From dc8b5b4f47148e90ca96d625ffcd8d9759262aa9 Mon Sep 17 00:00:00 2001 From: necoweb3 Date: Wed, 1 Jul 2026 01:23:27 -0700 Subject: [PATCH] fix(approval): detect encoding-based dangerous command bypass (#30100) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit echo | base64 -d | bash (and base32/base16, xxd -r, tr transforms, openssl base64/enc -d) decode a dangerous command at runtime — the raw text carries no dangerous keyword, so the denylist never fired. Adds DANGEROUS_PATTERNS entries for decode-and-execute pipes into a shell. --- tools/approval.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tools/approval.py b/tools/approval.py index 68f0340e5..6bdae8f2d 100644 --- a/tools/approval.py +++ b/tools/approval.py @@ -510,6 +510,22 @@ DANGEROUS_PATTERNS = [ # Remote content executed via command substitution: eval/source/. $(curl ...) # or `wget ...`. Equivalent to piping remote content to a shell. (r'(?:\beval\b|\bsource\b|\.)\s*(?:\$\(\s*|`\s*)(?:curl|wget)\b', "execute remote content via command substitution"), + # Decode-and-execute: encoded/transformed content piped to a shell. Without + # these, `echo | base64 -d | bash` silently runs `rm -rf /` or any + # other command because the raw text carries no dangerous keywords. + (r'\b(base64|base32|base16)\s+(?:-[dD]|--decode)\b.*\|\s*\b(bash|sh|zsh|ksh|dash)\b', + "pipe decoded content to shell (possible command obfuscation)"), + # xxd reverse hex dump to shell (xxd uses -r for decode, not -d). + (r'\bxxd\s+-r\b.*\|\s*\b(bash|sh|zsh|ksh|dash)\b', + "pipe xxd-decoded content to shell (possible command obfuscation)"), + # Character transformation via tr piped to shell: + # `echo 'eq -pe v/' | tr 'eqv' 'rmf' | bash` decodes to `rm -rf /`. + (r'\becho\b[^|]*\|\s*\btr\b[^|]*\|\s*\b(bash|sh|zsh|ksh|dash)\b', + "pipe tr-transformed output to shell (possible command obfuscation)"), + # openssl decode piped to shell: + # `echo | openssl base64 -d | bash` decodes arbitrary commands. + (r'\bopenssl\b.*\b(?:base64|enc)\b[^|]*\s+-[dD]\b[^|]*\|\s*\b(bash|sh|zsh|ksh|dash)\b', + "pipe openssl-decoded content to shell (possible command obfuscation)"), (rf'\btee\b.*["\']?{_SENSITIVE_WRITE_TARGET}', "overwrite system file via tee"), (rf'>>?\s*["\']?{_SENSITIVE_WRITE_TARGET}', "overwrite system file via redirection"), (rf'\btee\b.*["\']?{_PROJECT_SENSITIVE_WRITE_TARGET}["\']?{_WRITE_TARGET_BOUNDARY}', "overwrite project env/config via tee"),