fix(core): 修复 Plan Agent 通过 heredoc 绕过写入限制的安全漏洞

- 重排 bash 权限规则顺序，deny 规则置于 allow 规则之前 - 添加 heredoc 重定向检测规则 (* << *) - 新增 checkRedirectInRawCommand 预检函数，在 tree-sitter 解析前检测重定向 - 禁用 Plan Agent 的 tool_search 工具，防止动态发现写入工具 - 添加更多危险命令: ln, install, truncate, dd, tee
2025-12-16 11:23:02 +08:00
parent e698ec2a64
commit 70394ed06c
2 changed files with 89 additions and 32 deletions
@@ -37,6 +37,8 @@ export const planAgent: Omit<AgentInfo, 'name'> = {
      'checkpoint_create',
      'checkpoint_restore',
      'undo',
+      // 工具发现（Plan 模式不应动态发现新工具）
+      'tool_search',
    ],
  },
  permission: {
@@ -49,6 +51,52 @@ export const planAgent: Omit<AgentInfo, 'name'> = {
    bash: {
      enabled: true,
      rules: [
+        // ============================================================
+        // 重要：deny 规则必须放在 allow 规则之前，确保优先匹配！
+        // ============================================================
+
+        // ============ 危险命令 - 拒绝 ============
+        { pattern: 'rm *', action: 'deny' },
+        { pattern: 'rmdir *', action: 'deny' },
+        { pattern: 'mv *', action: 'deny' },
+        { pattern: 'cp *', action: 'deny' },
+        { pattern: 'mkdir *', action: 'deny' },
+        { pattern: 'touch *', action: 'deny' },
+        { pattern: 'chmod *', action: 'deny' },
+        { pattern: 'chown *', action: 'deny' },
+        { pattern: 'sudo *', action: 'deny' },
+        { pattern: 'su *', action: 'deny' },
+        { pattern: 'ln *', action: 'deny' },
+        { pattern: 'install *', action: 'deny' },
+        { pattern: 'truncate *', action: 'deny' },
+        { pattern: 'dd *', action: 'deny' },
+        { pattern: 'tee *', action: 'deny' },
+
+        // ============ 重定向操作 - 拒绝（必须在 cat/echo 等允许规则之前）============
+        { pattern: '* > *', action: 'deny' },
+        { pattern: '* >> *', action: 'deny' },
+        { pattern: '* << *', action: 'deny' }, // heredoc 重定向
+
+        // ============ Git 写操作 - 拒绝 ============
+        { pattern: 'git add *', action: 'deny' },
+        { pattern: 'git commit *', action: 'deny' },
+        { pattern: 'git push *', action: 'deny' },
+        { pattern: 'git pull *', action: 'deny' },
+        { pattern: 'git checkout *', action: 'deny' },
+        { pattern: 'git reset *', action: 'deny' },
+        { pattern: 'git rebase *', action: 'deny' },
+        { pattern: 'git merge *', action: 'deny' },
+        { pattern: 'git stash *', action: 'deny' },
+        { pattern: 'git clean *', action: 'deny' },
+
+        // ============ find 危险操作 - 拒绝 ============
+        { pattern: 'find * -delete*', action: 'deny' },
+        { pattern: 'find * -exec*', action: 'deny' },
+
+        // ============================================================
+        // 以下为只读操作的 allow 规则
+        // ============================================================
+
        // ============ 文件查看 - 允许 ============
        { pattern: 'ls', action: 'allow' },
        { pattern: 'ls *', action: 'allow' },
@@ -100,38 +148,6 @@ export const planAgent: Omit<AgentInfo, 'name'> = {
        { pattern: 'git blame *', action: 'allow' },
        { pattern: 'git ls-files*', action: 'allow' },
        { pattern: 'git rev-parse *', action: 'allow' },
-
-        // ============ 危险命令 - 拒绝 ============
-        { pattern: 'rm *', action: 'deny' },
-        { pattern: 'rmdir *', action: 'deny' },
-        { pattern: 'mv *', action: 'deny' },
-        { pattern: 'cp *', action: 'deny' },
-        { pattern: 'mkdir *', action: 'deny' },
-        { pattern: 'touch *', action: 'deny' },
-        { pattern: 'chmod *', action: 'deny' },
-        { pattern: 'chown *', action: 'deny' },
-        { pattern: 'sudo *', action: 'deny' },
-        { pattern: 'su *', action: 'deny' },
-
-        // ============ Git 写操作 - 拒绝 ============
-        { pattern: 'git add *', action: 'deny' },
-        { pattern: 'git commit *', action: 'deny' },
-        { pattern: 'git push *', action: 'deny' },
-        { pattern: 'git pull *', action: 'deny' },
-        { pattern: 'git checkout *', action: 'deny' },
-        { pattern: 'git reset *', action: 'deny' },
-        { pattern: 'git rebase *', action: 'deny' },
-        { pattern: 'git merge *', action: 'deny' },
-        { pattern: 'git stash *', action: 'deny' },
-        { pattern: 'git clean *', action: 'deny' },
-
-        // ============ find 危险操作 - 拒绝 ============
-        { pattern: 'find * -delete*', action: 'deny' },
-        { pattern: 'find * -exec*', action: 'deny' },
-
-        // ============ 重定向操作 - 拒绝 ============
-        { pattern: '* > *', action: 'deny' },
-        { pattern: '* >> *', action: 'deny' },
      ],
      default: 'ask', // 其他命令询问用户
    },