Shellfirm - Intercept any risky patterns (default or defined by you) and prompt you a small challenge for double verification

Related tags

Command-line shell rust zsh devops terminal devops-tools
Overview

shellfirm

Opppppsss you did it again? 😱 😱 😰

Protect yourself from yourself!
  • rm -rf *
  • git reset --hard before saving?
  • kubectl delete ns which going to delete all resources under this namespace?
  • And more!

Do you want to learn from people that made those mistakes??

shellfirm will intercept any risky patterns (default or defined by you) and prompt you a small challenge for double verification, kinda like a captcha for your terminal.

$ rm -rf /
#######################
# RISKY COMMAND FOUND #
#######################
* You are going to delete everything in the path.

Solve the challenge: 8 + 0 = ? (^C to cancel)

How it works?

shellfirm evaluate all shell command behind the scene. If a risky pattern is detected, you will get a prompt with a warning and double verification will requests.

Example

Installation

  • Install via brew
brew tap kaplanelad/tap && brew install shellfirm
  • Download zsh plugin:
curl https://raw.githubusercontent.com/kaplanelad/shellfirm/main/shellfirm.plugin.zsh --create-dirs -o ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/shellfirm/shellfirm.plugin.zsh
  • Finally, add the shellfirm as the plugin in your .zshrc file as:
plugins=(... shellfirm)

Risky command:

Group Path Enable By Default
base base.yaml true
git git.yaml true
fs fs.yaml true
kubernetes kubernetes.yaml false
shellfirm config update --check-group kubernetes

After installing shellfirm tool the config stored in the path: ~/.shellfirm/config.yaml

You can always manage your out risky command:

Checks examples:

challenge: Math # Math, Enter, Yes

includes: 
  - base
  - fs
  - git

checks:
  - is: git reset
    method: Contains
    enable: true
    description: "This command going to reset all your local changes."
    from: git
  - is: "rm.+(-r|-f|-rf|-fr)*"
    method: Regex
    enable: true
    description: "You are going to delete everything in the path."
    from: fs
  - is: ">.+/dev/sda"
    method: Regex
    enable: true
    description: "Writing the data directly to the hard disk drive and damaging your file system."
    from: fs
  - is: "mv+.*/dev/null"
    method: Regex
    enable: true
    description: "The files will be discarded and destroyed."
    from: fs

ℹī¸ to define custom check (that not include int the shillfirm check) add new check to config.yaml file with from: custom.

  - is: "special check"
    method: Regex
    enable: true
    description: "Example of custom check."
    from: custom

Add new group checks:

$ shellfirm config update --check-group {group} {group}

Remove new group checks:

$ shellfirm config update --check-group {group} {group} --remove

Disable specific check

Edit configuration file in ~/.shellfirm/config.yaml and change the check to enable:false.

Change challenge

currently we supporting 3 different challenges when a command is detected:

  • Math - Default challenge which requires you to solve a math question.
  • Enter - Requite only Enter to continue.
  • Yes - Requite yes to continue.

You can change the default challenge by running the command:

$ shellfirm config challenge --challenge Math

At any time you can exit with the challenge by ^C

Updates

  • Update shellfirm:
$ brew upgrade shellfirm

Contributing

See the contributing directory for more developer documentation.

Comments
  • Make `$XDG_CONFIG_HOME/shellfirm/` the default config path

    Make `$XDG_CONFIG_HOME/shellfirm/` the default config path

    Proposal

    Make $XDG_CONFIG_HOME/shellfirm/ the default path for all configuration, in accordance with XDG dir spec and to prevent clutter of $HOME dir.

    Alternatively, allow user to set the path explicitly (with an env variable, for example).

    Also, thank you for the project!

    opened by roadkell 24
  • Restrict command at all

    Restrict command at all

    Proposal

    Hi Elad, thanks for your good work. Can you add a feature to restrict commands at all? looks like it would be very good if the feature was held.
    Very Thanks!

    Use-cases

    • Admin set command which is restricted in /.shellfirm/config.yaml
    • The user cannot execute the command in /.shellfirm/config.yaml at all.

    Expected Beahviour

    • User can't run command at all if command is on the list of /.shellfirm/config.yaml

    Actual Behaviour

    • The user can still run the command if the user succeeds in winning the challenge.
    opened by gilangvperdana 9
  • Terraform

    Terraform

    List of possible risky patterns:

    • terraform apply - with flag -auto-approve
    • terraform force-unlock - with flag -force
    • terraform state mv - without dryrun flag https://www.terraform.io/cli/commands/state/mv
    • terraform state replace-provider - with -auto-approve
    • terraform state rm - without -dry-run
    • terraform workspace delete - with -force
    good first issue risky command 
    opened by kaplanelad 6
  • Zsh installation instructions without Oh My Zsh

    Zsh installation instructions without Oh My Zsh

    Proposal

    Please add installation instructions for Zsh without using Oh My Zsh

    Use-cases

    People using Zsh without Oh My Zsh

    Attempted Solutions

    Pasting shellfirm.plugin.zsh to .zshrc

    documentation 
    opened by igorkulman 6
  • Add check for crontab -r

    Add check for crontab -r

    Please add a check for:

    crontab -r

    The above command is risky because it'll remove the user's entire crontab of scheduled tasks. Since users typically would want to edit their crontab using the -e option, an accidental keypress of neighbouring -r would be disastrous. Yes, an alias to include the -i (interactive) option could be set to at least first prompt the user before its removal, but users typically only learn about this option once the damage is already done.

    risky command 
    opened by warrenski 4
  • Customize deny pattern still can be executed

    Customize deny pattern still can be executed

    Shellfirm version:

    What happened: Tried to customize the denied command, but it didn't work.

    What you expected to happen: what I think, shellfirm can customize commands that can be denied in addition to the default commands like in the shellfirm/checks directory. But it doesn't work well at my place

    How to reproduce it (as minimally and precisely as possible):

    • I declared the command I want to deny in .shellfirm/settings.yaml in the line deny_patterns_ids & includes
    • I did a shellfirm config challenge
    • I've seen my pattern customization already entered there
    • but after I tried the command, it still works in other words it is not restricted by shellfirm. Unlike the default commands that shellfirm give such as git reset etc.

    Anything else we need to know?:

    • we all know that this app has big vision and i already feel it
    • I am very happy that you build an application like this, it is very useful in my opinion
    • Thanks @kaplanelad

    OS:

    • Ubuntu 20.04LTS Server

    Evidence image

    • git reset command rejected as usual.
    • openstack command not rejected as usual.
    opened by gilangvperdana 2
  • Invalid filter .*>(.*)

    Invalid filter .*>(.*)

    What happened: the filter .*>(.*) in fs.yaml file is catch also >> which is also append to file and nut flush the file

    What you expected to happen: the regex should catch only in one >

    bug good first issue 
    opened by kaplanelad 0
Releases(v0.2.6)
Owner
elad
elad
GitHub
☄🌌ī¸ The minimal, blazing-fast, and infinitely customizable prompt for any shell

☄??ī¸ The minimal, blazing-fast, and infinitely customizable prompt for any shell

Starship Command 31.6k Dec 30, 2022
A Python package written in Rust for email verification without sending any emails.

PyRustify PyRustify is a Python package written in Rust that verifies the email addresses. Features Feature Description Syntax validation Checks if th

Mng 8 Apr 16, 2023
A super simple prompt for Fish shell, just shows git info and Vi mode.

vifi is a portmandeau of 'Vi' and 'Fish', because it's a prompt for Fish shell, primarily focused around showing proper indicators when using Vi key bindings.

Mat Jones 1 Sep 15, 2022
A very opinionated, zero-configuration shell prompt

A very opinionated, zero-configuration shell prompt

amy null 8 Nov 4, 2021
Prompt Description Language [POC]

Prompt Description Language (V0.1.1 POC) Description PDL (Prompt Description Language) format provides an extensible way to describe the behavior and

Alex 192 Jun 5, 2023
Solving context limits when working with AI LLM models by implementing a "chunkable" attribute on your prompt structs.

Promptize Promptize attempts to solve the issues with context limits when working with AI systems. It allows a user to add an attribute to their struc

Dan Nelson 5 Jul 18, 2023
Yet Another Kalman Filter Implementation. As well as Lie Theory (Lie group and algebra) on SE(3). [no_std] is supported by default.

yakf - Yet Another Kalman Filter Yet Another Kalman Filter Implementation, as well as, Lie Theory (Lie group, algebra, vector) on SO(3), SE(3), SO(2),

null 7 Dec 1, 2022
Standard Graphics is a command-line tool for printing 2D graphics from any language to any screen.

2D graphics in any programming language with just print statements!

Caleb Winston 123 Nov 20, 2022
zero runtime cost default arguments in rust

Default Arguments in Rust Enables default arguments in rust by macro in zero cost. Just wrap function with default_args! and macro with name of functi

Jaeyong Sung 73 Sep 6, 2022
Patch binary file using IDA signatures and defined replacement bytes in YAML.

fabricbin Patch binary file using IDA signatures and defined replacement bytes in YAML. Install: cargo install --git https://github.com/makindotcc/fab

makin 3 Oct 24, 2023
đŸĻž Rust library of natural language dictionaries using character-wise double-array tries.

?? Crawdad: ChaRActer-Wise Double-Array Dictionary Overview Crawdad is a library of natural language dictionaries using character-wise double-array tr

null 18 Dec 15, 2022
🐎 A fast implementation of the Aho-Corasick algorithm using the compact double-array data structure. (Python wrapper for daachorse)

python-daachorse daachorse is a fast implementation of the Aho-Corasick algorithm using the compact double-array data structure. This is a Python wrap

Koichi Akabe 11 Nov 30, 2022
Count your code by tokens, types of syntax tree nodes, and patterns in the syntax tree. A tokei/scc/cloc alternative.

tcount (pronounced "tee-count") Count your code by tokens, types of syntax tree nodes, and patterns in the syntax tree. Quick Start Simply run tcount

Adam P. Regasz-Rethy 48 Dec 7, 2022
A parser and matcher for route patterns in Rust đŸĻ€

Route Pattern A parser and matcher for a popular way to create route patterns. Patterns like these that include regular expressions, delimited in this

Dotan J. Nahum 3 Nov 24, 2022
A creator library for procedural 2D noises and patterns in Rust.

A curated list of common 2D noises and patterns in computer graphics. Mostly taken from implementations on Shadertoy. All implementations are under th

Markus Moenig 3 Nov 14, 2022
Tooling and library for generation, validation and verification of supply chain metadata documents and frameworks

Spector Spector is both tooling and a library for the generation, validation and verification of supply chain metadata documents and frameworks. Many

Kusari 13 May 4, 2023
omekasy is a command line application that converts alphanumeric characters in your input to various styles defined in Unicode.

omekasy is a command line application that converts alphanumeric characters in your input to various styles defined in Unicode. omekasy means "dress up" in Japanese.

null 105 Nov 16, 2022
Dash is a CLI tool that rapidly sets up new projects by running a series of pre-defined commands.

Dash Dash is a CLI tool that rapidly sets up new projects by running a series of pre-defined commands. Features Quick Initialization: Initialize the c

Kunal Bagaria 4 Nov 7, 2023
Game of life rendered in your terminal with over 500+ unique patterns to choose from.

Controls a: play animation n: next generation s: stop j or down arrow: go down next pattern (note: you have to stop the animation to browse the patter

Omar Magdy 20 Dec 22, 2022