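#!/bin/bash
# Block dangerous bash commands
# Event: PreToolUse | Matcher: Bash
# Exit 2 = block, Exit 0 = allow
#
# Reads the hook payload (JSON) on stdin, extracts .tool_input.command and
# refuses the tool call (exit 2, reason on stderr) when the command matches
# one of BLOCKED_PATTERNS. An empty/missing command is allowed (exit 0).
#
# Fail-closed policy: if jq is missing, the payload is not valid JSON, or a
# pattern fails to compile, the command is blocked rather than let through.
# Only exit code 2 is documented as "block", so nothing here may die with
# another status by accident — that is why `set -e` is deliberately NOT used.
#
# NOTE(security): this is a best-effort deny-list, not a security boundary.
# Anything the regexes do not literally see — the same command wrapped in
# `bash -c`, `eval`, a base64 string, a shell variable, an alias, or a script
# written to disk and executed afterwards — passes straight through. Run the
# tool under a sandbox / least-privilege account and treat a block here as a
# speed bump, never as the control that prevents damage.

set -uo pipefail

# Extended regular expressions (grep -E). Each entry is written as a superset
# of the rule it replaces: flag order (-rf / -fr / -r -f), long options and
# common device names are all accepted. `\s` and `\b` are GNU/BSD extensions
# that the original rules already relied on.
BLOCKED_PATTERNS=(
  # rm with a recursive flag, in any position/order, aimed at /, *, ~ or $HOME.
  # Any path starting with "/" is blocked, as before (rm -rf /tmp/x too).
  'rm\s+(-\S+\s+)*(-[a-zA-Z]*[rR][a-zA-Z]*|--recursive)\s+(-\S+\s+)*(/|\*|~|\$\{?HOME)'
  # force-push to main/master: -f or --force before or after the refspec.
  'git\s+push\b.*(\s-[a-zA-Z]*f[a-zA-Z]*\s|--force).*(main|master)'
  'git\s+push\b.*(main|master).*(\s-[a-zA-Z]*f[a-zA-Z]*(\s|$)|--force)'
  'git\s+reset\b.*--hard'
  # git clean with both -d and -f, combined (-fd, -df, -xdf ...) or separate.
  'git\s+clean\b.*\s-[a-zA-Z]*(f[a-zA-Z]*d|d[a-zA-Z]*f)'
  'git\s+clean\b.*\s-[a-zA-Z]*(d\b.*\s-[a-zA-Z]*f|f\b.*\s-[a-zA-Z]*d)'
  # world-writable recursive chmod, mode before or after -R.
  'chmod\b.*\s-[a-zA-Z]*R[a-zA-Z]*\s.*\b(0?777|a\+rwx)\b'
  'chmod\b.*\b(0?777|a\+rwx)\b.*\s-[a-zA-Z]*R\b'
  # mkfs.ext4, mkfs -t ..., mkfs on its own.
  'mkfs\b'
  # redirecting output straight onto a block device.
  '>\s*/dev/(sd|hd|vd|xvd|nvme|mmcblk|disk|loop)'
  # dd: the original "if=...dev" rule is kept for compatibility (it also
  # blocks harmless reads from /dev/zero); of=/dev/... is the destructive one.
  'dd\s+if=.*/dev/'
  'dd\b.*\sof=/dev/'
  # fork bomb, with or without the usual spaces. Bracket expressions make the
  # shell metacharacters literal in every ERE dialect; the previous spelling
  # ':(){:|:&};:' was parsed as a regex (empty group, alternation) and did
  # not match the canonical ':(){ :|:& };:'.
  ':[(][)]\s*[{]\s*:\s*[|]\s*:\s*&\s*[}]\s*;\s*:'
)
readonly BLOCKED_PATTERNS

#######################################
# Test one command against BLOCKED_PATTERNS.
# Backslash-newline continuations are joined and remaining newlines folded to
# spaces first, so a command split across lines is matched as one line.
# Arguments: $1 - the shell command text to inspect
# Outputs:   the offending pattern on stdout (on return 0 or 2)
# Returns:   0 if a pattern matched (block), 1 if none matched (allow),
#            2 if a pattern could not be compiled by grep (block, fail closed)
#######################################
is_blocked() {
  local cmd=$1
  local bs=$'\\' nl=$'\n'
  local flat=${cmd//"$bs$nl"/}
  flat=${flat//"$nl"/ }
  local pattern rc
  for pattern in "${BLOCKED_PATTERNS[@]}"; do
    # here-string instead of a pipe: no SIGPIPE/pipefail interplay with -q
    grep -qE -- "$pattern" <<<"$flat"
    rc=$?
    if (( rc == 0 )); then
      printf '%s\n' "$pattern"
      return 0
    elif (( rc != 1 )); then
      # grep exit 2 = bad pattern or I/O error; never treat as "no match"
      printf '%s\n' "$pattern"
      return 2
    fi
  done
  return 1
}

#######################################
# Hook entry point: read the payload from stdin and exit 0 (allow) or 2 (block).
#######################################
main() {
  local input cmd matched

  if ! command -v jq >/dev/null 2>&1; then
    echo "Blocked: jq is required to parse the hook payload but was not found" >&2
    exit 2
  fi

  input=$(cat)
  # jq decodes JSON escapes, so "\u0072m -rf /" is inspected as "rm -rf /".
  if ! cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // empty'); then
    echo "Blocked: hook payload is not valid JSON" >&2
    exit 2
  fi

  if [[ -z "$cmd" ]]; then
    exit 0
  fi

  matched=$(is_blocked "$cmd")
  case $? in
    0)
      echo "Blocked: dangerous command detected — matches pattern '$matched'" >&2
      printf 'Command was: %s\n' "$cmd" >&2
      exit 2
      ;;
    1)
      exit 0
      ;;
    *)
      echo "Blocked: could not evaluate pattern '$matched' — refusing to allow the command" >&2
      printf 'Command was: %s\n' "$cmd" >&2
      exit 2
      ;;
  esac
}

# Run only when executed, so the file can be sourced to unit-test is_blocked.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi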