
[AI][Fix #27] Replace bare rm -rf with a validated delete action to prevent path traversal #32

Open
josephmqiu wants to merge 1 commit into perkfly:main from josephmqiu:fix/27-safe-delete

Conversation

@josephmqiu


Important

🤖 AI disclosure: this PR was written and tested locally by the AI model Claude Fable 5 (Anthropic, running in Claude Code) and submitted with the authorization of @josephmqiu.

Fixes #27

Problem

/delete-ex {slug} has the agent run rm -rf exes/{slug} directly; the slug comes from user input and is not validated at all:

  • /delete-ex ../.. concatenates to rm -rf exes/../.., deleting the project's parent directories (with a global install, that is inside the user's skills directory)
  • Having the language model splice together a bare rm -rf means any misreading of the template turns into an irreversible deletion

Changes

  • skill_writer.py gains --action delete with three built-in layers of defense:
    1. Slug whitelist validation [a-z0-9][a-z0-9_-]{0,63}, which rejects inputs such as ../.. outright
    2. Path ownership confirmation: after resolve, the target must lie inside base-dir (so even if the whitelist were bypassed, nothing outside can be deleted)
    3. Target identity confirmation: a directory without meta.json is refused (avoids deleting a non-Skill directory by mistake)
  • SKILL.md (zh + en) now reads: first show the full path to be deleted and the name from meta.json, call the tool only after the user explicitly confirms; concatenating rm -rf directly is explicitly forbidden

Local testing

== 1. Path traversal -> blocked ==
$ python3 tools/skill_writer.py --action delete --slug "../outside_dir" --base-dir <test>/exes
错误:非法 slug:'../outside_dir'(只允许小写字母/数字/下划线/连字符,且以字母或数字开头)
exit: 1

== 2. Non-Skill directory -> refused ==
$ python3 tools/skill_writer.py --action delete --slug notaskill --base-dir <test>/exes
错误:.../exes/notaskill 不是一个前任 Skill 目录(缺少 meta.json),拒绝删除
exit: 1

== 3. Normal deletion ==
$ python3 tools/skill_writer.py --action delete --slug delme --base-dir <test>/exes
✅ 已删除 .../exes/delme
exit: 0

After the tests, confirmed that directories outside base-dir were intact.

🤖 Generated with Claude Code

https://claude.ai/code/session_01Qxv8G25EYkYzQyY6FdJ6qH

The /delete-ex flow had the agent execute rm -rf with a verbatim
user-supplied slug — '/delete-ex ../..' would escape the exes directory
(with a global install, that's inside the user's skills directory), and
any templating mistake by the model becomes an irreversible deletion.

Adds 'skill_writer.py --action delete' with three layers of defense:
- slug whitelist validation ([a-z0-9][a-z0-9_-]{0,63})
- resolved-path containment check against base-dir
- refusal to delete directories lacking meta.json

SKILL.md (zh + en) now instructs showing the resolved path and name for
explicit confirmation, then calling the tool — never raw rm -rf.

Fixes perkfly#27

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Qxv8G25EYkYzQyY6FdJ6qH
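The three-layer check the PR describes (slug whitelist, resolved-path containment, meta.json identity), as an added Python example that is not the project's own skill_writer.py. The function name safe_delete_skill and the constructed fixture in demo() are assumptions; the fixture reproduces the PR's three local test cases and adds a symlink variant that layer 2 also catches.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Whitelist from the PR: one [a-z0-9] followed by up to 63 of [a-z0-9_-].
SLUG_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}")

class DeleteRefused(Exception):
    """Any of the three layers rejected the request; nothing was touched."""

def safe_delete_skill(slug: str, base_dir: Path) -> Path:
    """Delete base_dir/<slug> only if all three layers pass; return the resolved target."""
    # Layer 1: slug whitelist. Rejects '../..', absolute paths, spaces, uppercase, etc.
    if not SLUG_RE.fullmatch(slug):
        raise DeleteRefused(f"illegal slug: {slug!r}")
    base = base_dir.resolve()
    target = (base / slug).resolve()  # resolve() also follows symlinks
    # Layer 2: containment. Even if layer 1 were bypassed, or base/<slug> is a
    # symlink pointing elsewhere, the resolved target must sit strictly inside base.
    if base not in target.parents:
        raise DeleteRefused(f"{target} is outside {base}")
    # Layer 3: identity. Only a directory carrying meta.json counts as a Skill dir.
    if not (target / "meta.json").is_file():
        raise DeleteRefused(f"{target} is not a Skill directory (no meta.json)")
    shutil.rmtree(target)
    return target

def demo() -> dict:
    """Constructed temporary fixture (assumption) mirroring the PR's test layout."""
    root = Path(tempfile.mkdtemp()).resolve()
    exes = root / "exes"
    (exes / "delme").mkdir(parents=True)
    (exes / "delme" / "meta.json").write_text('{"name": "delme"}')
    (exes / "notaskill").mkdir()            # no meta.json -> layer 3 refuses
    (root / "outside_dir").mkdir()          # must survive every attempt
    (exes / "link").symlink_to(root / "outside_dir")  # symlink escape -> layer 2
    results = {}
    for slug in ("../outside_dir", "notaskill", "link", "delme"):
        try:
            safe_delete_skill(slug, exes)
            results[slug] = "deleted"
        except DeleteRefused:
            results[slug] = "refused"
    results["outside_dir_intact"] = (root / "outside_dir").is_dir()
    results["delme_gone"] = not (exes / "delme").exists()
    shutil.rmtree(root)
    return results
```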

Development

Successfully merging this pull request may close these issues.

[AI review][Security] /delete-ex runs rm -rf exes/{slug} directly with an unvalidated slug, risking path traversal and deletion of arbitrary directories
