liderra/portal
1
0
Fork 0
Code Issues Pull Requests Actions 86 Packages Projects Releases Wiki Activity
Files
dee4a0e1a290c267dfe83db084e6e6b3f0ec9404
portal/tools/enforce-powershell-gate.mjs
T
Дмитрий c662369e2e feat(router-gate): powershell gate main() (fail-CLOSE)
2026-05-29 20:29:23 +03:00

148 lines
7.0 KiB
JavaScript
Raw Blame History

#!/usr/bin/env node
/**
* PreToolUse PowerShell gate (router-gate v4 §5.1.2). Зеркало Bash-гейта:
* default-deny whitelist + hard-blacklist (keep v3.8 F1 + v4.1 G10) +
* injection + path-deny + git через shared classifyGitCommand. Fail-CLOSE.
*/
import { fileURLToPath } from 'url';
import {
defaultPathNormalize,
DEFAULT_PROTECTED_PATTERNS,
pathDenyOverlay,
matchAny,
hasInjection,
classifyGitCommand,
loadApprovedGitOps,
} from './shell-content-rules.mjs';
import { readStdin, parseEventJson, exitDecision } from './enforce-hook-helpers.mjs';
// PowerShell — лёгкий сплиттер по ; | && || (без shell-quote: иной синтаксис).
export function tokenizePowerShell(command) {
const parts = String(command || '').split(/\s*(?:\|\||&&|[;|])\s*/).filter((p) => p.trim() !== '');
return parts.map((p) => {
const trimmed = p.trim();
const m = trimmed.match(/^([A-Za-z][\w-]*|\[[^\]]+\]::\w+|\$env:[A-Za-z_]+)/);
return { raw: trimmed, cmd: (m ? m[1] : trimmed).toLowerCase() };
});
}
export const PS_HARD_BLACKLIST = [
// keep v3.8 F1
{ re: /\b(?:Remove-Item|ri|del|erase|rd)\b/i, reason: 'Remove-Item/del запрещён' },
{ re: /\b(?:Move-Item|mi|move)\b/i, reason: 'Move-Item запрещён' },
{ re: /\b(?:Copy-Item|cpi|copy)\b/i, reason: 'Copy-Item запрещён' },
{ re: /\b(?:Set-Content|sc|Add-Content|ac|Out-File)\b/i, reason: 'Set/Add-Content/Out-File запрещён' },
{ re: /(?:^|[^0-9>&])>{1,2}(?![>&])/, reason: 'redirect (>/>>) запрещён' },
{ re: /\b(?:Invoke-Expression|iex)\b/i, reason: 'Invoke-Expression/iex запрещён' },
{ re: /\b(?:Invoke-WebRequest|iwr|curl|wget)\b[^\n]*\|\s*(?:iex|Invoke-Expression)/i, reason: 'IWR | iex запрещён' },
{ re: /\bStart-Process\b/i, reason: 'Start-Process запрещён' },
{ re: /\[System\.IO\.File\]::(?:Delete|WriteAllText|WriteAllBytes|AppendAllText)\b/i, reason: '[IO.File] write/delete запрещён' },
{ re: /\[System\.IO\.Directory\]::(?:Delete|CreateDirectory)\b/i, reason: '[IO.Directory] mutate запрещён' },
{ re: /\b(?:Stop-Process|kill|spps)\b/i, reason: 'Stop-Process/kill запрещён' },
{ re: /\b(?:Stop-Service|Remove-Service|Set-Service|New-Service)\b/i, reason: 'service mutate запрещён' },
{ re: /\bSet-ExecutionPolicy\b/i, reason: 'Set-ExecutionPolicy запрещён' },
{ re: /\bSet-ItemProperty\b/i, reason: 'Set-ItemProperty запрещён' },
{ re: /\b(?:Get-Credential|Export-PSSession)\b/i, reason: 'Get-Credential/Export-PSSession запрещён' },
{ re: /\b(?:Restart-Computer|Stop-Computer)\b/i, reason: 'Restart/Stop-Computer запрещён' },
{ re: /\b(?:Register-ScheduledTask|Set-ScheduledTask)\b/i, reason: 'ScheduledTask mutate запрещён' },
{ re: /\b(?:Set-Acl|icacls)\b/i, reason: 'Set-Acl/icacls запрещён' },
{ re: /\bNew-Item\b[^\n]*-ItemType\s+(?:File|Directory)\b/i, reason: 'New-Item (mutate) запрещён' },
// v4.1 G10
{ re: /\$env:[A-Za-z_]+\s*=/i, reason: 'G10: $env:X = ... запрещён' },
{ re: /\[System\.Environment\]::SetEnvironmentVariable\b/i, reason: 'G10: SetEnvironmentVariable запрещён' },
{ re: /\bSet-Item\s+-Path\s+Env:/i, reason: 'G10: Set-Item Env: запрещён' },
{ re: /\bNew-PSDrive\b/i, reason: 'G10: New-PSDrive запрещён' },
{ re: /\bInvoke-Azure[A-Z]/, reason: 'G10: Azure cmdlet запрещён' },
{ re: /\b(?:Get|New|Set|Remove)-Az[A-Z]/, reason: 'G10: Az cmdlet запрещён' },
{ re: /\b(?:Get|New|Set|Remove)-AWS[A-Z]/, reason: 'G10: AWS cmdlet запрещён' },
{ re: /\bgcloud\s+(?:auth|compute|iam|storage)\b/, reason: 'G10: gcloud запрещён' },
];
export function matchPsHardBlacklist(command) {
const s = String(command || '');
if (hasInjection(s)) return '#34: Write-Output/echo prompt-injection запрещён';
return matchAny(PS_HARD_BLACKLIST, s);
}
// whitelist cmdlets (lowercased) + aliases
const PS_READING = new Set([
'get-childitem', 'gci', 'ls', 'dir', 'select-string', 'sls', 'get-content', 'gc', 'cat', 'type',
'get-item', 'gi', 'get-itemproperty', 'gp',
]);
const PS_SAFE = new Set([
'test-path', 'resolve-path', 'rvpa', 'get-location', 'gl', 'pwd', 'get-process', 'gps', 'ps',
'get-date', 'measure-object', 'sort-object', 'where-object', 'foreach-object', 'select-object',
]);
function psPathArgs(raw) {
// tokens после команды; убираем флаги (-X), оператор -Path сам по себе тоже флаг
const toks = raw.split(/\s+/).slice(1);
const out = [];
for (const t of toks) {
if (t.startsWith('-')) continue;
if (t.startsWith('"') || t.startsWith("'") || /[\/\\~.]/.test(t)) out.push(t.replace(/^['"]|['"]$/g, ''));
}
return out;
}
export function classifyPowerShellCommand(command, ctx = {}) {
const s = String(command || '');
if (s.trim() === '') return { result: 'block', reason: 'пустая команда' };
const hb = matchPsHardBlacklist(s);
if (hb) return { result: 'block', reason: hb };
const segs = tokenizePowerShell(s);
for (const seg of segs) {
if (seg.cmd === 'git') {
const git = classifyGitCommand(seg.raw, ctx);
if (git && git.result === 'block') return git;
if (git) continue; // allowed git segment
}
if (PS_READING.has(seg.cmd)) {
const pd = pathDenyOverlay({
candidatePaths: psPathArgs(seg.raw),
pathNormalize: ctx.pathNormalize,
protectedPaths: ctx.protectedPaths,
});
if (pd.block) return { result: 'block', reason: pd.reason };
continue;
}
if (PS_SAFE.has(seg.cmd)) continue;
return { result: 'block', reason: `cmdlet «${seg.cmd}» не в whitelist — default-deny (§5.1.2)` };
}
return { result: 'allow', reason: 'whitelisted PowerShell command(s)' };
}
async function resolvePathNormalize() {
try {
const mod = await import('./path-normalization.mjs');
if (typeof mod.pathNormalize === 'function') return mod.pathNormalize;
if (typeof mod.default === 'function') return mod.default;
} catch { /* Stream A not merged */ }
return defaultPathNormalize;
}
async function main() {
try {
const raw = await readStdin();
const event = parseEventJson(raw);
if (event.tool_name !== 'PowerShell') { exitDecision({ block: false }); return; }
const command = (event.tool_input && event.tool_input.command) || '';
const sessionId = event.session_id || 'unknown';
const ctx = {
approvedGitOps: loadApprovedGitOps(sessionId),
pathNormalize: await resolvePathNormalize(),
protectedPaths: DEFAULT_PROTECTED_PATTERNS,
now: Date.now(),
};
const verdict = classifyPowerShellCommand(command, ctx);
exitDecision(verdict.result === 'block' ? { block: true, message: `[powershell-gate] ${verdict.reason}` } : { block: false });
} catch {
exitDecision({ block: true, message: '[powershell-gate] внутренняя ошибка — fail-CLOSE' });
}
}
const isCli = process.argv[1] && fileURLToPath(import.meta.url) === process.argv[1];
if (isCli) main();
Reference in New Issue View Git Blame Copy Permalink