diff --git a/tests/tools/test_hardline_blocklist.py b/tests/tools/test_hardline_blocklist.py index 960b4e7c2..29138c836 100644 --- a/tests/tools/test_hardline_blocklist.py +++ b/tests/tools/test_hardline_blocklist.py @@ -200,6 +200,37 @@ def test_quoted_and_brace_paths_are_hardline_blocked(command): assert desc +# ------------------------------------------------------------------------- +# Shell line-continuation bypass +# ------------------------------------------------------------------------- +# +# A backslash immediately followed by a newline is a POSIX line +# continuation: the shell removes BOTH characters and joins the tokens, so +# `rm -rf \/` executes as `rm -rf /`. The normalizer used to strip +# only backslash-escapes of NON-newline characters (`\\([^\n])`), leaving the +# dangling backslash wedged between tokens — which broke the structured +# rm/dd/mkfs patterns and let a root wipe slip past the hardline floor. + +# (command_with_continuation, description_substring) — each is the +# line-continuation form of a command already in _HARDLINE_BLOCK. +_HARDLINE_LINE_CONTINUATION = [ + ("rm -rf \\\n/", "root"), # split before the path + ("rm -r\\\nf /", "root"), # split inside the flag bundle + ("rm -rf \\\n~", "home"), # home-directory wipe + ("rm -rf \\\r\n/", "root"), # CRLF line ending + ("mkfs.ext4 \\\n/dev/sda1", "mkfs"), # filesystem format +] + + +@pytest.mark.parametrize("command,desc_substr", _HARDLINE_LINE_CONTINUATION) +def test_hardline_blocks_line_continuation(command, desc_substr): + is_hl, desc = detect_hardline_command(command) + assert is_hl, f"line-continuation bypassed hardline detection: {command!r}" + assert desc and desc_substr in desc.lower(), ( + f"unexpected description {desc!r} for {command!r}" + ) + + # ------------------------------------------------------------------------- # Integration with the approval flow # ------------------------------------------------------------------------- @@ -250,6 +281,21 @@ def test_yolo_env_var_cannot_bypass_hardline(clean_session, monkeypatch): assert r2.get("hardline") is True +def test_line_continuation_root_wipe_cannot_bypass_hardline(clean_session, monkeypatch): + """A line-continuation root wipe must stay blocked even under yolo. + + `rm -rf \\/` runs as `rm -rf /`. Yolo bypasses the regular + dangerous-command layer, so the hardline floor is the only thing left to + catch it — it must hold. + """ + monkeypatch.setenv("HERMES_YOLO_MODE", "1") + + result = check_all_command_guards("rm -rf \\\n/", "local") + assert result["approved"] is False, "yolo leaked a line-continuation root wipe" + assert result.get("hardline") is True + assert "BLOCKED (hardline)" in result["message"] + + def test_session_yolo_cannot_bypass_hardline(clean_session): """Gateway /yolo (session-scoped) must not bypass the hardline floor.""" enable_session_yolo("hardline_test") diff --git a/tools/approval.py b/tools/approval.py index 2e074c825..6d4b4c2cd 100644 --- a/tools/approval.py +++ b/tools/approval.py @@ -681,6 +681,16 @@ def _normalize_command_for_detection(command: str) -> str: command = command.replace('\x00', '') # Normalize Unicode (fullwidth Latin, halfwidth Katakana, etc.) command = unicodedata.normalize('NFKC', command) + # Collapse shell line continuations (backslash-newline). The shell removes + # BOTH characters and joins the tokens, so `rm -rf \/` executes as + # `rm -rf /`. This must run BEFORE the generic backslash-escape strip below, + # whose [^\n] class deliberately skips newlines and would otherwise leave + # the dangling backslash wedged between tokens — defeating the structured + # rm/mkfs/dd patterns (notably the HARDLINE root-delete floor, which cannot + # be bypassed even with yolo). Handles both \n and \r\n line endings. Line + # continuations carry no path separator, so this is a no-op on the Windows + # home-prefix folds below (which match C:\Users\alice\... — no newline). + command = re.sub(r'\\\r?\n', '', command) # Fold absolute home / active-profile-home prefixes into their canonical # ~/ and ~/.hermes/ forms so static user-sensitive patterns catch # /home/alice/.bashrc and C:\Users\alice\.bashrc the same way they catch