Files
goclaw/internal/tools/shell.go
T
viettranx 1ac08155b0 feat(trace): reliable stop/abort with ctx-aware streams and 2-phase router
Makes the Stop button on the traces page actually stop running traces.
Seven-phase implementation across provider HTTP, agent router, trace
persistence, WS events, tool exec, i18n, and integration tests.

- Provider HTTP+SSE ctx-aware: close socket on cancel via CtxBody wrapper
- Router 2-phase abort: CAS state machine, 3s grace, force-mark fallback
- Trace retry: 3 inline retries + 10-max retry queue, stale recovery 10min
- trace.status WS event: real-time UI updates (invalidates query on receive)
- Tool exec: process-group kill (SIGTERM→3s→SIGKILL), Rod page ctx watch
- i18n: 6 abort toast variants in en/vi/zh
- Integration: 9 scenarios, -race clean

Fixes tenant-ctx loss in forceMarkTraceAborted and retry worker broadcast
(caught by code-reviewer: C1/C2). Stale threshold intentionally 10min
because start_time-based; last_span_at migration is a follow-up.
2026-04-14 18:28:31 +07:00

472 lines
16 KiB
Go

package tools
import (
"bytes"
"context"
"errors"
"fmt"
"log/slog"
"os/exec"
"regexp"
"strings"
"time"
"github.com/nextlevelbuilder/goclaw/internal/sandbox"
"github.com/nextlevelbuilder/goclaw/internal/store"
"golang.org/x/text/unicode/norm"
)
// Dangerous command patterns organized into configurable deny groups.
// Defense-in-depth: patterns complement Docker hardening (cap-drop ALL,
// no-new-privileges, pids-limit, memory limit).
// Sources: OWASP Agentic AI Top 10, Claude Code CVE-2025-66032, MITRE ATT&CK,
// PayloadsAllTheThings, Trail of Bits prompt-injection-to-RCE research.
// Groups and patterns defined in shell_deny_groups.go.
// DefaultDenyPatterns returns all patterns from groups where Default=true.
// Backward-compatible wrapper for code that doesn't use per-agent overrides.
func DefaultDenyPatterns() []*regexp.Regexp {
return ResolveDenyPatterns(nil)
}
// ExecTool executes shell commands, optionally inside a sandbox container.
type ExecTool struct {
workspace string
timeout time.Duration
pathDenyPatterns []*regexp.Regexp // always-on path-based denials (DenyPaths)
pathDenyRoots []string // raw deny roots for nested workspace exemptions
denyExemptions []string // substrings that exempt a command from deny
restrict bool
sandboxMgr sandbox.Manager // nil = no sandbox, execute on host
approvalMgr *ExecApprovalManager // nil = no approval needed
agentID string // for approval request context
secureCLIStore store.SecureCLIStore // nil = no credentialed exec
}
// NewExecTool creates an exec tool that runs commands directly on the host.
func NewExecTool(workspace string, restrict bool) *ExecTool {
return &ExecTool{
workspace: workspace,
timeout: 60 * time.Second,
restrict: restrict,
}
}
// NewSandboxedExecTool creates an exec tool that routes commands through a sandbox container.
func NewSandboxedExecTool(workspace string, restrict bool, mgr sandbox.Manager) *ExecTool {
return &ExecTool{
workspace: workspace,
timeout: 300 * time.Second, // sandbox allows longer timeout
restrict: restrict,
sandboxMgr: mgr,
}
}
// SetSandboxKey is a no-op; sandbox key is now read from ctx (thread-safe).
func (t *ExecTool) SetSandboxKey(key string) {}
// DenyPaths adds always-on deny patterns that block commands referencing the given paths.
// These are NOT configurable via deny groups — they always apply regardless of group config.
func (t *ExecTool) DenyPaths(paths ...string) {
for _, p := range paths {
escaped := regexp.QuoteMeta(p)
t.pathDenyPatterns = append(t.pathDenyPatterns, regexp.MustCompile(escaped))
t.pathDenyRoots = append(t.pathDenyRoots, p)
}
}
// AllowPathExemptions adds path prefixes that exempt a command from deny pattern matches.
// Each shell argument is checked individually — commands like "cat .goclaw/skills-store/tool.py"
// are exempt because the argument ".goclaw/skills-store/tool.py" starts with the prefix.
func (t *ExecTool) AllowPathExemptions(prefixes ...string) {
t.denyExemptions = append(t.denyExemptions, prefixes...)
}
// normalizeCommand applies NFKC Unicode normalization and strips zero-width
// characters before deny pattern matching, preventing Unicode-based bypasses.
func normalizeCommand(s string) string {
// NFKC normalization: folds compatibility characters (e.g. fullwidth letters)
s = norm.NFKC.String(s)
// Strip zero-width characters that are invisible but can fragment tokens
s = strings.NewReplacer(
"\u200b", "", // zero-width space
"\u200c", "", // zero-width non-joiner
"\u200d", "", // zero-width joiner
"\u2060", "", // word joiner
"\ufeff", "", // BOM / zero-width no-break space
).Replace(s)
return s
}
// SetApprovalManager sets the exec approval manager for this tool.
func (t *ExecTool) SetApprovalManager(mgr *ExecApprovalManager, agentID string) {
t.approvalMgr = mgr
t.agentID = agentID
}
// SetSecureCLIStore sets the credential store for credentialed exec.
func (t *ExecTool) SetSecureCLIStore(s store.SecureCLIStore) {
t.secureCLIStore = s
}
func (t *ExecTool) Name() string { return "exec" }
func (t *ExecTool) Description() string { return "Execute a shell command and return its output" }
func (t *ExecTool) Parameters() map[string]any {
return map[string]any{
"type": "object",
"properties": map[string]any{
"command": map[string]any{
"type": "string",
"description": "The shell command to execute",
},
"working_dir": map[string]any{
"type": "string",
"description": "Working directory for the command (default: workspace root)",
},
},
"required": []string{"command"},
}
}
func (t *ExecTool) Execute(ctx context.Context, args map[string]any) *Result {
command, _ := args["command"].(string)
if command == "" {
return ErrorResult("command is required")
}
// Reject NUL bytes — they cause silent shell truncation enabling injection.
if strings.ContainsRune(command, '\x00') {
return ErrorResult("command contains invalid NUL byte")
}
// Normalize command before all deny checks: NFKC + zero-width strip prevents
// Unicode-based pattern bypass while preserving functional command content.
normalizedCommand := normalizeCommand(command)
// Resolve deny patterns: per-agent overrides from context, fallback to all defaults.
denyOverrides := store.ShellDenyGroupsFromContext(ctx)
groupPatterns := ResolveDenyPatterns(denyOverrides)
// Also resolve package_install patterns separately for approval routing.
var pkgInstallPatterns []*regexp.Regexp
if pkgGroup, ok := DenyGroupRegistry["package_install"]; ok && IsGroupDenied(denyOverrides, "package_install") {
pkgInstallPatterns = pkgGroup.Patterns
}
// Combine group-based patterns + always-on path denials.
allPatterns := make([]*regexp.Regexp, 0, len(groupPatterns)+len(t.pathDenyPatterns))
allPatterns = append(allPatterns, groupPatterns...)
allPatterns = append(allPatterns, t.pathDenyPatterns...)
exemptions := append([]string{}, t.denyExemptions...)
exemptions = append(exemptions, t.dynamicPathExemptions(ctx)...)
// Check for dangerous commands (applies to both host and sandbox).
wordFields := parseExecCommandWords(normalizedCommand)
pathBaseDir := ToolWorkspaceFromCtx(ctx)
if pathBaseDir == "" {
pathBaseDir = t.workspace
}
for _, pattern := range allPatterns {
if pattern.MatchString(normalizedCommand) {
// Check if exemption applies. Only exempt if EVERY field that
// individually matches the deny pattern is covered by an exemption.
// This prevents pipe/comment bypass: "cat /app/data/skills-store/x | cat /app/data/secret"
// — the second field matches deny but has no exemption → denied.
// Strips surrounding quotes (LLMs often quote paths) and rejects
// path traversal ("..") to prevent exemption escape.
exempt := false
trimmed := strings.TrimSpace(normalizedCommand)
fields := wordFields
if len(fields) == 0 {
fields = strings.Fields(trimmed)
}
matchingFields := 0
exemptFields := 0
for _, field := range fields {
clean := strings.TrimSpace(field)
if !pattern.MatchString(clean) {
continue // field doesn't trigger this deny pattern
}
matchingFields++
if matchesAnyPathExemption(clean, exemptions, pathBaseDir) {
exemptFields++
}
}
// Exempt only if at least one field matched AND all matched fields are exempt.
if matchingFields > 0 && exemptFields == matchingFields {
exempt = true
}
if exempt {
continue
}
// Package install commands: route through approval flow instead of hard deny.
// This lets agents "request permission" from admin to install packages.
if t.approvalMgr != nil && matchesAny(normalizedCommand, pkgInstallPatterns) {
slog.Info("exec: package install requires approval", "command", truncateCmd(command, 100), "agent", t.agentID)
decision, err := t.approvalMgr.RequestApproval(command, t.agentID, 2*time.Minute)
if err != nil {
return ErrorResult(fmt.Sprintf("package install approval: %v", err))
}
if decision == ApprovalDeny {
return ErrorResult("package installation denied by admin")
}
// Approved — skip deny, continue to execution.
continue
}
return ErrorResult(fmt.Sprintf("command denied by safety policy: matches pattern %s", pattern.String()))
}
}
// Memory path hint: shell commands can't access DB-backed memory files.
if hint := MaybeMemoryExecHint(normalizedCommand); hint != "" {
return SilentResult(hint)
}
// Credentialed exec: if command matches a configured binary, use Direct Exec Mode.
// This bypasses approval (admin trust) and shell (security).
if cred, binary, cmdArgs := t.lookupCredentialedBinary(ctx, command); cred != nil {
cwd := ToolWorkspaceFromCtx(ctx)
if cwd == "" {
cwd = t.workspace
}
if wd, _ := args["working_dir"].(string); wd != "" {
if effectiveRestrict(ctx, t.restrict) {
if resolved, err := resolvePath(wd, t.workspace, true); err == nil {
cwd = resolved
}
} else {
cwd = wd
}
}
sandboxKey := ToolSandboxKeyFromCtx(ctx)
return t.executeCredentialed(ctx, cred, binary, cmdArgs, cwd, sandboxKey, command)
}
// Exec approval check (matching TS exec-approval.ts pipeline)
if t.approvalMgr != nil {
switch t.approvalMgr.CheckCommand(command) {
case "deny":
return ErrorResult("command denied by exec approval policy")
case "ask":
decision, err := t.approvalMgr.RequestApproval(command, t.agentID, 2*time.Minute)
if err != nil {
return ErrorResult(fmt.Sprintf("exec approval: %v", err))
}
if decision == ApprovalDeny {
return ErrorResult("command denied by user")
}
}
}
// Use per-user workspace from context if available, fallback to struct field.
// The context workspace is tenant-scoped; t.workspace is the global (master) workspace.
cwd := ToolWorkspaceFromCtx(ctx)
if cwd == "" {
cwd = t.workspace
}
if wd, _ := args["working_dir"].(string); wd != "" {
if effectiveRestrict(ctx, t.restrict) {
// Validate working_dir against the tenant-scoped workspace (not the
// global workspace) so non-master tenants can't escape their scope.
// Also allow team workspace as a valid target (same as filesystem tools).
wsBase := ToolWorkspaceFromCtx(ctx)
if wsBase == "" {
wsBase = t.workspace
}
allowed := allowedWithTeamWorkspace(ctx, nil)
resolved, err := resolvePathWithAllowed(wd, wsBase, true, allowed)
if err != nil {
return ErrorResult(err.Error())
}
cwd = resolved
} else {
cwd = wd
}
}
// Sandbox routing (sandboxKey from ctx — thread-safe)
sandboxKey := ToolSandboxKeyFromCtx(ctx)
if t.sandboxMgr != nil && sandboxKey != "" {
return t.executeInSandbox(ctx, command, cwd, sandboxKey)
}
// Host execution
return t.executeOnHost(ctx, command, cwd)
}
// matchesAny checks if a command matches any pattern in the list.
func matchesAny(command string, patterns []*regexp.Regexp) bool {
for _, p := range patterns {
if p.MatchString(command) {
return true
}
}
return false
}
// executeOnHost runs a command directly on the host (original behavior).
// ctx cancellation (e.g. agent abort) triggers SIGTERM → 3s grace → SIGKILL on the
// entire process group so forked children are also cleaned up (no orphans).
func (t *ExecTool) executeOnHost(ctx context.Context, command, cwd string) *Result {
ctx, cancel := context.WithTimeout(ctx, t.timeout)
defer cancel()
// Use plain exec.Command (not CommandContext) so we control the kill sequence.
// CommandContext would SIGKILL only the direct child, leaving forked grandchildren alive.
cmd := exec.Command("sh", "-c", command)
cmd.Dir = cwd
// Place the child in its own process group so killProcessGroup(-pgid, sig)
// reaches the shell and all of its forked children.
setProcessGroup(cmd)
// Limit output to 1MB to prevent OOM from runaway commands.
stdout := &limitedBuffer{max: 1 << 20}
stderr := &limitedBuffer{max: 1 << 20}
cmd.Stdout = stdout
cmd.Stderr = stderr
if err := cmd.Start(); err != nil {
return ErrorResult(fmt.Sprintf("failed to start command: %v", err))
}
done := make(chan error, 1)
go func() { done <- cmd.Wait() }()
select {
case err := <-done:
// Normal completion (success or non-zero exit).
return buildHostResult(err, stdout, stderr, ctx, t.timeout)
case <-ctx.Done():
// Context cancelled or timed out — kill the process group gracefully then forcefully.
_ = killProcessGroup(cmd, syscallSIGTERM)
select {
case <-done:
// Exited cleanly after SIGTERM.
case <-time.After(3 * time.Second):
// Still alive after grace period — force kill.
_ = killProcessGroup(cmd, syscallSIGKILL)
<-done
}
if errors.Is(ctx.Err(), context.DeadlineExceeded) {
return ErrorResult(fmt.Sprintf("command timed out after %s", t.timeout))
}
return ErrorResult("command aborted")
}
}
// buildHostResult formats the result of a completed host command execution.
func buildHostResult(err error, stdout, stderr *limitedBuffer, ctx context.Context, timeout time.Duration) *Result {
var result string
if stdout.Len() > 0 {
result = stdout.String()
}
if stderr.Len() > 0 {
if result != "" {
result += "\n"
}
result += "STDERR:\n" + stderr.String()
}
if err != nil {
if errors.Is(ctx.Err(), context.DeadlineExceeded) {
return ErrorResult(fmt.Sprintf("command timed out after %s", timeout))
}
if result == "" {
result = err.Error()
}
return ErrorResult(result)
}
if result == "" {
result = "(command completed with no output)"
}
return SilentResult(capExecOutput(result, execMaxOutputChars))
}
// executeInSandbox routes a command through a Docker sandbox container.
func (t *ExecTool) executeInSandbox(ctx context.Context, command, cwd, sandboxKey string) *Result {
sb, err := t.sandboxMgr.Get(ctx, sandboxKey, t.workspace, SandboxConfigFromCtx(ctx))
if err != nil {
if errors.Is(err, sandbox.ErrSandboxDisabled) {
return t.executeOnHost(ctx, command, cwd)
}
// Docker unavailable (binary missing, daemon down) → fail closed.
// Do NOT silently fallback to host — that defeats the purpose of sandboxing.
slog.Warn("security.sandbox_unavailable",
"error", err,
"command", truncateCmd(command, 80),
)
return ErrorResult(fmt.Sprintf("sandbox unavailable: %v (will not fall back to unsandboxed host execution)", err))
}
// Map host workdir to container workdir via SandboxCwd helper.
containerCwd, cwdErr := SandboxCwd(ctx, t.workspace, sandbox.DefaultContainerWorkdir)
if cwdErr != nil {
return ErrorResult(fmt.Sprintf("sandbox path mapping: %v", cwdErr))
}
result, err := sb.Exec(ctx, []string{"sh", "-c", command}, containerCwd) //nolint: no ExecOption for normal exec
if err != nil {
return ErrorResult(fmt.Sprintf("sandbox exec: %v", err))
}
// Format output same as host execution
output := result.Stdout
if result.Stderr != "" {
if output != "" {
output += "\n"
}
output += "STDERR:\n" + result.Stderr
}
if result.ExitCode != 0 {
if output == "" {
output = fmt.Sprintf("command exited with code %d", result.ExitCode)
}
output += MaybeSandboxHint(result.ExitCode, output)
return ErrorResult(output)
}
if output == "" {
output = "(command completed with no output)"
}
return SilentResult(capExecOutput(output, execMaxOutputChars))
}
// limitedBuffer caps output to prevent OOM from runaway commands.
type limitedBuffer struct {
buf bytes.Buffer
max int
truncated bool
}
func (lb *limitedBuffer) Write(p []byte) (int, error) {
if lb.truncated {
return len(p), nil
}
remaining := lb.max - lb.buf.Len()
if remaining <= 0 {
lb.truncated = true
return len(p), nil
}
if len(p) > remaining {
lb.buf.Write(p[:remaining])
lb.truncated = true
return len(p), nil
}
return lb.buf.Write(p)
}
func (lb *limitedBuffer) String() string {
s := lb.buf.String()
if lb.truncated {
s += "\n[output truncated at 1MB]"
}
return s
}
func (lb *limitedBuffer) Len() int { return lb.buf.Len() }