
Commit 74eb3ef

author
MKAbuMattar
committed
feat: enhance dangerous command patterns for improved safety checks
1 parent f3faccc commit 74eb3ef

1 file changed

Lines changed: 18 additions & 5 deletions


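--- a/src/core/exec/executor.ts
+++ b/src/core/exec/executor.ts
@@ -407,21 +407,25 @@ export function isPotentiallyDangerousCommand(command: string): boolean {
 /\bshred\b/, // secure file deletion
 /\b:(){:|&};:\b/, // fork bomb
 /\bchmod\s+-R\s+(777|775)\b/, // overly permissive
+/\bchmod\s+777\b/, // any chmod 777
 /\bchown\s+-R\s+root\b/, // ownership takeover
 /\bchown\s+-R\s+\S+\s+\/\b/, // chown -R on the root directory
+/\bchown\s+-R\b.*\/home\/\S+/, // recursive home ownership change
 /\bmount\s+.*\/dev\//, // mounting raw devices
 /\bumount\s+.*\/dev\//, // unmount devices
 /\b>\s*(\/etc|\/var|\/usr)\//, // destructive redirection to system directories
 /\bwget\s+.*\s+\|\s*(bash|sh|zsh|ksh)\b/, // pipe remote script
 /\bcurl\s+.*\s+\|\s*(bash|sh|zsh|ksh)\b/, // pipe remote script
 /\bsudo\s+.*(rm|dd|mkfs|shutdown|reboot|halt|poweroff)\b/, // sudo with critical commands
+/\bsudo\s+-l/, // sudo list (checking for permissions)
 /\bshutdown\b/, // shutdown system
 /\breboot\b/, // reboot system
 /\bhalt\b/, // halt system
 /\bpoweroff\b/, // power off
 /\bfind\s+.*-delete\b/, // find with -delete action
 /\bkillall\b/, // kill all processes
 /\bkill\s+-9/, // forcefully kill processes
+/\bkill\s+-CONT\b/, // resuming stopped processes forcefully
 /\bnetcat\b|\bnc\b/, // netcat tool
 /\bdpkg\s+--purge\b/, // dpkg with purge flag
 /\bapt-get\s+purge\b/, // apt with purge
@@ -441,9 +445,12 @@ export function isPotentiallyDangerousCommand(command: string): boolean {
 /\bnmap\b/, // network scanning tool
 /\bwireshark\b/, // packet sniffer
 /\biwconfig\b|\bifconfig\b/, // network configuration commands
+/\bip\s+route\s+del/, // delete network route
 /\bsystemctl\s+stop\b/, // stopping system services
 /\bsystemctl\s+disable\b/, // disabling system services
 /\bsystemctl\s+reboot\b/, // reboot using systemctl
+/\bservice\s+.*stop\b/, // stop services
+/\bservice\s+.*restart\b/, // restart services
 /\brsync\s+.*--delete-after\b/, // rsync with destructive flags
 /\brmdir\s+-p\s+\//, // recursive directory removal from root
 /\bsetcap\b/, // set file capabilities
@@ -460,12 +467,11 @@ export function isPotentiallyDangerousCommand(command: string): boolean {
 /\bdd\s+if=\/dev\/zero\b/, // zero out disk
 /\bmktemp\b.*-d\b/, // temporary directory overwrite
 /\blsof\b.*\/dev\//, // listing open devices
-/\bkill\s+-CONT\b/, // resuming stopped processes forcefully
-/\bchmod\s+777\b/, // any chmod 777
-/\bchown\s+-R\b.*\/home\/\S+/, // recursive home ownership change
-/\bservice\s+.*stop\b/, // stop services
-/\bservice\s+.*restart\b/, // restart services
 /\bexport\s+PATH=.*\/bin\b/, // overwrite path to binaries
+/\btcpdump\b/, // packet sniffer
+/\btshark\b/, // another packet sniffer
+/\bifdown\b|\bifup\b/, // bring network interfaces up or down
+/\bcat\s+\/etc\/passwd/, // read passwd file
 
 // ===== Windows PowerShell / CMD =====
 /\bstop-process\b/i, // stop processes
@@ -508,6 +514,7 @@ export function isPotentiallyDangerousCommand(command: string): boolean {
 /\bNew-NetFirewallRule\b/i, // Create new firewall rules
 /\bRemove-NetFirewallRule\b/i, // Remove firewall rules
 /\bStop-Service\b/i, // Stop a service
+/\bStart-Service\b/i, // Start a service
 /\bRemove-Service\b/i, // Remove a service
 /\bSet-Service\b/i, // Change service properties
 /\bGet-CimInstance\s+Win32_Service\s*\|\s*Invoke-CimMethod\s+-MethodName\s+StopService\b/i, // Stop service using CIM
@@ -536,6 +543,12 @@ export function isPotentiallyDangerousCommand(command: string): boolean {
 /\bRemove-WindowsFeature\b/i, // removing features
 /\bRemove-WindowsCapability\b/i, // dangerous capability removal
 /\bClear-Host\b/i, // could hide terminal evidence
+/\bSet-ItemProperty\b.*Run/, // add to startup
+/\bGet-WmiObject\s+-Class\s+Win32_StartupCommand\b/i, // get startup commands
+/\bInvoke-WebRequest\b/i, // web request (could be used for C2)
+/\b(wget|curl|iwr)\s+.*\.(exe|ps1|bat|vbs)/i, // download and execute
+/\b$env:APPDATA/i, // reference to user's appdata
+/\bGet-WmiObject\s+Win32_ComputerSystem\b.*-InvokeMethod\b/i, // WMI system control
 ];
 
 return dangerousPatterns.some((pattern) => pattern.test(command));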
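Review bot: `/\b$env:APPDATA/i` in the last hunk can never match: the unescaped `$` is an end-of-input anchor, so the engine requires the input to end before the literal `env:APPDATA`, and the `\b` placed before a non-word `$` also fails whenever `$` starts the command or follows a space; the intended pattern is `/\$env:APPDATA/i`. In the same hunk `/\bSet-ItemProperty\b.*Run/` is the only PowerShell entry without the `i` flag, so a differently-cased cmdlet name is not caught; add the flag: `/\bSet-ItemProperty\b.*Run/i`. `-InvokeMethod` in the `Get-WmiObject ... Win32_ComputerSystem` entry does not appear to be a Get-WmiObject parameter (method calls normally go through Invoke-WmiMethod), so that pattern may also be dead — worth confirming against a real command line. Because `dangerousPatterns` is a denylist evaluated with `some()`, a dead or case-sensitive entry silently widens what passes as safe, so a unit test asserting that each new pattern matches its own comment's example command would catch this class of mistake. isPotentiallyDangerousCommand begins before the first hunk; only the array's tail and the return are visible in the last one.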
