harden sandbox escape vectors for bash disabled/restricted modes (#257)

* harden sandbox escape vectors for bash disabled/restricted modes

block git config injection (-c flag as subcommand), dangerous subcommands
(config, submodule, rebase, bisect), code-executing arg flags (--exec,
--extcmd), .gitattributes/.gitmodules writes, and package lifecycle scripts.
add retry logic to test runner for transient failures. add security unit
tests and adhoc attack tests.

Co-authored-by: Cursor <cursoragent@cursor.com>

* only filter subcommands in nobash, remove nobash from ui

* use regex matching

* iterate on tests

* simplify githooks

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
David Blass
2026-02-11 02:02:41 +00:00
committed by pullfrog[bot]
parent f37d02b292
commit bc28c658f2
32 changed files with 2515 additions and 1048 deletions
+16 -2
View File
@@ -28,7 +28,8 @@ jobs:
fail-fast: false
matrix:
agent: [claude, codex, cursor, gemini, opencode]
test: [file-read-write, mcpmerge, no-native-file, nobash, restricted, smoke]
test:
[file-read-write, mcpmerge, no-native-file, nobash, restricted, smoke]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -56,7 +57,20 @@ jobs:
strategy:
fail-fast: false
matrix:
test: [file-traversal, git-permissions, githooks, proc-sandbox, push-disabled, push-enabled, push-restricted, symlink-traversal, timeout, token-exfil]
test:
[
file-traversal,
git-permissions,
githooks,
pkg-json-scripts,
proc-sandbox,
push-disabled,
push-enabled,
push-restricted,
symlink-traversal,
timeout,
token-exfil,
]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}