fix(approval): detect encoding-based dangerous command bypass (#30100)

echo <base64> | base64 -d | bash (and base32/base16, xxd -r, tr
transforms, openssl base64/enc -d) decode a dangerous command at
runtime — the raw text carries no dangerous keyword, so the denylist
never fired. Adds DANGEROUS_PATTERNS entries for decode-and-execute
pipes into a shell.
This commit is contained in:
necoweb3 2026-07-01 01:23:27 -07:00 committed by Teknium
parent 4b5fce66f5
commit dc8b5b4f47

View file

@ -510,6 +510,22 @@ DANGEROUS_PATTERNS = [
# Remote content executed via command substitution: eval/source/. $(curl ...)
# or `wget ...`. Equivalent to piping remote content to a shell.
(r'(?:\beval\b|\bsource\b|\.)\s*(?:\$\(\s*|`\s*)(?:curl|wget)\b', "execute remote content via command substitution"),
# Decode-and-execute: encoded/transformed content piped to a shell. Without
# these, `echo <base64> | base64 -d | bash` silently runs `rm -rf /` or any
# other command because the raw text carries no dangerous keywords.
(r'\b(base64|base32|base16)\s+(?:-[dD]|--decode)\b.*\|\s*\b(bash|sh|zsh|ksh|dash)\b',
"pipe decoded content to shell (possible command obfuscation)"),
# xxd reverse hex dump to shell (xxd uses -r for decode, not -d).
(r'\bxxd\s+-r\b.*\|\s*\b(bash|sh|zsh|ksh|dash)\b',
"pipe xxd-decoded content to shell (possible command obfuscation)"),
# Character transformation via tr piped to shell:
# `echo 'eq -pe v/' | tr 'eqv' 'rmf' | bash` decodes to `rm -rf /`.
(r'\becho\b[^|]*\|\s*\btr\b[^|]*\|\s*\b(bash|sh|zsh|ksh|dash)\b',
"pipe tr-transformed output to shell (possible command obfuscation)"),
# openssl decode piped to shell:
# `echo <base64> | openssl base64 -d | bash` decodes arbitrary commands.
(r'\bopenssl\b.*\b(?:base64|enc)\b[^|]*\s+-[dD]\b[^|]*\|\s*\b(bash|sh|zsh|ksh|dash)\b',
"pipe openssl-decoded content to shell (possible command obfuscation)"),
(rf'\btee\b.*["\']?{_SENSITIVE_WRITE_TARGET}', "overwrite system file via tee"),
(rf'>>?\s*["\']?{_SENSITIVE_WRITE_TARGET}', "overwrite system file via redirection"),
(rf'\btee\b.*["\']?{_PROJECT_SENSITIVE_WRITE_TARGET}["\']?{_WRITE_TARGET_BOUNDARY}', "overwrite project env/config via tee"),