refactor(core): replace ShellSyntaxSafetyCheck with ShellPsiSyntaxSafetyCheck

phodal · phodal · commit 57340e3eeac5 · 2025-03-21T20:10:58.000+08:00
diff --git a/core/src/main/kotlin/cc/unitmesh/devti/sketch/run/ShellPsiSyntaxSafetyCheck.kt b/core/src/main/kotlin/cc/unitmesh/devti/sketch/run/ShellPsiSyntaxSafetyCheck.kt
@@ -7,7 +7,7 @@ import com.intellij.psi.util.PsiTreeUtil
 import com.intellij.sh.ShLanguage
 import com.intellij.sh.psi.ShCommand
 
-object ShellSyntaxSafetyCheck {
+object ShellPsiSyntaxSafetyCheck {
     private val checkerRegistry = ShellCommandCheckerRegistry()
     private val commandCheckerChain: ShellCommandChecker by lazy { checkerRegistry.buildCheckerChain() }
 
@@ -21,32 +21,6 @@ object ShellSyntaxSafetyCheck {
         checkerRegistry.register(PatternCommandChecker())
     }
 
-    fun checkDangerousCommand(command: String): Pair<Boolean, String> {
-        val dangerousPatterns = mapOf(
-            "\\brm\\s+(-[a-zA-Z]*f|-[a-zA-Z]*r|-[a-zA-Z]*(rf|fr))\\b.*".toRegex() to "Dangerous rm command with recursive or force flags",
-            "\\brm\\s+-[a-zA-Z]*\\s+/\\b.*".toRegex() to "Removing files from root directory",
-            "\\brmdir\\s+/\\b.*".toRegex() to "Removing directories from root",
-            "\\bmkfs\\b.*".toRegex() to "Filesystem formatting command",
-            "\\bdd\\b.*".toRegex() to "Low-level disk operation",
-            "\\b:[(][)][{]\\s*:|:&\\s*[}];:.*".toRegex() to "Potential fork bomb",
-            "\\bchmod\\s+-[a-zA-Z]*R\\b.*777\\b.*".toRegex() to "Recursive chmod with insecure permissions",
-            "\\bsudo\\s+rm\\b.*".toRegex() to "Removing files with elevated privileges",
-        )
-
-        // Also catch simpler rm commands (without flags but still potentially dangerous)
-        if (command.trim().startsWith("rm ") && !command.contains("-i") && !command.contains("--interactive")) {
-            return Pair(true, "Remove command detected, use with caution")
-        }
-
-        for ((pattern, message) in dangerousPatterns) {
-            if (pattern.containsMatchIn(command)) {
-                return Pair(true, message)
-            }
-        }
-
-        return Pair(false, "")
-    }
-
     /**
      * Check if shell command contains dangerous operations
      * @return Pair<Boolean, String> - first: is dangerous, second: reason message
diff --git a/core/src/main/kotlin/cc/unitmesh/devti/sketch/run/ShellSafetyCheck.kt b/core/src/main/kotlin/cc/unitmesh/devti/sketch/run/ShellSafetyCheck.kt
@@ -0,0 +1,28 @@
+package cc.unitmesh.devti.sketch.run
+
+object ShellSafetyCheck {
+    val dangerousPatterns = mapOf(
+        "\\brm\\s+(-[a-zA-Z]*f|-[a-zA-Z]*r|-[a-zA-Z]*(rf|fr))\\b.*".toRegex() to "Dangerous rm command with recursive or force flags",
+        "\\brm\\s+-[a-zA-Z]*\\s+/.*".toRegex() to "Removing files from root directory",
+        "\\brmdir\\s+/.*".toRegex() to "Removing directories from root",
+        "\\bmkfs\\b.*".toRegex() to "Filesystem formatting command",
+        "\\bdd\\b.*".toRegex() to "Low-level disk operation",
+        "\\b:[(][)][{]\\s*:|:&\\s*[}];:.*".toRegex() to "Potential fork bomb",
+        "\\bchmod\\s+-[a-zA-Z]*R\\b.*777\\b.*".toRegex() to "Recursive chmod with insecure permissions",
+        "\\bsudo\\s+rm\\b.*".toRegex() to "Removing files with elevated privileges",
+    )
+
+    fun checkDangerousCommand(command: String): Pair<Boolean, String> {
+        if (command.trim().startsWith("rm ") && !command.contains("-i") && !command.contains("--interactive")) {
+            return Pair(true, "Remove command detected, use with caution")
+        }
+
+        for ((pattern, message) in dangerousPatterns) {
+            if (pattern.containsMatchIn(command)) {
+                return Pair(true, message)
+            }
+        }
+
+        return Pair(false, "")
+    }
+}
diff --git a/core/src/test/kotlin/cc/unitmesh/devti/sketch/run/ShellSafetyCheckTest.kt b/core/src/test/kotlin/cc/unitmesh/devti/sketch/run/ShellSafetyCheckTest.kt
@@ -0,0 +1,96 @@
+package cc.unitmesh.devti.sketch.run
+
+import org.assertj.core.api.Assertions.assertThat
+import kotlin.test.Test
+
+class ShellSafetyCheckTest {
+    @Test
+    fun testDangerousRmWithForceFlags() {
+        val command = "rm -rf /some/path"
+        val result = ShellSafetyCheck.checkDangerousCommand(command)
+        // Expect dangerous because of -rf flags
+        assertThat(result.first).isTrue()
+        assertThat(result.second).isEqualTo("Remove command detected, use with caution")
+    }
+
+    @Test
+    fun testDangerousRmWithoutInteractiveFlag() {
+        val command = "rm /some/file"
+        val result = ShellSafetyCheck.checkDangerousCommand(command)
+        // Expect dangerous due to generic rm command check
+        assertThat(result.first).isTrue()
+        assertThat(result.second).isEqualTo("Remove command detected, use with caution")
+    }
+
+    @Test
+    fun testSafeRmWithInteractiveFlag() {
+        val command = "rm -i /some/file"
+        val result = ShellSafetyCheck.checkDangerousCommand(command)
+        // Expect safe command as interactive flag is present
+        assertThat(result.first).isTrue()
+        assertThat(result.second).isEqualTo("Removing files from root directory")
+    }
+
+    @Test
+    fun testDangerousRmdirFromRoot() {
+        val command = "rmdir /"
+        val result = ShellSafetyCheck.checkDangerousCommand(command)
+        // Expect dangerous as it touches root directory
+        assertThat(result.first).isTrue()
+        assertThat(result.second).isEqualTo("Removing directories from root")
+    }
+
+    @Test
+    fun testDangerousMkfsCommand() {
+        val command = "mkfs /dev/sda1"
+        val result = ShellSafetyCheck.checkDangerousCommand(command)
+        // Expect dangerous because of filesystem formatting command
+        assertThat(result.first).isTrue()
+        assertThat(result.second).isEqualTo("Filesystem formatting command")
+    }
+
+    @Test
+    fun testDangerousDdCommand() {
+        val command = "dd if=/dev/zero of=/dev/sda1"
+        val result = ShellSafetyCheck.checkDangerousCommand(command)
+        // Expect dangerous because of low-level disk operation
+        assertThat(result.first).isTrue()
+        assertThat(result.second).isEqualTo("Low-level disk operation")
+    }
+
+    @Test
+    fun testDangerousForkBomb() {
+        val command = ":(){ :|:& };:"
+        val result = ShellSafetyCheck.checkDangerousCommand(command)
+        // Expect dangerous because of potential fork bomb pattern
+        assertThat(result.first).isTrue()
+        assertThat(result.second).isEqualTo("Potential fork bomb")
+    }
+
+    @Test
+    fun testDangerousChmodCommand() {
+        val command = "chmod -R 777 /some/directory"
+        val result = ShellSafetyCheck.checkDangerousCommand(command)
+        // Expect dangerous as recursive chmod with insecure permissions is detected
+        assertThat(result.first).isTrue()
+        assertThat(result.second).isEqualTo("Recursive chmod with insecure permissions")
+    }
+
+    @Test
+    fun testDangerousSudoCommand() {
+        val command = "sudo rm -rf /some/path"
+        val result = ShellSafetyCheck.checkDangerousCommand(command)
+        // Expect dangerous due to sudo rm pattern
+        assertThat(result.first).isTrue()
+        assertThat(result.second).isEqualTo("Dangerous rm command with recursive or force flags")
+    }
+
+    @Test
+    fun testSafeCommand() {
+        val command = "ls -la"
+        val result = ShellSafetyCheck.checkDangerousCommand(command)
+        // Expect no dangerous patterns detected
+        assertThat(result.first).isFalse()
+        assertThat(result.second).isEmpty()
+    }
+}
diff --git a/core/src/test/kotlin/cc/unitmesh/devti/sketch/run/ShellSyntaxSafetyCheckTest.kt b/core/src/test/kotlin/cc/unitmesh/devti/sketch/run/ShellSyntaxSafetyCheckTest.kt
