mirror of
https://github.com/claude-code-best/claude-code.git
synced 2026-06-18 06:15:51 +00:00
2fb1c9dcd8
* feat: 第一版大重构 * fix: 修复类型问题 * chore: 更新版本到 1.3.2 * Add brave as alternative WebSearchTool * fix: 修正顺序 * fix: 修复对穷鬼模式的 auto dream 和 session memory 越过 * feat: 穷鬼模式去除 session-summary * feat: 创建 builtin-tools 包,搬运所有工具实现 将 src/tools/ 下的全部 60 个工具目录迁移至 packages/builtin-tools/src/tools/, 内部导入路径已更新为 src/ alias 模式。 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: 更新 src/ 中所有工具引用至 builtin-tools 包,删除 src/tools/ - src/tools.ts 及 178 个 src/ 文件的 import 路径从 ./tools/ 改为 builtin-tools/tools/ - 删除 src/tools/ 整个目录(已迁移至 packages/builtin-tools/) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * chore: 添加 builtin-tools 路径别名至 tsconfig,更新 bun.lock - tsconfig.json 新增 builtin-tools/* 和 builtin-tools 路径映射 - 新增 packages/builtin-tools/src 至 include Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: 为 builtin-tools、mcp-client、agent-tools 添加 @claude-code-best 作用域前缀 所有包名及 import 路径统一添加 @claude-code-best/ 前缀: - builtin-tools → @claude-code-best/builtin-tools - mcp-client → @claude-code-best/mcp-client - agent-tools → @claude-code-best/agent-tools Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: 修复 node 环境没有 bun 的问题 --------- Co-authored-by: Eric-Guo <eric.guocz@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
266 lines
8.4 KiB
TypeScript
266 lines
8.4 KiB
TypeScript
import type { z } from 'zod/v4'
|
|
import {
|
|
isUnsafeCompoundCommand_DEPRECATED,
|
|
splitCommand_DEPRECATED,
|
|
} from 'src/utils/bash/commands.js'
|
|
import {
|
|
buildParsedCommandFromRoot,
|
|
type IParsedCommand,
|
|
ParsedCommand,
|
|
} from 'src/utils/bash/ParsedCommand.js'
|
|
import { type Node, PARSE_ABORTED } from 'src/utils/bash/parser.js'
|
|
import type { PermissionResult } from 'src/utils/permissions/PermissionResult.js'
|
|
import type { PermissionUpdate } from 'src/utils/permissions/PermissionUpdateSchema.js'
|
|
import { createPermissionRequestMessage } from 'src/utils/permissions/permissions.js'
|
|
import { BashTool } from './BashTool.js'
|
|
import { bashCommandIsSafeAsync_DEPRECATED } from './bashSecurity.js'
|
|
|
|
export type CommandIdentityCheckers = {
|
|
isNormalizedCdCommand: (command: string) => boolean
|
|
isNormalizedGitCommand: (command: string) => boolean
|
|
}
|
|
|
|
async function segmentedCommandPermissionResult(
|
|
input: z.infer<typeof BashTool.inputSchema>,
|
|
segments: string[],
|
|
bashToolHasPermissionFn: (
|
|
input: z.infer<typeof BashTool.inputSchema>,
|
|
) => Promise<PermissionResult>,
|
|
checkers: CommandIdentityCheckers,
|
|
): Promise<PermissionResult> {
|
|
// Check for multiple cd commands across all segments
|
|
const cdCommands = segments.filter(segment => {
|
|
const trimmed = segment.trim()
|
|
return checkers.isNormalizedCdCommand(trimmed)
|
|
})
|
|
if (cdCommands.length > 1) {
|
|
const decisionReason = {
|
|
type: 'other' as const,
|
|
reason:
|
|
'Multiple directory changes in one command require approval for clarity',
|
|
}
|
|
return {
|
|
behavior: 'ask',
|
|
decisionReason,
|
|
message: createPermissionRequestMessage(BashTool.name, decisionReason),
|
|
}
|
|
}
|
|
|
|
// SECURITY: Check for cd+git across pipe segments to prevent bare repo fsmonitor bypass.
|
|
// When cd and git are in different pipe segments (e.g., "cd sub && echo | git status"),
|
|
// each segment is checked independently and neither triggers the cd+git check in
|
|
// bashPermissions.ts. We must detect this cross-segment pattern here.
|
|
// Each pipe segment can itself be a compound command (e.g., "cd sub && echo"),
|
|
// so we split each segment into subcommands before checking.
|
|
{
|
|
let hasCd = false
|
|
let hasGit = false
|
|
for (const segment of segments) {
|
|
const subcommands = splitCommand_DEPRECATED(segment)
|
|
for (const sub of subcommands) {
|
|
const trimmed = sub.trim()
|
|
if (checkers.isNormalizedCdCommand(trimmed)) {
|
|
hasCd = true
|
|
}
|
|
if (checkers.isNormalizedGitCommand(trimmed)) {
|
|
hasGit = true
|
|
}
|
|
}
|
|
}
|
|
if (hasCd && hasGit) {
|
|
const decisionReason = {
|
|
type: 'other' as const,
|
|
reason:
|
|
'Compound commands with cd and git require approval to prevent bare repository attacks',
|
|
}
|
|
return {
|
|
behavior: 'ask',
|
|
decisionReason,
|
|
message: createPermissionRequestMessage(BashTool.name, decisionReason),
|
|
}
|
|
}
|
|
}
|
|
|
|
const segmentResults = new Map<string, PermissionResult>()
|
|
|
|
// Check each segment through the full permission system
|
|
for (const segment of segments) {
|
|
const trimmedSegment = segment.trim()
|
|
if (!trimmedSegment) continue // Skip empty segments
|
|
|
|
const segmentResult = await bashToolHasPermissionFn({
|
|
...input,
|
|
command: trimmedSegment,
|
|
})
|
|
segmentResults.set(trimmedSegment, segmentResult)
|
|
}
|
|
|
|
// Check if any segment is denied (after evaluating all)
|
|
const deniedSegment = Array.from(segmentResults.entries()).find(
|
|
([, result]) => result.behavior === 'deny',
|
|
)
|
|
|
|
if (deniedSegment) {
|
|
const [segmentCommand, segmentResult] = deniedSegment
|
|
return {
|
|
behavior: 'deny',
|
|
message:
|
|
segmentResult.behavior === 'deny'
|
|
? segmentResult.message
|
|
: `Permission denied for: ${segmentCommand}`,
|
|
decisionReason: {
|
|
type: 'subcommandResults',
|
|
reasons: segmentResults,
|
|
},
|
|
}
|
|
}
|
|
|
|
const allAllowed = Array.from(segmentResults.values()).every(
|
|
result => result.behavior === 'allow',
|
|
)
|
|
|
|
if (allAllowed) {
|
|
return {
|
|
behavior: 'allow',
|
|
updatedInput: input,
|
|
decisionReason: {
|
|
type: 'subcommandResults',
|
|
reasons: segmentResults,
|
|
},
|
|
}
|
|
}
|
|
|
|
// Collect suggestions from segments that need approval
|
|
const suggestions: PermissionUpdate[] = []
|
|
for (const [, result] of segmentResults) {
|
|
if (
|
|
result.behavior !== 'allow' &&
|
|
'suggestions' in result &&
|
|
result.suggestions
|
|
) {
|
|
suggestions.push(...result.suggestions)
|
|
}
|
|
}
|
|
|
|
const decisionReason = {
|
|
type: 'subcommandResults' as const,
|
|
reasons: segmentResults,
|
|
}
|
|
|
|
return {
|
|
behavior: 'ask',
|
|
message: createPermissionRequestMessage(BashTool.name, decisionReason),
|
|
decisionReason,
|
|
suggestions: suggestions.length > 0 ? suggestions : undefined,
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Builds a command segment, stripping output redirections to avoid
|
|
* treating filenames as commands in permission checking.
|
|
* Uses ParsedCommand to preserve original quoting.
|
|
*/
|
|
async function buildSegmentWithoutRedirections(
|
|
segmentCommand: string,
|
|
): Promise<string> {
|
|
// Fast path: skip parsing if no redirection operators present
|
|
if (!segmentCommand.includes('>')) {
|
|
return segmentCommand
|
|
}
|
|
|
|
// Use ParsedCommand to strip redirections while preserving quotes
|
|
const parsed = await ParsedCommand.parse(segmentCommand)
|
|
return parsed?.withoutOutputRedirections() ?? segmentCommand
|
|
}
|
|
|
|
/**
|
|
* Wrapper that resolves an IParsedCommand (from a pre-parsed AST root if
|
|
* available, else via ParsedCommand.parse) and delegates to
|
|
* bashToolCheckCommandOperatorPermissions.
|
|
*/
|
|
export async function checkCommandOperatorPermissions(
|
|
input: z.infer<typeof BashTool.inputSchema>,
|
|
bashToolHasPermissionFn: (
|
|
input: z.infer<typeof BashTool.inputSchema>,
|
|
) => Promise<PermissionResult>,
|
|
checkers: CommandIdentityCheckers,
|
|
astRoot: Node | null | typeof PARSE_ABORTED,
|
|
): Promise<PermissionResult> {
|
|
const parsed =
|
|
astRoot && astRoot !== PARSE_ABORTED
|
|
? buildParsedCommandFromRoot(input.command, astRoot)
|
|
: await ParsedCommand.parse(input.command)
|
|
if (!parsed) {
|
|
return { behavior: 'passthrough', message: 'Failed to parse command' }
|
|
}
|
|
return bashToolCheckCommandOperatorPermissions(
|
|
input,
|
|
bashToolHasPermissionFn,
|
|
checkers,
|
|
parsed,
|
|
)
|
|
}
|
|
|
|
/**
|
|
* Checks if the command has special operators that require behavior beyond
|
|
* simple subcommand checking.
|
|
*/
|
|
async function bashToolCheckCommandOperatorPermissions(
|
|
input: z.infer<typeof BashTool.inputSchema>,
|
|
bashToolHasPermissionFn: (
|
|
input: z.infer<typeof BashTool.inputSchema>,
|
|
) => Promise<PermissionResult>,
|
|
checkers: CommandIdentityCheckers,
|
|
parsed: IParsedCommand,
|
|
): Promise<PermissionResult> {
|
|
// 1. Check for unsafe compound commands (subshells, command groups).
|
|
const tsAnalysis = parsed.getTreeSitterAnalysis()
|
|
const isUnsafeCompound = tsAnalysis
|
|
? tsAnalysis.compoundStructure.hasSubshell ||
|
|
tsAnalysis.compoundStructure.hasCommandGroup
|
|
: isUnsafeCompoundCommand_DEPRECATED(input.command)
|
|
if (isUnsafeCompound) {
|
|
// This command contains an operator like `>` that we don't support as a subcommand separator
|
|
// Check if bashCommandIsSafe_DEPRECATED has a more specific message
|
|
const safetyResult = await bashCommandIsSafeAsync_DEPRECATED(input.command)
|
|
|
|
const decisionReason = {
|
|
type: 'other' as const,
|
|
reason:
|
|
safetyResult.behavior === 'ask' && safetyResult.message
|
|
? safetyResult.message
|
|
: 'This command uses shell operators that require approval for safety',
|
|
}
|
|
return {
|
|
behavior: 'ask',
|
|
message: createPermissionRequestMessage(BashTool.name, decisionReason),
|
|
decisionReason,
|
|
// This is an unsafe compound command, so we don't want to suggest rules since we wont be able to allow it
|
|
}
|
|
}
|
|
|
|
// 2. Check for piped commands using ParsedCommand (preserves quotes)
|
|
const pipeSegments = parsed.getPipeSegments()
|
|
|
|
// If no pipes (single segment), let normal flow handle it
|
|
if (pipeSegments.length <= 1) {
|
|
return {
|
|
behavior: 'passthrough',
|
|
message: 'No pipes found in command',
|
|
}
|
|
}
|
|
|
|
// Strip output redirections from each segment while preserving quotes
|
|
const segments = await Promise.all(
|
|
pipeSegments.map(segment => buildSegmentWithoutRedirections(segment)),
|
|
)
|
|
|
|
// Handle as segmented command
|
|
return segmentedCommandPermissionResult(
|
|
input,
|
|
segments,
|
|
bashToolHasPermissionFn,
|
|
checkers,
|
|
)
|
|
}
|