@@ -8,8 +8,8 @@ class CodeGuard:
88 """
99 def __init__ (self ):
1010 # Blocklist of dangerous functions and imports
11- self .dangerous_functions : Set [str ] = {'eval' , 'exec' , 'compile' , 'open' , 'system' , 'popen' }
12- self .dangerous_modules : Set [str ] = {'os' , 'subprocess' , 'sys' , 'shutil' , 'socket' , 'pickle' }
11+ self .dangerous_functions : Set [str ] = {'eval' , 'exec' , 'compile' , 'open' , 'system' , 'popen' , '__import__' , 'spawn' }
12+ self .dangerous_modules : Set [str ] = {'os' , 'subprocess' , 'sys' , 'shutil' , 'socket' , 'pickle' , 'pty' }
1313
1414 def verify_safety (self , code_snippet : str , language : str = "python" ) -> Dict [str , Any ]:
1515 """
@@ -36,8 +36,12 @@ def verify_safety(self, code_snippet: str, language: str = "python") -> Dict[str
3636 for node in ast .walk (tree ):
3737 # Check for dangerous function calls (e.g., eval())
3838 if isinstance (node , ast .Call ):
39+ # Direct calls: eval()
3940 if isinstance (node .func , ast .Name ) and node .func .id in self .dangerous_functions :
4041 violations .append (f"Forbidden function call: { node .func .id } ()" )
42+ # Method calls: os.system()
43+ elif isinstance (node .func , ast .Attribute ) and node .func .attr in self .dangerous_functions :
44+ violations .append (f"Forbidden method call: .{ node .func .attr } ()" )
4145
4246 # Check for dangerous imports (e.g., import os)
4347 elif isinstance (node , ast .Import ):
@@ -69,8 +73,7 @@ def _verify_bash(self, code: str) -> Dict[str, Any]:
6973 import re
7074
7175 dangerous_patterns = [
72- (r"curl\s+.*\|\s*bash" , "Pipe to Bash detected (RCE Risk)" ),
73- (r"wget\s+.*\|\s*bash" , "Pipe to Bash detected (RCE Risk)" ),
76+ (r"(?:curl|wget)\s+.*(?:\||&&|;)\s*(?:bash|sh|python|perl|ruby|php)" , "Remote Code Execution (RCE) chain detected" ),
7477 (r"rm\s+-rf" , "Destructive command (rm -rf)" ),
7578 (r":\(\)\{\s*:\|:\&\s*\}\;" , "Fork Bomb detected" ),
7679 (r"nc\s+" , "Netcat usage detected (Data Exfiltration/Reverse Shell Risk)" ),
@@ -79,6 +82,8 @@ def _verify_bash(self, code: str) -> Dict[str, Any]:
7982 (r"/etc/passwd" , "Sensitive file access (/etc/passwd)" ),
8083 (r"/etc/shadow" , "Sensitive file access (/etc/shadow)" ),
8184 (r"id_rsa" , "SSH Private Key access detected" ),
85+ (r"printenv" , "Environment Variable Dumping detected" ),
86+ (r"grep\s+.*(?:pass|token|key|secret)" , "Credential Hunting (grep for secrets) detected" ),
8287 (r"base64\s+-d" , "Base64 Decoding (Obfuscation Risk)" ),
8388 (r"chmod\s+777" , "Insecure permissions (chmod 777)" ),
8489 (r"sudo\s+" , "Privilege Escalation attempt (sudo)" ),
0 commit comments