The server implements three layers of security:
┌──────────────────┬────────────────────────┬───────────────────┐
│ COMMAND SECURITY │ DIRECTORY SECURITY │ SESSION SECURITY │
├──────────────────┼────────────────────────┼───────────────────┤
│ Command allow/ │ Directory whitelist │ Session IDs │
│ block lists │ Runtime approvals │ Persistent perms │
│ Dangerous pattern│ Path normalization │ Auto timeouts │
│ matching │ Symlink resolution │ Desktop mode │
│ Command type │ Subdirectory │ │
│ classification │ inheritance │ │
└──────────────────┴────────────────────────┴───────────────────┘
Every command passes through this pipeline before execution:
- Dangerous pattern check: regex patterns matched against the full command string
- Pipeline/chain splitting: `|`, `;`, `&` split the command into segments, each validated independently
- Block list check: each command checked against explicitly blocked commands
- Allow list check: each command must appear in the read, write, or system list
- Directory check: target directory must be whitelisted or session-approved
- Command type check: write/system commands require approval
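The six stages as a small reference implementation. This is an added example, not the server's code: the `Policy` dataclass, its field names, the command sets and the `/work/proj` whitelist are assumptions. It splits on `&&` and `||` as well as the single operators, parses each segment with `shlex` so an unbalanced quote fails closed, matches the block list on the basename so `/bin/sh` is caught as `sh`, and resolves the working directory with `os.path.realpath` before a path-boundary prefix check so `..` and symlinks cannot escape a whitelisted root. The dangerous-pattern list is kept to three entries here.

```python
import os
import re
import shlex
from dataclasses import dataclass, field

# Illustrative policy structure. The field names, the command sets and the
# whitelisted roots are assumptions made for this example, not the server's
# real configuration schema.
@dataclass
class Policy:
    dangerous_patterns: list[str]
    blocked: set[str]
    read_cmds: set[str]
    write_cmds: set[str]
    system_cmds: set[str]
    allowed_dirs: list[str]          # whitelisted roots; subdirectories inherit
    session_approved_dirs: list[str] = field(default_factory=list)

POLICY = Policy(
    # Deliberately short pattern list; the full vector table is a separate concern.
    dangerous_patterns=[r"\$\(", r"`", r"\b[gmn]?awk\b.*?\bsystem\s*\("],
    blocked={"bash", "sh", "zsh", "ksh", "csh", "fish", "python3", "sudo", "su", "eval", "exec"},
    read_cmds={"ls", "cat", "grep", "head", "wc"},
    write_cmds={"cp", "mv", "touch"},
    system_cmds={"systemctl"},
    allowed_dirs=["/work/proj"],
)

# Chain operators. The README names | ; &; && and || are their two-character
# forms, and a newline is added because sh treats it as a separator too.
SEPARATORS = re.compile(r"\|\||&&|\||;|&|\n")

def split_chain(command: str) -> list[str]:
    """Split a pipeline/chain into segments; each is validated on its own."""
    return [seg.strip() for seg in SEPARATORS.split(command) if seg.strip()]

def under_any(target: str, roots: list[str]) -> bool:
    """True if target, after normalization and symlink resolution, sits in a root."""
    real = os.path.realpath(target)
    for root in roots:
        root_real = os.path.realpath(root).rstrip(os.sep)
        # Compare on a path boundary: /work/projx must not inherit from /work/proj.
        if real == root_real or real.startswith(root_real + os.sep):
            return True
    return False

def validate(command: str, cwd: str, policy: Policy, approved: bool = False) -> tuple[bool, str]:
    """Run the six stages; return (allowed, reason) naming the stage that rejected."""
    # 1. Dangerous patterns, against the full string, before anything else.
    for pat in policy.dangerous_patterns:
        if re.search(pat, command):
            return False, f"dangerous pattern: {pat}"
    # 2. Split the chain; stages 3, 4 and 6 run per segment.
    for seg in split_chain(command):
        try:
            argv = shlex.split(seg)
        except ValueError as exc:          # unbalanced quote: fail closed
            return False, f"unparseable segment: {exc}"
        if not argv:
            return False, "empty segment"
        name = os.path.basename(argv[0])   # /bin/sh is checked as sh
        # 3. Block list.
        if name in policy.blocked:
            return False, f"blocked command: {name}"
        # 4. Allow list, bare names only; a path-qualified command such as
        #    /tmp/ls would otherwise be allow-listed under the name ls.
        if "/" in argv[0]:
            return False, f"path-qualified command not allowed: {argv[0]}"
        if name not in policy.read_cmds | policy.write_cmds | policy.system_cmds:
            return False, f"not in any allow list: {name}"
        # 6. Command type: write/system commands need an approval.
        if name not in policy.read_cmds and not approved:
            return False, f"{name} requires approval"
    # 5. Directory check, once for the whole command.
    roots = policy.allowed_dirs + policy.session_approved_dirs
    if not under_any(cwd, roots):
        return False, f"directory not whitelisted: {cwd}"
    return True, "ok"
```

Rejecting every path-qualified command is this example's choice: it keeps the allow list meaningful (`ls` means the `ls` found on PATH, not an arbitrary file that happens to be named `ls`), while the block list still matches `/bin/bash` by its basename.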
Powerful utilities like awk, sed, find, tar, env, and xargs can be abused to execute arbitrary commands even when shells are blocked. The server detects and blocks these vectors:
| Attack Vector | Example | Defense |
|---|---|---|
| awk system() / getline | `awk 'BEGIN{system("id")}'` | Dangerous pattern match |
| sed /e execute flag | `sed 's/x/id/e'` (any delimiter) | Delimiter-aware regex |
| find -exec with interpreters | `find -exec sh -c 'id' {} +` | Blocks bare and full-path interpreters |
| env launching interpreters | `env -i sh -c id` | Flag-aware pattern match |
| xargs launching interpreters | `xargs -I{} sh -c id` | Flag-aware pattern match |
| tar command execution | `tar --checkpoint-action=exec=id` | Blocks --checkpoint-action=exec, --to-command, -I, --use-compress-program |
| cp/mv to system paths | `cp evil /etc/passwd` | Blocks writes to /etc, /boot, /bin, /sbin, /usr/*bin |
| Linker variable injection | `env LD_PRELOAD=evil.so cmd` | Blocks LD_PRELOAD, LD_LIBRARY_PATH, DYLD_INSERT_LIBRARIES |
| Direct interpreter invocation | `python3 -c '...'` | Shells and scripting languages explicitly blocked |
| Command substitution | `$(id)`, `` `id` `` | Blocked by pattern |
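The table above expressed as regexes, as an added example; these are not the server's actual patterns. The rule names, the `INTERP` and `FLAG` fragments, and the extension of the find rule to `-execdir`, `-ok` and `-okdir` are this example's; everything else follows the table. Direct interpreter invocation is handled by the block list rather than by a pattern, so it has no entry. The sed rule shows what "delimiter-aware" means in practice: the delimiter is captured once and the body is matched as "anything except that delimiter", so `s|x|id|e` and `s#x#id#e` are caught the same way as `s/x/id/e`.

```python
import re
from typing import Optional

# Interpreters the README blocks, bare or with a full path (sh, /bin/sh,
# /usr/bin/python3). Constructed for this example.
INTERP = (r"(?:\S*/)?(?:(?:ba|da|z|k|c|tc|fi)?sh|python[23]?|perl|ruby|"
          r"node(?:js)?|php|lua|tclsh|wish|Rscript)")
# One flag (-i, -I{}, --max-args=1) optionally followed by its argument.
FLAG = r"-\S+(?:\s+[^-\s]\S*)?"

# Rule name -> regex, built from the README's table. The names and the exact
# expressions are this example's, not the server's pattern list.
DANGEROUS_PATTERNS = {
    "awk system()/getline":
        r"\b[gmn]?awk\b.*?\b(?:system\s*\(|getline\b)",
    # s<d>...<d>...<d>[flags]e with any single non-space delimiter <d>;
    # (?:(?!\1).)* means "anything except the delimiter". Covers only the
    # s///e flag the table names; GNU sed's standalone `e` command needs its own rule.
    "sed /e flag":
        r"\bsed\b[^|;&]*\bs(\S)(?:(?!\1).)*\1(?:(?!\1).)*\1\w*e",
    # -execdir/-ok/-okdir are included here beyond the table's -exec.
    "find -exec interpreter":
        rf"\bfind\b.*?-(?:exec|ok)(?:dir)?\s+{INTERP}\b",
    # Flag-aware: skip options and VAR=value assignments to reach the program.
    "env launching interpreter":
        rf"\benv\b(?:\s+(?:{FLAG}|\w+=\S*))*\s+{INTERP}\b",
    "xargs launching interpreter":
        rf"\bxargs\b(?:\s+{FLAG})*\s+{INTERP}\b",
    "tar command execution":
        r"\btar\b.*?(?:--checkpoint-action[= ]exec|--to-command|"
        r"--use-compress-program|\s-I\s)",
    # The path must end at a component boundary so /etcetera is not caught.
    "cp/mv to system path":
        r"\b(?:cp|mv)\b.*\s/(?:etc|boot|bin|sbin|usr/(?:local/)?s?bin)(?:/|\s|$)",
    "linker variable injection":
        r"\b(?:LD_PRELOAD|LD_LIBRARY_PATH|DYLD_INSERT_LIBRARIES)=",
    "command substitution":
        r"\$\(|`",
}
# Direct interpreter invocation (python3 -c ...) is handled by the block
# list, not by a pattern, so it has no entry here.

COMPILED = {name: re.compile(p) for name, p in DANGEROUS_PATTERNS.items()}

def first_match(command: str) -> Optional[str]:
    """Name of the first rule that fires on the full command string, or None."""
    for name, rx in COMPILED.items():
        if rx.search(command):
            return name
    return None
```

These rules err toward false positives (`tar -I zstd` is refused even though zstd is harmless), which is the right direction for a pre-execution filter: a rejected benign command costs a retry, a missed malicious one costs the host.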
All shells and scripting interpreters are explicitly blocked, not just absent from the allow lists:
- Shells: `bash`, `sh`, `zsh`, `ksh`, `csh`, `fish`
- Scripting languages: `python`, `python2`, `python3`, `perl`, `ruby`, `node`, `nodejs`, `lua`, `php`, `tclsh`, `wish`, `Rscript`
- Privilege escalation: `sudo`, `su`
- Dangerous utilities: `dd`, `mkfs`, `mount`, `umount`, `nc`, `telnet`, `nmap`
- Execution primitives: `eval`, `exec`, `source`, `.`
- PTY tools: `screen`, `tmux`, `expect`, `script`
Add regex patterns to `dangerous_patterns` in your config to block additional vectors:

```json
{
  "commands": {
    "dangerous_patterns": [
      "your-custom-pattern-here"
    ]
  }
}
```

Patterns are matched against the full command string with `re.search()` before any other validation stage.
If you discover a security vulnerability, please open an issue on GitHub.