Add .claude/hooks for command auditing, dangerous command blocking, file protection, and auto-formatting; update documentation and configuration to integrate new hooks.
This commit is contained in:
olekhondera
36
.claude/hooks/bash-firewall.sh
Executable file
36
.claude/hooks/bash-firewall.sh
Executable file
@@ -0,0 +1,36 @@
|
||||
#!/bin/bash
|
||||
# Block dangerous bash commands
|
||||
# Event: PreToolUse | Matcher: Bash
|
||||
# Exit 2 = block, Exit 0 = allow
|
||||
|
||||
INPUT=$(cat)
|
||||
COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
|
||||
|
||||
if [ -z "$COMMAND" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
BLOCKED_PATTERNS=(
|
||||
'rm\s+-rf\s+/'
|
||||
'rm\s+-rf\s+\*'
|
||||
'rm\s+-rf\s+~'
|
||||
'git\s+push\s+.*--force\s+.*main'
|
||||
'git\s+push\s+.*--force\s+.*master'
|
||||
'git\s+reset\s+--hard'
|
||||
'git\s+clean\s+-fd'
|
||||
'chmod\s+-R\s+777'
|
||||
'mkfs\.'
|
||||
'>\s*/dev/sd'
|
||||
'dd\s+if=.*/dev/'
|
||||
':(){:|:&};:'
|
||||
)
|
||||
|
||||
for pattern in "${BLOCKED_PATTERNS[@]}"; do
|
||||
if echo "$COMMAND" | grep -qE "$pattern"; then
|
||||
echo "Blocked: dangerous command detected — matches pattern '$pattern'" >&2
|
||||
echo "Command was: $COMMAND" >&2
|
||||
exit 2
|
||||
fi
|
||||
done
|
||||
|
||||
exit 0
|
||||
Reference in New Issue
Block a user