fix(security): guard against rm -rf in hooks and source code

StackMemory Bot (CLI) · StackMemory Bot (CLI) · commit 779b34b01889 · 2026-02-20T12:32:40.000-05:00
- Add rm -rf/rm -r/rm -fr/rm -Rf to deny list in .claude/settings.json
  and settings.local.json (hard block, no prompt bypass)
- Replace execSync('rm -rf ...') with fs.rmSync() in ralph.ts and setup.ts
- Add validateShellCommand() to input-sanitizer.ts with DANGEROUS_SHELL_PATTERNS
  regex blocking recursive rm, mkfs, dd, and fork bombs
- Export validateShellCommand from security/index.ts
- Add 4 tests covering blocked and allowed patterns
diff --git a/.claude/settings.json b/.claude/settings.json
@@ -78,7 +78,11 @@
   },
   "permissions": {
     "deny": [
-      "Read(./.entire/metadata/**)"
+      "Read(./.entire/metadata/**)",
+      "Bash(rm -rf:*)",
+      "Bash(rm -r :*)",
+      "Bash(rm -fr:*)",
+      "Bash(rm -Rf:*)"
     ]
   }
 }
diff --git a/src/cli/commands/ralph.ts b/src/cli/commands/ralph.ts
@@ -265,8 +265,8 @@ export function createRalphCommand(): Command {
         try {
           // Clean up Ralph directory
           if (!options.keepHistory && existsSync('.ralph/history')) {
-            const { execSync } = await import('child_process');
-            execSync('rm -rf .ralph/history');
+            const fs = await import('fs');
+            fs.rmSync('.ralph/history', { recursive: true, force: true });
           }
 
           // Remove working files but keep task definition
diff --git a/src/cli/commands/setup.ts b/src/cli/commands/setup.ts
@@ -6,7 +6,7 @@
 
 import { Command } from 'commander';
 import chalk from 'chalk';
-import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { existsSync, readFileSync, writeFileSync, mkdirSync, rmSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
 import { execSync } from 'child_process';
@@ -471,7 +471,7 @@ export function createSetupPluginsCommand(): Command {
           if (options.force) {
             // Remove existing
             try {
-              execSync(`rm -rf "${targetPath}"`, { encoding: 'utf-8' });
+              rmSync(targetPath, { recursive: true, force: true });
             } catch {
               console.log(
                 chalk.red(`  [ERROR] ${plugin} - could not remove existing`)
diff --git a/src/core/security/__tests__/input-sanitizer.test.ts b/src/core/security/__tests__/input-sanitizer.test.ts
@@ -14,6 +14,7 @@ import {
   sanitizeForLogging,
   InputSchemas,
   validateInput,
+  validateShellCommand,
 } from '../input-sanitizer.js';
 import { ValidationError } from '../../errors/index.js';
 
@@ -82,6 +83,34 @@ describe('validateShellArg', () => {
   });
 });
 
+describe('validateShellCommand', () => {
+  it('should block rm -rf patterns', () => {
+    expect(() => validateShellCommand('rm -rf /')).toThrow(ValidationError);
+    expect(() => validateShellCommand('rm -rf /tmp/foo')).toThrow(
+      ValidationError
+    );
+    expect(() => validateShellCommand('rm -fr /tmp/bar')).toThrow(
+      ValidationError
+    );
+    expect(() => validateShellCommand('rm -Rf node_modules')).toThrow(
+      ValidationError
+    );
+    expect(() => validateShellCommand('rm -r /some/dir')).toThrow(
+      ValidationError
+    );
+  });
+
+  it('should allow safe rm (single file)', () => {
+    expect(validateShellCommand('rm file.txt')).toBe('rm file.txt');
+    expect(validateShellCommand('rm -f file.txt')).toBe('rm -f file.txt');
+  });
+
+  it('should allow non-rm commands', () => {
+    expect(validateShellCommand('ls -la')).toBe('ls -la');
+    expect(validateShellCommand('npm run build')).toBe('npm run build');
+  });
+});
+
 describe('sanitizeForLogging', () => {
   it('should redact sensitive fields in objects', () => {
     const obj = { username: 'user', password: 'secret', apiKey: 'key123' };
diff --git a/src/core/security/index.ts b/src/core/security/index.ts
@@ -25,6 +25,7 @@ export {
 
   // Shell command safety
   validateShellArg,
+  validateShellCommand,
 
   // JSON safety
   safeJsonParse,
diff --git a/src/core/security/input-sanitizer.ts b/src/core/security/input-sanitizer.ts
@@ -414,6 +414,34 @@ export function createAggregateSchema(allowedFields: string[]) {
   });
 }
 
+/**
+ * Dangerous shell command patterns that should never be executed programmatically
+ */
+const DANGEROUS_SHELL_PATTERNS = [
+  /\brm\s+(-[a-zA-Z]*r[a-zA-Z]*f|--recursive)\b/i, // rm -rf, rm -fr, rm --recursive
+  /\brm\s+-[a-zA-Z]*r\b/i, // rm -r (any flag combo with r)
+  /\bmkfs\b/i,
+  /\bdd\s+if=/i,
+  /\b:\(\)\s*\{/i, // fork bomb
+];
+
+/**
+ * Validate a shell command string for dangerous patterns
+ * Use before execSync/exec to prevent destructive commands
+ */
+export function validateShellCommand(command: string): string {
+  for (const pattern of DANGEROUS_SHELL_PATTERNS) {
+    if (pattern.test(command)) {
+      throw new ValidationError(
+        `Blocked dangerous shell command: ${command.substring(0, 80)}`,
+        ErrorCode.VALIDATION_FAILED,
+        { reason: 'dangerous_command' }
+      );
+    }
+  }
+  return command;
+}
+
 /**
  * Validate command line arguments for shell safety
  * Prevents command injection

Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,11 @@`
`78`	`78`	`},`
`79`	`79`	`"permissions": {`
`80`	`80`	`"deny": [`
`81`		`- "Read(./.entire/metadata/**)"`
	`81`	`+ "Read(./.entire/metadata/**)",`
	`82`	`+ "Bash(rm -rf:*)",`
	`83`	`+ "Bash(rm -r :*)",`
	`84`	`+ "Bash(rm -fr:*)",`
	`85`	`+ "Bash(rm -Rf:*)"`
`82`	`86`	`]`
`83`	`87`	`}`
`84`	`88`	`}`