Skip to content

feat: add allowedUnrestricted mode for tool calling #10646

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
chenyuanrun wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add allowedUnrestricted mode for tool calling #10646

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions core/tools/policies/fileAccess.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,11 @@ export function evaluateFileAccessPolicy(
return "disabled";
}

// If tool is in unrestricted mode, skip workspace boundary check
if (basePolicy === "allowedUnrestricted") {
return "allowedUnrestricted";
}

// Files within workspace use the base policy (typically "allowedWithoutPermission")
if (isWithinWorkspace) {
return basePolicy;
Expand Down
11 changes: 8 additions & 3 deletions gui/src/pages/config/components/ToolPolicyItem.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,14 +141,19 @@ export function ToolPolicyItem(props: ToolPolicyItemProps) {
<span className="text-xs">
{disabled || policy === "disabled"
? "Excluded"
: policy === "allowedWithoutPermission"
? "Automatic"
: "Ask First"}
: policy === "allowedUnrestricted"
? "Unrestricted"
: policy === "allowedWithoutPermission"
? "Automatic"
: "Ask First"}
</span>
<ChevronDownIcon className="h-3 w-3" />
</ListboxButton>
{!disabled && (
<ListboxOptions className="min-w-0">
<ListboxOption value="allowedUnrestricted">
Unrestricted
</ListboxOption>
<ListboxOption value="allowedWithoutPermission">
Automatic
</ListboxOption>
Expand Down
7 changes: 5 additions & 2 deletions gui/src/redux/slices/uiSlice.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,14 +97,17 @@ export const uiSlice = createSlice({
const setting = state.toolSettings[action.payload];

switch (setting) {
case "allowedWithPermission":
case "allowedUnrestricted":
state.toolSettings[action.payload] = "allowedWithoutPermission";
break;
case "allowedWithoutPermission":
state.toolSettings[action.payload] = "allowedWithPermission";
break;
case "allowedWithPermission":
state.toolSettings[action.payload] = "disabled";
break;
case "disabled":
state.toolSettings[action.payload] = "allowedWithPermission";
state.toolSettings[action.payload] = "allowedUnrestricted";
break;
default:
state.toolSettings[action.payload] = DEFAULT_TOOL_SETTING;
Expand Down
17 changes: 14 additions & 3 deletions packages/terminal-security/src/evaluateTerminalCommandSecurity.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ type ParsedToken = string | ShellOperator | GlobPattern | CommentToken;
*
* @param basePolicy The base policy configured for the tool
* @param command The command string to evaluate
* @returns The security policy to apply: 'disabled', 'allowedWithPermission', or 'allowedWithoutPermission'
* @returns The security policy to apply: 'disabled', 'allowedWithPermission', 'allowedWithoutPermission', or 'allowedUnrestricted'
*/
export function evaluateTerminalCommandSecurity(
basePolicy: ToolPolicy,
Expand All @@ -38,6 +38,11 @@ export function evaluateTerminalCommandSecurity(
return "disabled";
}

// If tool is in unrestricted mode, skip all security checks
if (basePolicy === "allowedUnrestricted") {
return "allowedUnrestricted";
}

// Handle null/undefined/empty commands
if (!command || typeof command !== "string") {
return basePolicy;
Expand Down Expand Up @@ -263,7 +268,10 @@ function evaluateTokens(
}

// Check for obfuscation patterns
if (hasObfuscationPatterns(originalCommand)) {
if (
hasObfuscationPatterns(originalCommand) &&
mostRestrictivePolicy !== "allowedUnrestricted"
) {
mostRestrictivePolicy = getMostRestrictive(
mostRestrictivePolicy,
"allowedWithPermission",
Expand All @@ -283,7 +291,10 @@ function getMostRestrictive(...policies: ToolPolicy[]): ToolPolicy {
if (policies.some((p) => p === "allowedWithPermission")) {
return "allowedWithPermission";
}
return "allowedWithoutPermission";
if (policies.some((p) => p === "allowedWithoutPermission")) {
return "allowedWithoutPermission";
}
return "allowedUnrestricted";
}

/**
Expand Down
3 changes: 2 additions & 1 deletion packages/terminal-security/src/types.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,5 @@
export type ToolPolicy =
| "allowedWithPermission"
| "allowedWithoutPermission"
| "disabled";
| "disabled"
| "allowedUnrestricted";
51 changes: 49 additions & 2 deletions packages/terminal-security/test/terminalCommandSecurity.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import { describe, it, expect } from "vitest";
import { evaluateTerminalCommandSecurity, ToolPolicy } from "../src/index.js";
import { describe, expect, it } from "vitest";
import { evaluateTerminalCommandSecurity } from "../src/index.js";

describe("evaluateTerminalCommandSecurity", () => {
describe("Critical Risk - Always Disabled", () => {
Expand Down Expand Up @@ -1864,4 +1864,51 @@ describe("evaluateTerminalCommandSecurity", () => {
});
});
});

describe("Unrestricted Mode", () => {
it("should always return allowedUnrestricted when base policy is allowedUnrestricted", () => {
const result = evaluateTerminalCommandSecurity(
"allowedUnrestricted",
"rm -rf /",
);
expect(result).toBe("allowedUnrestricted");
});

it("should return allowedUnrestricted for dangerous commands in unrestricted mode", () => {
const result = evaluateTerminalCommandSecurity(
"allowedUnrestricted",
"sudo apt-get update",
);
expect(result).toBe("allowedUnrestricted");
});

it("should return allowedUnrestricted for command substitution in unrestricted mode", () => {
const result = evaluateTerminalCommandSecurity(
"allowedUnrestricted",
"echo $(rm -rf /)",
);
expect(result).toBe("allowedUnrestricted");
});

it("should return allowedUnrestricted for obfuscated commands in unrestricted mode", () => {
const result = evaluateTerminalCommandSecurity(
"allowedUnrestricted",
"echo 'cm0gLXJmIC8=' | base64 -d | sh",
);
expect(result).toBe("allowedUnrestricted");
});

it("should return allowedUnrestricted for multi-line commands in unrestricted mode", () => {
const result = evaluateTerminalCommandSecurity(
"allowedUnrestricted",
"ls\nrm -rf /",
);
expect(result).toBe("allowedUnrestricted");
});

it("should handle empty command in unrestricted mode", () => {
const result = evaluateTerminalCommandSecurity("allowedUnrestricted", "");
expect(result).toBe("allowedUnrestricted");
});
});
});
Loading