harden sandbox escape vectors for bash disabled/restricted modes (#257)

* harden sandbox escape vectors for bash disabled/restricted modes

block git config injection (-c flag as subcommand), dangerous subcommands
(config, submodule, rebase, bisect), code-executing arg flags (--exec,
--extcmd), .gitattributes/.gitmodules writes, and package lifecycle scripts.
add retry logic to test runner for transient failures. add security unit
tests and adhoc attack tests.

Co-authored-by: Cursor <cursoragent@cursor.com>

* only filter subcommands in nobash, remove nobash from ui

* use regex matching

* iterate on tests

* simplify githooks

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
David Blass
2026-02-11 02:02:41 +00:00
committed by pullfrog[bot]
parent f37d02b292
commit bc28c658f2
32 changed files with 2515 additions and 1048 deletions
+5 -4
View File
@@ -40,8 +40,9 @@ type SafeGitSubcommand = "fetch" | "push";
type GitAuthOptions = {
token: string;
cwd?: string;
// restricted bash mode: agents can write to .git/hooks/, so we disable hooks
// to prevent token exfiltration via malicious hooks reading GIT_CONFIG_PARAMETERS
// when true, disables hooks during authenticated git operations to prevent
// token exfiltration via malicious hooks reading GIT_CONFIG_PARAMETERS.
// should be true whenever bash is not "enabled" (both restricted and disabled).
restricted?: boolean;
};
@@ -124,8 +125,8 @@ export function $git(
const gitPath = verifyGitBinary();
const cwd = options.cwd ?? process.cwd();
// SECURITY: disable hooks in restricted mode to prevent token exfiltration
// agents could write malicious .git/hooks/pre-push that reads GIT_CONFIG_PARAMETERS
// SECURITY: disable hooks during authenticated operations to prevent token exfiltration.
// in restricted mode, agents can write .git/hooks/ via bash; in disabled mode, defense-in-depth.
if (options.restricted) {
const hasHooksOverride = args.some(
(arg) => arg.toLowerCase().includes("hookspath") || arg.toLowerCase().includes("hooks")