[Repo Assist] fix(security): block dangerous stem+wildcard allow patterns in execApprovals.set #255
Merged
shanselman merged 1 commit into master from May 1, 2026
…provals.set
ValidateExecApprovalRules previously checked for dangerous fragments that end
with a trailing space (e.g. "rm ") but missed the case where the wildcard
character replaces the space — e.g. "rm*" passes the "rm " fragment check yet
matches "rm -rf /" via the ^rm.*$ regex, effectively bypassing the intended
block.
Fix: for each dangerous fragment that has trailing whitespace, also reject
patterns containing the trimmed stem followed directly by * or ?.
Before:
{ "pattern": "rm*", "action": "allow" } → accepted, allows "rm -rf /"
{ "pattern": "del*", "action": "allow" } → accepted, allows "del /s /q C:\\"
After:
{ "pattern": "rm*", "action": "allow" } → rejected ("Dangerous allow rule…")
{ "pattern": "del*", "action": "allow" } → rejected
Adds 7 InlineData regression tests covering: rm*, rm?, del*, del?,
remove-item*, shutdown*, net*.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
🤖 This PR was created by Repo Assist, an automated AI assistant.
Summary
ValidateExecApprovalRules checked for dangerous command fragments ending in trailing space (e.g. "rm ", "del ", "net ") but missed the case where the wildcard character replaces the space. A pattern like "rm*" passes the "rm " contains-check yet generates the regex ^rm.*$, which matches rm -rf /, effectively bypassing the intended block.
Root Cause
A remote AI agent could call system.execApprovals.set with {"pattern":"rm*","action":"allow"}, pass validation, and then run rm -rf / without further approval prompts.
Fix
For each dangerous fragment that ends with whitespace, the fix also rejects patterns containing the trimmed stem immediately followed by * or ?:
Relationship to PR #247
PR #247 blocks all-wildcard patterns ("*", "**", "??"). This PR is complementary — it closes the gap for dangerous-stem + wildcard patterns. Both should be merged together.
Trade-offs
"netcat*" is now rejected because it contains "net*" (stem of "net "). This is intentionally conservative — the security policy validation is the right place to err on the side of caution, and netcat can always be added as an explicit allow pattern by a human administrator.
SetRules() or on-disk policy loading — only the remote system.execApprovals.set command path is affected.
Test Status
✅ New 7-case [Theory] test: ExecApprovalsSet_RejectsDangerousStemPlusWildcardAllowRule
Patterns covered: rm*, rm?, del*, del?, remove-item*, shutdown*, net*
✅ Full OpenClaw.Shared.Tests — all pass
✅ Full OpenClaw.Tray.Tests — all pass
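The gap and the fix described in this PR, as an added C# example that is not OpenClaw's code. The fragment list, the method names, the sample commands and the case-insensitive comparison are assumptions made for illustration, and the wildcard-to-regex conversion is inferred from the ^rm.*$ regex the description mentions.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added illustration; not OpenClaw's ValidateExecApprovalRules.
static class AllowPatternDemo
{
    // Constructed list, built from fragments and stems named in the PR text.
    static readonly string[] DangerousFragments =
        { "rm ", "del ", "net ", "remove-item ", "shutdown " };

    // Assumed glob-to-regex conversion: "rm*" becomes ^rm.*$ as the PR describes.
    static Regex ToRegex(string pattern) => new Regex(
        "^" + Regex.Escape(pattern).Replace("\\*", ".*").Replace("\\?", ".") + "$",
        RegexOptions.IgnoreCase);

    // Pre-fix behaviour: only the literal fragment, trailing space included.
    static bool RejectedBefore(string pattern) => DangerousFragments.Any(
        f => pattern.Contains(f, StringComparison.OrdinalIgnoreCase));

    // Post-fix behaviour: also reject the trimmed stem directly followed by * or ?.
    static bool RejectedAfter(string pattern)
    {
        if (RejectedBefore(pattern)) return true;
        foreach (var fragment in DangerousFragments)
        {
            var stem = fragment.TrimEnd();
            if (stem.Length == fragment.Length) continue; // no trailing whitespace
            if (pattern.Contains(stem + "*", StringComparison.OrdinalIgnoreCase) ||
                pattern.Contains(stem + "?", StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
    static string Verdict(bool rejected) => rejected ? "rejected" : "accepted";

    static void Main()
    {
        var cases = new[] // constructed (allow pattern, command) pairs
        {
            ("rm*", "rm -rf /"), ("del*", @"del /s /q C:\"),
            ("rm -rf*", "rm -rf /"), ("git status*", "git status -s"),
        };
        foreach (var (pattern, command) in cases)
            Console.WriteLine($"{pattern,-12} matches '{command}': " +
                $"{ToRegex(pattern).IsMatch(command)}; before: " +
                $"{Verdict(RejectedBefore(pattern))}, after: {Verdict(RejectedAfter(pattern))}");
    }
}
```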