Skip to content

feat(bench): Block destructive bench commands over SSH on production#543

Draft
regdocs wants to merge 1 commit into
developfrom
prevent-bench-commands-on-prod
Draft

feat(bench): Block destructive bench commands over SSH on production#543
regdocs wants to merge 1 commit into
developfrom
prevent-bench-commands-on-prod

Conversation

@regdocs

@regdocs regdocs commented Jun 15, 2026

Copy link
Copy Markdown
Member

Users with SSH access to a bench can run commands like bench --site X drop-site or migrate directly, desyncing the site's state with what Frappe Cloud believes it manages. The bench CLI is the natural chokepoint but is pinned and near-immutable in prod, so we can't patch it there.

Instead, install a bench wrapper on the container that refuses a blocklist of state-mutating subcommands. The wrapper resolves the real bench via command -v, moves it aside to bench.real, and takes its place — wrapping whichever bench the shell runs regardless of PATH order, idempotent across redeploys. Blocking only kicks in when common_site_config marks the bench as Frappe Cloud, so it's inert elsewhere. The blocklist is sent by Press so it can change without rebuilding the image.

This is a guardrail against accidents, not a security boundary: anyone with a shell can still call bench.real directly.

Users with SSH access to a bench can run commands like `bench --site X
drop-site` or `migrate` directly, desyncing the site's state with what
Frappe Cloud believes it manages. The bench CLI is the natural chokepoint
but is pinned and near-immutable in prod, so we can't patch it there.

Instead, install a `bench` wrapper on the container that refuses a
blocklist of state-mutating subcommands. The wrapper resolves the real
bench via `command -v`, moves it aside to `bench.real`, and takes its
place — wrapping whichever bench the shell runs regardless of PATH order,
idempotent across redeploys. Blocking only kicks in when common_site_config
marks the bench as Frappe Cloud, so it's inert elsewhere. The blocklist is
sent by Press so it can change without rebuilding the image.

This is a guardrail against accidents, not a security boundary: anyone
with a shell can still call bench.real directly.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant