Skip to content

Commit e8233cd

Browse files
committed
feat: rigorous security rules for RCE and credential dumping
1 parent e600cf2 commit e8233cd

1 file changed

Lines changed: 9 additions & 4 deletions

File tree

src/qwed_new/guards/code_guard.py

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -8,8 +8,8 @@ class CodeGuard:
88
"""
99
def __init__(self):
1010
# Blocklist of dangerous functions and imports
11-
self.dangerous_functions: Set[str] = {'eval', 'exec', 'compile', 'open', 'system', 'popen'}
12-
self.dangerous_modules: Set[str] = {'os', 'subprocess', 'sys', 'shutil', 'socket', 'pickle'}
11+
self.dangerous_functions: Set[str] = {'eval', 'exec', 'compile', 'open', 'system', 'popen', '__import__', 'spawn'}
12+
self.dangerous_modules: Set[str] = {'os', 'subprocess', 'sys', 'shutil', 'socket', 'pickle', 'pty'}
1313

1414
def verify_safety(self, code_snippet: str, language: str = "python") -> Dict[str, Any]:
1515
"""
@@ -36,8 +36,12 @@ def verify_safety(self, code_snippet: str, language: str = "python") -> Dict[str
3636
for node in ast.walk(tree):
3737
# Check for dangerous function calls (e.g., eval())
3838
if isinstance(node, ast.Call):
39+
# Direct calls: eval()
3940
if isinstance(node.func, ast.Name) and node.func.id in self.dangerous_functions:
4041
violations.append(f"Forbidden function call: {node.func.id}()")
42+
# Method calls: os.system()
43+
elif isinstance(node.func, ast.Attribute) and node.func.attr in self.dangerous_functions:
44+
violations.append(f"Forbidden method call: .{node.func.attr}()")
4145

4246
# Check for dangerous imports (e.g., import os)
4347
elif isinstance(node, ast.Import):
@@ -69,8 +73,7 @@ def _verify_bash(self, code: str) -> Dict[str, Any]:
6973
import re
7074

7175
dangerous_patterns = [
72-
(r"curl\s+.*\|\s*bash", "Pipe to Bash detected (RCE Risk)"),
73-
(r"wget\s+.*\|\s*bash", "Pipe to Bash detected (RCE Risk)"),
76+
(r"(?:curl|wget)\s+.*(?:\||&&|;)\s*(?:bash|sh|python|perl|ruby|php)", "Remote Code Execution (RCE) chain detected"),
7477
(r"rm\s+-rf", "Destructive command (rm -rf)"),
7578
(r":\(\)\{\s*:\|:\&\s*\}\;", "Fork Bomb detected"),
7679
(r"nc\s+", "Netcat usage detected (Data Exfiltration/Reverse Shell Risk)"),
@@ -79,6 +82,8 @@ def _verify_bash(self, code: str) -> Dict[str, Any]:
7982
(r"/etc/passwd", "Sensitive file access (/etc/passwd)"),
8083
(r"/etc/shadow", "Sensitive file access (/etc/shadow)"),
8184
(r"id_rsa", "SSH Private Key access detected"),
85+
(r"printenv", "Environment Variable Dumping detected"),
86+
(r"grep\s+.*(?:pass|token|key|secret)", "Credential Hunting (grep for secrets) detected"),
8287
(r"base64\s+-d", "Base64 Decoding (Obfuscation Risk)"),
8388
(r"chmod\s+777", "Insecure permissions (chmod 777)"),
8489
(r"sudo\s+", "Privilege Escalation attempt (sudo)"),

0 commit comments

Comments
 (0)