_COMMANDS = ["ipython", "jupyter", "nohup"] as const
+const COMMAND_SEPARATORS = /&&|\|\||;|\|/
 
 export const log = Log.create({ service: "bash-tool" })
 
+function blockedBashCommands() {
+  return process.env.ALLOW_GIT === "1" ? [...BASE_BLOCKED_BASH_COMMANDS] : ["git", ...BASE_BLOCKED_BASH_COMMANDS]
+}
+
+function findBlockedCommandInChain(command: string, blocked: Set<string>) {
+  const segments = command.split(COMMAND_SEPARATORS)
+  for (const segment of segments) {
+    const trimmed = segment.trim()
+    if (!trimmed) continue
+    const firstToken = trimmed.split(/\s+/)[0]
+    if (blocked.has(firstToken)) return firstToken
+  }
+  return undefined
+}
+
 const resolveWasm = (asset: string) => {
   if (asset.startsWith("file://")) return fileURLToPath(asset)
   if (asset.startsWith("/") || /^[a-z]:/i.test(asset)) return asset
@@ -76,6 +93,11 @@ export const BashTool = Tool.define("bash", async () => {
         throw new Error(`Invalid timeout value: ${params.timeout}. Timeout must be a positive number.`)
       }
       const timeout = params.timeout ?? DEFAULT_TIMEOUT
+      const blocked = new Set(blockedBashCommands())
+      const blockedCommand = findBlockedCommandInChain(params.command, blocked)
+      if (blockedCommand) {
+        throw new Error(`Bash command '${blockedCommand}' is not allowed. Please use a different command or tool.`)
+      }
       const tree = await parser().then((p) => p.parse(params.command))
       if (!tree) {
         throw new Error("Failed to parse command")

packages/opencode/test/tool/bash.test.ts

@@ -222,7 +222,7 @@ describe("tool.bash permissions", () => {
         }
         await bash.execute(
           {
-            command: "git log --oneline -5",
+            command: "ls -la",
           },
           testCtx,
         )
@@ -302,6 +302,53 @@ describe("tool.bash permissions", () => {
   })
 })
 
+describe("tool.bash blocklist", () => {
+  test("blocks git by default", async () => {
+    await Instance.provide({
+      directory: projectRoot,
+      fn: async () => {
+        const bash = await BashTool.init()
+        await expect(bash.execute({ command: "git status" }, ctx)).rejects.toThrow(
+          "Bash command 'git' is not allowed. Please use a different command or tool.",
+        )
+      },
+    })
+  })
+
+  test("allows git when ALLOW_GIT=1", async () => {
+    const prev = process.env.ALLOW_GIT
+    process.env.ALLOW_GIT = "1"
+    try {
+      await Instance.provide({
+        directory: projectRoot,
+        fn: async () => {
+          const bash = await BashTool.init()
+          const result = await bash.execute({ command: "git --version >/dev/null 2>&1 || true" }, ctx)
+          expect(result.metadata.exit).toBe(0)
+        },
+      })
+    } finally {
+      if (prev === undefined) {
+        delete process.env.ALLOW_GIT
+      } else {
+        process.env.ALLOW_GIT = prev
+      }
+    }
+  })
+
+  test("blocks commands in chained segments", async () => {
+    await Instance.provide({
+      directory: projectRoot,
+      fn: async () => {
+        const bash = await BashTool.init()
+        await expect(bash.execute({ command: "echo ok && nohup sleep 1" }, ctx)).rejects.toThrow(
+          "Bash command 'nohup' is not allowed. Please use a different command or tool.",
+        )
+      },
+    })
+  })
+})
+
 describe("tool.bash truncation", () => {
   test("truncates output exceeding line limit", async () => {
     await Instance.provide({