
Conversation

h16rkim
Contributor

@h16rkim h16rkim commented Sep 10, 2025

Summary

When using the Amazon Q Developer CLI, the LLM agent often executes readonly file-exploration commands such as:

find . -name '*.rs' -exec grep -l "ExecuteCommand" {} \;

Even with the agent config toolSettings.execute_bash.allowReadonly = true, the CLI still asks the user for permission when executing this type of command. (related documents)

Root Cause

  1. Any command using find + -exec is currently treated as a permission-required command.
  2. Commands containing the character ; are treated as dangerous and require permission for security reasons.

Changes

  1. Readonly find -exec handling
  • Modified logic so that when using find + -exec, if the command following -exec is readonly, no permission prompt is required.
  • This also works correctly when multiple -exec clauses are present.
  2. Semicolon (;) handling
  • Updated logic so that ; is only considered dangerous when it appears in the middle of a command.
  • If ; only appears at the end, it is no longer treated as a dangerous command.

Related Issue

#1917

Review Notes

  • Please review whether this change introduces any potential security concerns.
  • The intent is to reduce unnecessary permission prompts while preserving security guarantees.

…ions

- Refined behavior to allow readonly `-exec` or `-execdir` commands by checking against `READONLY_COMMANDS`.
- Introduced additional test cases to confirm expected handling of readonly vs. mutable operations.
- Adjusted existing test formatting for consistency.
- Introduced `DANGEROUS_MID_PATTERNS` to identify unsafe patterns when they appear mid-argument.
- Added logic to detect and handle these cases, ensuring stricter command validation.
- Updated logic to handle multiple `-exec` arguments, requiring confirmation if any are non-readonly.
- Adjusted return behavior to reflect accurate validation outcomes.
- Added test cases for mixed and readonly `-exec` scenarios.
@h16rkim h16rkim changed the title feat: Allow readonly find -exec readonly commands without permission prompt feat: Allow readonly find -exec commands without permission prompt Sep 10, 2025
…le` helper

- Unified logic for detecting dangerous patterns into a single function, reducing code complexity.
- Simplified safety checks by removing redundant mid-pattern logic.
- Added comprehensive test cases to validate `contains_in_middle` functionality.
@h16rkim h16rkim force-pushed the fix/execute-bash-readonly branch from a77ac45 to 78f98b4 Compare September 11, 2025 00:06
.iter()
.any(|arg| DANGEROUS_PATTERNS.iter().any(|p| arg.contains(p)))
.any(|p| contains_but_not_ends_with(&self.command, p))
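Review bot: the new predicate on this line is only safe if `contains_but_not_ends_with` rejects every interior occurrence of the pattern, not merely commands that happen to end with it. Read literally, the name suggests `s.contains(p) && !s.ends_with(p)`, under which `ls; rm -rf build;` passes because the string also ends with `;`, and trailing whitespace (`ls; rm -rf build; `) would be a second way to dodge an `ends_with` test. Trim trailing whitespace and at most one trailing occurrence first, then test the remainder with `contains`, and add both inputs as negative test cases. The switch from the per-argument `arg.contains(p)` loop to a check on the whole `self.command` string also changes what `;` inside an argument means, so a case with find's escaped `\;` terminator belongs in the tests as well.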
Contributor Author

@h16rkim h16rkim Sep 11, 2025


If a DANGEROUS_PATTERNS entry only appears at the end, the command is no longer treated as dangerous, because these patterns cannot appear at the end, or if they do, they are not dangerous (e.g., `;`).

…_ends_with`

- Improved function to better reflect its purpose of excluding patterns at the end of a string.
- Adjusted logic to simplify checks and enhance clarity.
- Updated test cases to align with renamed function and new scenarios.
@h16rkim h16rkim force-pushed the fix/execute-bash-readonly branch from e04bb36 to 6dc7a05 Compare September 11, 2025 00:40
}) =>
{
return true;
},
// Check -exec commands separately to allow readonly commands
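Review bot: the match arm that returns true here should also fire for find primaries that write or prompt on their own, before the -exec clauses are inspected: `-delete`, `-fprint`/`-fprintf`/`-fls` and `-ok`/`-okdir` are not `-exec` but are not readonly either, and a `find ... -delete` with no `-exec` at all must not inherit the readonly verdict. For the -exec check itself, a clause terminated by `+` rather than `\;`, or with no terminator at all, should be parsed or rejected rather than skipped, and the command word after `-exec`/`-execdir` should go through the same readonly lookup as a top-level command so that `-exec sh -c '...'` or `-exec env rm` do not pass.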
Contributor Author


  • When using find + -exec, if the command following -exec is readonly, no permission prompt is required.
  • This also works correctly when multiple -exec clauses are present.
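A token-level model of the two checks discussed in this PR (the "only a trailing `;` is harmless" rule from the `contains_but_not_ends_with` comment, and the per-clause `-exec`/`-execdir` readonly check from the comment above), added here as an illustration; it is not code from the amazon-q-developer-cli repository. The constant names READONLY_COMMANDS and DANGEROUS_PATTERNS are taken from the PR text, but their contents, the FIND_WRITE_PRIMARIES list, the whitespace tokenizer and the function names are assumptions of this example. It goes slightly beyond the PR by also refusing find primaries such as `-delete` and `-ok` and by treating a malformed `-exec` clause as a reason to prompt.

```rust
// Added illustration, not code from the amazon-q-developer-cli repository.
// READONLY_COMMANDS and DANGEROUS_PATTERNS are names used in the PR; their
// contents here, FIND_WRITE_PRIMARIES, and the helper names are assumptions.

/// Commands whose top-level invocation is treated as readonly (illustrative list).
const READONLY_COMMANDS: &[&str] = &[
    "cat", "grep", "head", "tail", "wc", "ls", "stat", "file", "find",
];

/// Shell syntax that can chain or substitute a second command.
const DANGEROUS_PATTERNS: &[&str] = &["&&", "||", "|", ";", "`", "$("];

/// find(1) primaries that write to the filesystem or prompt on their own,
/// so a find command using them is not readonly even without any -exec.
const FIND_WRITE_PRIMARIES: &[&str] = &[
    "-delete", "-fprint", "-fprint0", "-fprintf", "-fls", "-ok", "-okdir",
];

/// True when a dangerous pattern occurs anywhere except as a trailing `;` on
/// the final token. The token `\;` is find's escaped -exec terminator, which
/// the shell passes through literally, so it is not a command separator.
/// Checking every token (rather than `ends_with` on the whole string) is what
/// stops `ls; rm -rf build ;` from hiding an interior `;` behind a trailing one.
fn chains_commands(tokens: &[&str]) -> bool {
    let last = tokens.len().saturating_sub(1);
    tokens.iter().enumerate().any(|(i, tok)| {
        if *tok == "\\;" {
            return false;
        }
        let body = if i == last { tok.trim_end_matches(';') } else { *tok };
        DANGEROUS_PATTERNS.iter().any(|p| body.contains(*p))
    })
}

/// Walk every -exec/-execdir clause of a find command. Some(true) if all
/// clause commands are readonly, Some(false) if any is not, None if a clause
/// is malformed (no command, or no `\;`/`+` terminator); the caller treats
/// None as "ask the user".
fn find_exec_clauses_readonly(tokens: &[&str]) -> Option<bool> {
    let mut all_readonly = true;
    let mut i = 1;
    while i < tokens.len() {
        if tokens[i] == "-exec" || tokens[i] == "-execdir" {
            let cmd = *tokens.get(i + 1)?;
            if !READONLY_COMMANDS.contains(&cmd) {
                all_readonly = false;
            }
            // Skip to this clause's terminator; a missing one is malformed.
            let end = ((i + 2)..tokens.len()).find(|&j| tokens[j] == "\\;" || tokens[j] == "+")?;
            i = end + 1;
        } else {
            i += 1;
        }
    }
    Some(all_readonly)
}

/// Decide whether the agent must ask the user before running `command`.
/// Tokenization is a plain whitespace split (an assumption of this example).
pub fn requires_confirmation(command: &str) -> bool {
    let tokens: Vec<&str> = command.split_whitespace().collect();
    let program = match tokens.first() {
        Some(&p) => p,
        None => return true,
    };
    if chains_commands(&tokens) {
        return true;
    }
    if program == "find" {
        if tokens.iter().any(|t| FIND_WRITE_PRIMARIES.contains(t)) {
            return true;
        }
        // Any non-readonly -exec, or a malformed clause, requires confirmation.
        return !find_exec_clauses_readonly(&tokens).unwrap_or(false);
    }
    !READONLY_COMMANDS.contains(&program)
}

fn main() {
    for cmd in [
        "find . -name '*.rs' -exec grep -l \"ExecuteCommand\" {} \\;",
        "find . -exec cat {} \\; -exec rm {} \\;",
        "find . -name '*.log' -delete",
        "ls -la ;",
        "ls; rm -rf build ;",
    ] {
        println!("confirm={:<5} {}", requires_confirmation(cmd), cmd);
    }
}
```

The per-token check is the important design choice: a single `ends_with` on the joined command string would accept `ls; rm -rf build ;`, while the token walk still sees the `;` glued to `ls`. Treating `\;` as a literal is what lets a find with several `-exec ... \;` clauses pass the chaining check and reach the per-clause readonly lookup.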
