PinndZddlmZddlmZmZddlmZddlm Z ddl m Z m Z ddl mZmZddlmZmZmZdd lmZmZehd ZeGd d Zd dd2dZd dd3dZd dd3dZd dd4dZd dd5dZd6d!Zd7d"Z d8d$Z!d9d&Z"d dd4d'Z#d dd4d(Z$d dd:d*Z%d;d,Z&dz Centralized AST analyzer for Dippy. Single recursive walk of bash AST with consistent decision-making. Unknown constructs default to ask. Decisions bubble up (deny > ask > allow). ) annotations) dataclassfield)Path)Literal)Configmatch_redirect) SIMPLE_SAFEWRAPPER_COMMANDS) get_handlerget_descriptionHandlerContext)parse ParseError> /dev/null /dev/stdin /dev/stdout-cReZdZUdZded<ded<eeZded<d d Zd S) Decisionz Result of analyzing an AST node.zLiteral['allow', 'ask', 'deny']actionstrreason)default_factoryzlist['Decision']childrenreturnc(d|jd|jdS)Nz Decision(, )rr)selfs 4/root/projects/gits/Dippy/src/dippy/core/analyzer.py__repr__zDecision.__repr__ s<4;<zanalyze..@s*SSSTtVS@@@SSSr$)striprrrmessage_combine)r/r0r1r.nodese decisionss ``` r"analyzerC$s mmooG 0///<g <<<:qy::;;;;;;;;< 0///SSSSSSUSSSI I  s; A'A"A'"A'c `t|dd}|dkrt|S|dkrbfd|jD}t|}|jdkr1d|D}t dd || S|S|d krd |jD}|r)s't|d } | rt| fd|D}t|}|jdkr1d|D}t dd || S|S|dkrt|j g}| t|j t|dr2|jr+| t|j|t#|t|S|dvret|j t|jg}|t#|t|S|dkrt|jg}t|dgD](} |t'| )|t#|t|S|dkrt|jg}|j|j|jfD]*} | r&|t/| +|t#|t|S|dkrt|jg}t|dgD](} |t'| )|t#|t|S|dkrg}t|dr2|jr+|t'|j|jD]D} t| dr2| jr+| t| jE|t#||rt|nt ddS|dkrt|jS|dkrNt|jg}|t#|t|S|dkrNt|jg}|t#|t|S|dkrt|jS|dkrt|jS|d krt|jS|d!krg}t|dr2|jr+|t9|j|t#||rt|nt dd"S|d#krg}t;|jD]n} t| j}|jdkr4| t |jd$|j|g Y| |o|t#||rt|nt dd%S|d&krt dd&S|d'krt dd'St d(d)|S)*z&Recursively analyze a single AST node.kindNr/r-pipelinec6g|]}t|Sr7r8)r:cmdr0r1r.s r"r<z!_analyze_node..Ms7   ?BM#vs6 : : :   r$allowcg|] }|j Sr,rr:ds r"r<z!_analyze_node..R333Aqx333r$rrr+c<g|]}t|dddk|S)rENoperator)getattr)r:ps r"r<z!_analyze_node..Xs.QQQq'!VT*B*Bj*P*P*P*P*Pr$rc6g|]}t|Sr7r8)r:rSr0 effective_cwdr.s r"r<z!_analyze_node.._s7   GHM!V]6 B B B   r$cg|] }|j Sr,rKrLs r"r<z!_analyze_node..drNr$if else_body)whileuntilforwordsz for-arithselectcasewordbodyz empty casefunctionsubshellz brace-grouptimenegationcoprocz cond-expr conditionalz arith-cmdzarithmetic cmdsub: arithmeticcommentemptyr4zunrecognized construct: ) rR_analyze_commandcommandsr?rrjoinparts_extract_cd_target_resolve_cd_targetr9 conditionappend then_bodyhasattrrXextend_analyze_redirectsr`_analyze_word_partsinitcondincr_analyze_string_cmdsubsr_patternsrFr/_analyze_cond_node_find_cmdsubs_in_arith expressionr)r;r0r1r.rErBresultreasonsrm cd_targetr_exprpatterncmdsubinner_decisionrUs ``` @r"r9r9Ds 4 & &D yfc&AAAA         FJm   )$$ =G # #33333GGTYYw%7%7)LLL L QQDJQQQ  C C*5844I C 29c B B       LQ   )$$ =G # #33333GGTYYw%7%7)LLL L "4>63vNNNO t~vs6RRRSSS 4 % % X$. X   ]4>63vVVV W W W+D&#fMMMNNN """ # # # $.&#f E E E $)VS @ @ @  +D&#fMMMNNN """ "49fc&IIIJ D'2.. T TD   0vs6RRR S S S S+D&#fMMMNNN """   "49fc&IIIJ Y 495  D   +D&#fMMM +D&#fMMMNNN """   "49fc&IIIJ D'2.. T TD   0vs6RRR S S S S+D&#fMMMNNN """  4  YTY Y   0FCPVWWW X X X}  Gw'' GL   !',FKKK +D&#fMMMNNN&/Tx """Xg|5T5TT   TYFCCCC   "49fc&IIIJ +D&#fMMMNNN """   "49fc&IIIJ +D&#fMMMNNN """ T]FCGGGG   T]FCGGGG   T\63vFFFF    4  XTY X   / 63vVVV W W W+D&#fMMMNNN&/Ux """Xg}5U5UU    ,T_== 1 1F*6>63vVVVN$//  &-En.CEE"0!1  0000+D&#fMMMNNN&/Tx """Xg|5T5TT   +++ )))@$@@AAAr$c g}d|jD}d}|t|krbd||vrX||ds=|dz }|t|kr%d||vr||d=|t|kr||nd}t|du}|tv} t |jD]j\} } t | dg} t | d d} t| dkoDt | dd dd ko)| d o| d }| D]}t |d d}|dkrqt|j |||}|j dkr8t |dd}t|j d|d|j |gccS| ||d krt|j |||}|j dkr$t|j d|j |gccS| ||r|r| s| |kr}t|}|t||d}|j dkr9t!| d}tdd|ccSx|dkrht |dd}|rUt%|t&r@t)||||}|D]}|j dkr|cccS||lt-||||}|D]}|j dkr|cS|||stddS|dvr2| tddt/|St1||||}| |t/|S)zAnalyze a simple command node.c,g|]}t|Sr,)_get_word_value)r:ws r"r<z$_analyze_command..s 4 4 4A_Q   4 4 4r$r=rNrmvaluerEr$(rprocsubr-rI direction?zprocess substitution (...): rOzcommand substitution: z$()r4zcmdsub injection risk: paramargr5)[testzconditional test)r\len startswithr r enumeraterRendswithr9r/rrrrqclassifyrrr= isinstancerrzrtrur?_analyze_simple_command)r;r0r1r.rBr\base_idxbase has_handleris_simple_safepositionr_rm word_valueis_pure_cmdsubpart part_kindrrhandler outer_result inner_cmdrparam_decisionspdredirect_decisionsrd cmd_decisions r"rjrjs I 5 4 4 4 4EH3u:: 5? " "h**3// # A  3u:: 5? " "h**3// #'U335??Dd##4/K[(N$DJ//9696$gr**T7B//  JJ!O )a&$//8; )%%d++ )##C(( . 6. 6Dfd33II%%!.t|VSQW!X!X!X!(G33 'k3 ? ?I#&-Y YY.BWYY"0!1   0000h&&!.t|VSQW!X!X!X!(G33#&-H1FHH"0!1   000# V# V+ V!8++)$//G#*#3#3N5CS4T4T#U#UL#*g55$3D$9$9$?$?$F$F '/T/T/TUUUUUUUg%%dE4006:c3//6&=VS'''O.&&9//#%IIIIIII0$$_555]. 6b,D&#fMMM  9  III  '((( 2111 }'+=>>??? """*5&#fMMML \""" I  r$list[Decision]c g}t|ddpg}|D]}t|dd}|dkrKt|dds9t|dd}|r&|t|||| et|d d} |jrt |jnd} |jr-t |j||| } || |r| t vs| d r| d vrt| ||} | r| j d kr(| td d| 3| j dkr9| j p| j } | tdd| d| w| j p| j } | tdd| d| | tdd| |S)zAnalyze redirects on a node. redirectsNrEheredocquotedTcontentrr-op&)>z>>z&>z&>>z2>z2>>rIz redirect to deny: r4)rRrtrztargetrrvSAFE_REDIRECT_TARGETSrr decisionrqrr>r)r;r0r1r.rBrrr_kindrrrtarget_cmdsub_decisionsredirect_matchmsgs r"ruruHslIk4006BI ,K,KFD)) Y  1h-- !!Y33$$/VTTT  Qb ! !./h>***B 8 6&9&#f''' #   4 5 5 5    * * *f.?.?.D.D *  6 6 6+FFC@@N K!*g55$$Xg7Nf7N7N%O%OPPPP#,66(0JN4JC$$Xf6TV6T6Ts6T6T%U%UVVVV(0JN4JC$$Xe5SF5S5Sc5S5S%T%TUUUU  %1H1H1H!I!IJJJ r$r\ list[str]c.|stddSd}|t|krbd||vrX||ds=|dz }|t|kr%d||vr||d=|t|krtddS||}||d}dd lm}m}|| } || ||| } | rw| jdkrtd|d | jd S| jdkr#| jp| j} td|d| S| jp| j} td|d| S|tvrt|dkr|dkr-t|dkr|ddvrtddSd} | t|krw|| } | s(| dd r| dz } ]| dr | dkr| dz } ~| dkr| dz } | t|krt|| d||| Std|S|tvrtd|St|rtd|dSt|}|r7|t#|}|jpt'||}|jr|s|jD]}|t*vr t-|||}|ra|jdkr%|jp|j} td|d| cS|jdkr%|jp|j} td|d| cStd|cS|jdkrtd|S|jdkr&|jrt3|j|||j }|Std|Stdt'||S)z)Analyze a simple command (list of words).rIrirrrrzenv assignmentN) SimpleCommand match_command)r\r-z (rrrr4r/)z-vz-Vz command -v.rz--z --helpdelegate)rrrdippy.core.configrrrrr>r isdigitreplacerr _is_version_or_helpr rr descriptionr redirect_targetsrr r inner_commandrCr.)r\r0r1r.irtokensrrrH config_matchrjtokenrrdescrrrs r"rrs *))) A c%jj..SE!H__U1X5H5H5M5M_ Q c%jj..SE!H__U1X5H5H5M5M_ CJJ!1222 8D 122YF?>>>>>>> -e $ $ $C =fc&AAAL5  G + +G%G%G 0D%G%G%GHH H  "f , ,&>,*>CFt$4$4s$4$455 5&>,*>CEd#3#3c#3#344 4 CKK!OO 9  VqVAY,5N5NG\22 2 #f++oo1IE}} %--R"8"8"@"@"B"B Q$$ $Q}}Q  s6{{??*6!"":vs6RRR Rt$$$ {&&&6""3D!1!1!1222$G)!!."8"899!B_VT%B%B  " 16 1 1 1 1222!/!D!D! 1%.&88,4N8N'40@0@30@0@AAAAA'0E99,4N8N'$/?/?#/?/?@@@@@: $E400000 =G # #GT** * ]j ( (V-A ($$fc&-N" !E4(( ( E?6488 9 99r$rct|dkrdSt|dkr |ddvrdSt|dkr |ddvrdS|ddvrt|d krdSdS) z)Check if command is a version/help check.Fr)helpversionT)z --version--help-h)rrr)rs r"rrs 6{{Qu 6{{aF1I)<<<t 6{{aF1I)FFFt bz%%%#f++*:*:t 5r$ct|tr|}nt|dt|}t|S)z>Extract string value from a word node, stripping outer quotes.r)rrrR _strip_quotes)r_rs r"rrs@$2gs4yy11   r$rct|dkr:|ddkr |ddks|ddkr|ddkr |ddS|S)z&Strip surrounding quotes from a value.rr"r'rr)rs r"rrsZ 5zzQ !HOOb S 0 0 !HOOb S 0 02;  Lr$r+cg}||St|dd}|dkr|||SdD]7}t||d}|"|t|8|S)zGRecursively find command substitutions in an arithmetic expression AST.NrEr)rrleftrightoperandindexr~)rRrqrtr})r;resultsrEattrchilds r"r}r} sG | 4 & &D xtV::dD))   NN1%88 9 9 9 Nr$c`|gSt|dd}|dkrt|j|||S|dkrZg}|t|j||||t|j||||S|dvrZg}|t |j||||t |j||||S|dkrt |j|||S|dkrt |j|||SgS) z>Recursively analyze a conditional expression node for cmdsubs.NrEz unary-testr-z binary-test)zcond-andzcond-orzcond-notz cond-paren)rRrvrrtrrr|inner)r;r0r1r.rErBs r"r|r|s] | 4 & &D |"4<VLLLL    ,TYFSSSTTT,TZVTTTUUU ( ( ( +DIvs6RRRSSS+DJFSSSTTT   !$,FKKKK   !$*fc&IIII Ir$c g}t|dg}|D]c}t|dd}|dkrmt|j|||}|jdkr4|t |jd|j|gq|||d krt|j|||}|jdkrHt|d d } |t |jd | d |j|g|||dkrNt|dd} | r;t| tr&| t| |||e|S)zLAnalyze word parts for command/process substitutions, including nested ones.rmrENrr-rIcmdsub: rOrrrzprocsub rrr) rRr9r/rrqrrrrrtrz) r_r0r1r.rBrmrrrrrs r"rvrv:sI D'2 & &E""D&$//  *4<VTTTN$//  &-:>#8::"0!1  0000 ) # #*4<VTTTN$//#D+s;;   &-L9LL^5JLL"0!1  0000 ' ! !$t,,C z#s++   +CVLLL r$scDg}d}|t|kr|||dzdkrd}|dz}|}|t|krW|dkrQ|||dzdkr |dz }|dz }n||dkr |dz}|dz }n|dz }|t|kr|dkQ|dkrw|||dz } t| |||} | jdkr4|t | jd| j| g n|| |}n|dz }n||d kr|dz}|t|kr0||d kr$|dz }|t|kr ||d k$|t|krz||dz|} t| |||} | jdkr4|t | jd| j| g n|| |dz}n |dz }n|dz }|t|k|S) z~'<>>&4%5$$^444Q qTS[[AAc!ff**1Qc!ff**13q66zza!eaiL !(FC!O!O!O!(G33$$ *1>~'<>>&4%5$$^444EQ FAo c!ff**p r$ str | NonecJt|dddkrdSt|dg}t|dkrdSt|d}|dkrdS|d}t|d dr"|jD]}t|dd}|d vrdSt|S) zMExtract target path from a `cd ` command, or None if not applicable.rENr/r\rrcdrrm)rrr)rRrrrm)r;r\r target_wordrrs r"rnrnstVT""i//t D'2 & &E 5zzQt 58 $ $D t||t(K{GT**%  Dfd33I:::tt; ; ' ''r$rc|dr(tj}|dkr|S||ddz S|drt|S||z S)z-Resolve a cd target path to an absolute Path.~rN/)rrhomeresolve)rr1rs r"roros| !y{{ S==KfQRRj   F|| &L ! ! # ##r$rBcT|stddSd|D}d|D}d|D}|r%tdd||S|r%td d||Stdd||S) zNCombine multiple decisions - most restrictive wins, all reasons at that level.rIric2g|]}|jdk |jS)rr rLs r"r<z_combine..s&FFF18v3E3EAH3E3E3Er$c2g|]}|jdk |jS)r4r rLs r"r<z_combine..s&DDD!(e2C2C182C2C2Cr$c2g|]}|jdk |jS)rIr rLs r"r<z_combine..s&HHH!AH4G4GQX4G4G4Gr$rrrOr4)rrl)rB deny_reasons ask_reasons allow_reasonss r"r?r?s *)))GFiFFFLDDYDDDKHHyHHHMM , 7 7)LLLLKtyy55 JJJJ GTYY}55 J J JJr$N) r/rr0rr1rr.r2rr)r0rr1rr.r2rr)r0rr1rr.r2rr) r\rr0rr1rr.r2rr)rrrr2r%)rrrr)rr+) rrr0rr1rr.r2rr)rr)rrr1rrr)rBrrr))r) __future__r dataclassesrrpathlibrtypingrrrr dippy.core.allowlistsr r dippy.clir r rdippy.vendor.parablerr frozensetrrrCr9rjrurrrrr}r|rvrzrnror?r,r$r"r s#"""""((((((((44444444????????BBBBBBBBBB22222222" "Q"Q"QRR  = = = = = = =  =@E@FK[B[B[B[B[B[B~8=ccccccN8=555555rDIc:c:c:c:c:c:L"    $8=@8=))))))Z:?>>>>>>B((((( $ $ $ $KKKKKKr$