Shellfirm - Intercept any risky patterns (default or defined by you) and prompt you a small challenge for double verification

elad

Last update: Dec 29, 2022

Overview

shellfirm

Opppppsss you did it again? 😱 😱 😰

Protect yourself from yourself!

rm -rf *
git reset --hard before saving?
kubectl delete ns which going to delete all resources under this namespace?
And more!

Do you want to learn from people that made those mistakes??

shellfirm will intercept any risky patterns (default or defined by you) and prompt you a small challenge for double verification, kinda like a captcha for your terminal.

$ rm -rf /
#######################
# RISKY COMMAND FOUND #
#######################
* You are going to delete everything in the path.

Solve the challenge: 8 + 0 = ? (^C to cancel)

How it works?

shellfirm evaluate all shell command behind the scene. If a risky pattern is detected, you will get a prompt with a warning and double verification will requests.

Example

Installation

Install via brew

brew tap kaplanelad/tap && brew install shellfirm

Download zsh plugin:

curl https://raw.githubusercontent.com/kaplanelad/shellfirm/main/shellfirm.plugin.zsh --create-dirs -o ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/shellfirm/shellfirm.plugin.zsh

Finally, add the shellfirm as the plugin in your .zshrc file as:

plugins=(... shellfirm)

Risky command:

Group	Path	Enable By Default
`base`	base.yaml	`true`
`git`	git.yaml	`true`
`fs`	fs.yaml	`true`
`kubernetes`	kubernetes.yaml	`false` `shellfirm config update --check-group kubernetes`

After installing shellfirm tool the config stored in the path: ~/.shellfirm/config.yaml

You can always manage your out risky command:

Checks examples:

challenge: Math # Math, Enter, Yes

includes: 
  - base
  - fs
  - git

checks:
  - is: git reset
    method: Contains
    enable: true
    description: "This command going to reset all your local changes."
    from: git
  - is: "rm.+(-r|-f|-rf|-fr)*"
    method: Regex
    enable: true
    description: "You are going to delete everything in the path."
    from: fs
  - is: ">.+/dev/sda"
    method: Regex
    enable: true
    description: "Writing the data directly to the hard disk drive and damaging your file system."
    from: fs
  - is: "mv+.*/dev/null"
    method: Regex
    enable: true
    description: "The files will be discarded and destroyed."
    from: fs

ℹ️ to define custom check (that not include int the shillfirm check) add new check to config.yaml file with from: custom.

  - is: "special check"
    method: Regex
    enable: true
    description: "Example of custom check."
    from: custom

Add new group checks:

$ shellfirm config update --check-group {group} {group}

Remove new group checks:

$ shellfirm config update --check-group {group} {group} --remove

Disable specific check

Edit configuration file in ~/.shellfirm/config.yaml and change the check to enable:false.

Change challenge

currently we supporting 3 different challenges when a command is detected:

Math - Default challenge which requires you to solve a math question.
Enter - Requite only Enter to continue.
Yes - Requite yes to continue.

You can change the default challenge by running the command:

$ shellfirm config challenge --challenge Math

At any time you can exit with the challenge by ^C

Updates

Update shellfirm:

$ brew upgrade shellfirm

Add new check group or override configuration with new checks

Contributing

See the contributing directory for more developer documentation.

Comments

Make `$XDG_CONFIG_HOME/shellfirm/` the default config path

Proposal

Make $XDG_CONFIG_HOME/shellfirm/ the default path for all configuration, in accordance with XDG dir spec and to prevent clutter of $HOME dir.

Alternatively, allow user to set the path explicitly (with an env variable, for example).

Also, thank you for the project!

opened by roadkell 24
Restrict command at all
Proposal

Hi Elad, thanks for your good work. Can you add a feature to restrict commands at all? looks like it would be very good if the feature was held.
Very Thanks!

Use-cases

Admin set command which is restricted in /.shellfirm/config.yaml

The user cannot execute the command in /.shellfirm/config.yaml at all.

Expected Beahviour

User can't run command at all if command is on the list of /.shellfirm/config.yaml

Actual Behaviour

The user can still run the command if the user succeeds in winning the challenge.
opened by gilangvperdana 9
Terraform
List of possible risky patterns:

terraform apply - with flag -auto-approve

terraform force-unlock - with flag -force

terraform state mv - without dryrun flag https://www.terraform.io/cli/commands/state/mv

terraform state replace-provider - with -auto-approve

terraform state rm - without -dry-run

terraform workspace delete - with -force

good first issue risky command
opened by kaplanelad 6
Zsh installation instructions without Oh My Zsh

Proposal

Please add installation instructions for Zsh without using Oh My Zsh

Use-cases

People using Zsh without Oh My Zsh

Attempted Solutions

Pasting shellfirm.plugin.zsh to .zshrc
documentation

opened by igorkulman 6
Add check for crontab -r

Please add a check for:

crontab -r

The above command is risky because it'll remove the user's entire crontab of scheduled tasks. Since users typically would want to edit their crontab using the -e option, an accidental keypress of neighbouring -r would be disastrous. Yes, an alias to include the -i (interactive) option could be set to at least first prompt the user before its removal, but users typically only learn about this option once the damage is already done.
risky command

opened by warrenski 4
Customize deny pattern still can be executed
Shellfirm version:

What happened: Tried to customize the denied command, but it didn't work.

What you expected to happen: what I think, shellfirm can customize commands that can be denied in addition to the default commands like in the shellfirm/checks directory. But it doesn't work well at my place

How to reproduce it (as minimally and precisely as possible):

I declared the command I want to deny in .shellfirm/settings.yaml in the line deny_patterns_ids & includes

I did a shellfirm config challenge

I've seen my pattern customization already entered there

but after I tried the command, it still works in other words it is not restricted by shellfirm. Unlike the default commands that shellfirm give such as git reset etc.

Anything else we need to know?:

we all know that this app has big vision and i already feel it

I am very happy that you build an application like this, it is very useful in my opinion

Thanks @kaplanelad

OS:

Ubuntu 20.04LTS Server

Evidence

git reset command rejected as usual.

openstack command not rejected as usual.
opened by gilangvperdana 2
Invalid filter .*>(.*)

What happened: the filter .*>(.*) in fs.yaml file is catch also >> which is also append to file and nut flush the file

What you expected to happen: the regex should catch only in one >
bug good first issue

opened by kaplanelad 0

Releases(v0.2.6)

Owner

elad

GitHub

☄🌌️ The minimal, blazing-fast, and infinitely customizable prompt for any shell

☄??️ The minimal, blazing-fast, and infinitely customizable prompt for any shell

31.6k Dec 30, 2022

A Python package written in Rust for email verification without sending any emails.

PyRustify PyRustify is a Python package written in Rust that verifies the email addresses. Features Feature Description Syntax validation Checks if th

8 Apr 16, 2023

A super simple prompt for Fish shell, just shows git info and Vi mode.

vifi is a portmandeau of 'Vi' and 'Fish', because it's a prompt for Fish shell, primarily focused around showing proper indicators when using Vi key bindings.

1 Sep 15, 2022

A very opinionated, zero-configuration shell prompt

8 Nov 4, 2021

Prompt Description Language [POC]

Prompt Description Language (V0.1.1 POC) Description PDL (Prompt Description Language) format provides an extensible way to describe the behavior and

192 Jun 5, 2023

Solving context limits when working with AI LLM models by implementing a "chunkable" attribute on your prompt structs.

Promptize Promptize attempts to solve the issues with context limits when working with AI systems. It allows a user to add an attribute to their struc

5 Jul 18, 2023

Standard Graphics is a command-line tool for printing 2D graphics from any language to any screen.

2D graphics in any programming language with just print statements!

123 Nov 20, 2022

Yet Another Kalman Filter Implementation. As well as Lie Theory (Lie group and algebra) on SE(3). [no_std] is supported by default.

yakf - Yet Another Kalman Filter Yet Another Kalman Filter Implementation, as well as, Lie Theory (Lie group, algebra, vector) on SO(3), SE(3), SO(2),

7 Dec 1, 2022

Patch binary file using IDA signatures and defined replacement bytes in YAML.

fabricbin Patch binary file using IDA signatures and defined replacement bytes in YAML. Install: cargo install --git https://github.com/makindotcc/fab

3 Oct 24, 2023

zero runtime cost default arguments in rust

Default Arguments in Rust Enables default arguments in rust by macro in zero cost. Just wrap function with default_args! and macro with name of functi

73 Sep 6, 2022

Count your code by tokens, types of syntax tree nodes, and patterns in the syntax tree. A tokei/scc/cloc alternative.

tcount (pronounced "tee-count") Count your code by tokens, types of syntax tree nodes, and patterns in the syntax tree. Quick Start Simply run tcount

48 Dec 7, 2022

A parser and matcher for route patterns in Rust 🦀

Route Pattern A parser and matcher for a popular way to create route patterns. Patterns like these that include regular expressions, delimited in this

3 Nov 24, 2022

A creator library for procedural 2D noises and patterns in Rust.

A curated list of common 2D noises and patterns in computer graphics. Mostly taken from implementations on Shadertoy. All implementations are under th

3 Nov 14, 2022

🦞 Rust library of natural language dictionaries using character-wise double-array tries.

?? Crawdad: ChaRActer-Wise Double-Array Dictionary Overview Crawdad is a library of natural language dictionaries using character-wise double-array tr

18 Dec 15, 2022

omekasy is a command line application that converts alphanumeric characters in your input to various styles defined in Unicode.

omekasy is a command line application that converts alphanumeric characters in your input to various styles defined in Unicode. omekasy means "dress up" in Japanese.

105 Nov 16, 2022

🐎 A fast implementation of the Aho-Corasick algorithm using the compact double-array data structure. (Python wrapper for daachorse)

python-daachorse daachorse is a fast implementation of the Aho-Corasick algorithm using the compact double-array data structure. This is a Python wrap

11 Nov 30, 2022

Shellfirm - Intercept any risky patterns (default or defined by you) and prompt you a small challenge for double verification

Related tags

Overview

shellfirm

Opppppsss you did it again? 😱 😱 😰

How it works?

Example

Installation

Risky command:

Checks examples:

Add new group checks:

Remove new group checks:

Disable specific check

Change challenge

Updates

Contributing

Comments

Make `$XDG_CONFIG_HOME/shellfirm/` the default config path

Proposal

Restrict command at all

Proposal

Use-cases

Expected Beahviour

Actual Behaviour

Terraform

Zsh installation instructions without Oh My Zsh

Proposal

Use-cases

Attempted Solutions

Add check for crontab -r

Customize deny pattern still can be executed

Invalid filter .*>(.*)

Releases(v0.2.6)

v0.2.6(Nov 1, 2022)

v0.2.5(Oct 28, 2022)

v0.2.4(Aug 2, 2022)

v0.2.3(Aug 2, 2022)

v0.2.2(Jul 31, 2022)

v0.2.1(Jul 31, 2022)

v0.2.0(Jul 31, 2022)

v0.1.6(Mar 26, 2022)

v0.1.5(Mar 26, 2022)

v0.1.4(Jan 12, 2022)

v0.1.3(Jan 8, 2022)

v0.1.2(Jan 4, 2022)

v0.1.1(Jan 3, 2022)

v0.1.0(Jan 2, 2022)

Owner

elad

☄🌌️ The minimal, blazing-fast, and infinitely customizable prompt for any shell

A Python package written in Rust for email verification without sending any emails.

A super simple prompt for Fish shell, just shows git info and Vi mode.

A very opinionated, zero-configuration shell prompt

Prompt Description Language [POC]

Solving context limits when working with AI LLM models by implementing a "chunkable" attribute on your prompt structs.

Standard Graphics is a command-line tool for printing 2D graphics from any language to any screen.

Yet Another Kalman Filter Implementation. As well as Lie Theory (Lie group and algebra) on SE(3). [no_std] is supported by default.

Patch binary file using IDA signatures and defined replacement bytes in YAML.

zero runtime cost default arguments in rust

Count your code by tokens, types of syntax tree nodes, and patterns in the syntax tree. A tokei/scc/cloc alternative.

A parser and matcher for route patterns in Rust 🦀

A creator library for procedural 2D noises and patterns in Rust.

🦞 Rust library of natural language dictionaries using character-wise double-array tries.

omekasy is a command line application that converts alphanumeric characters in your input to various styles defined in Unicode.

🐎 A fast implementation of the Aho-Corasick algorithm using the compact double-array data structure. (Python wrapper for daachorse)

Dash is a CLI tool that rapidly sets up new projects by running a series of pre-defined commands.

Tooling and library for generation, validation and verification of supply chain metadata documents and frameworks

Game of life rendered in your terminal with over 500+ unique patterns to choose from.

Invalid filter .>(.)