fix(security): close shell denylist bypass vectors

[GoCeylan]

📝 Description

Fixes 5 bypass patterns in the shell command deny list that could allow prompt injection attacks to execute arbitrary commands on the device.

Bypasses closed:

• Dot-sourcing: . evil.sh was not caught (only source keyword was blocked)
• Shell by path: | /bin/bash bypassed | bash check
• Source without .sh: source /etc/profile bypassed the .sh extension
  requirement
• Here-string: bash <<< "cmd" was not caught
• su -c: sudo alternative was not blocked

Adds 13 test cases covering each bypass vector.

🗣️ Type of Change

• 🐞 Bug fix (non-breaking change which fixes an issue)

🤖 AI Code Generation

• 👨‍💻 Mostly Human-written (Human lead, AI assisted or none)

🔗 Related Issue

Security audit finding, no existing issue.

📚 Technical Context (Skip for Docs)

• Reference URL: N/A
• Reasoning: The deny list is the primary guard against arbitrary shell execution triggered by prompt injection from external chat channels. Since the codebase is public, attackers can read the exact regex patterns and craft inputs that evade them.

🧪 Test Environment

• Hardware: MacBook (Apple Silicon)
• OS: macOS (Darwin 23.3.0)
• Model/Provider: N/A
• Channels: N/A

📸 Evidence (Optional)

13 new subtests in TestShellTool_DenylistBypasses covering each vector.
Run with: go test ./pkg/tools/ -run TestShellTool_DenylistBypasses -v

☑️ Checklist

• My code/docs follow the style of this project.
• I have performed a self-review of my own changes.
• I have updated the documentation accordingly.

[sky5454]

I think these regular expression should be compiled in a list of text instead of changing the code all the time

[blib]

Regex guards are trivially bypassable. Variable indirection (x=rm; $x -rf /), command substitution (`echo rm` -rf /), quoting tricks, IFS manipulation, hex/octal encoding, and Unicode escapes all evade string-level pattern matching. The guard operates on surface syntax, not semantics.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[GoCeylan]

Regex guards are trivially bypassable. Variable indirection (x=rm; $x -rf /), command substitution (`echo rm` -rf /), quoting tricks, IFS manipulation, hex/octal encoding, and Unicode escapes all evade string-level pattern matching. The guard operates on surface syntax, not semantics.

Regex guards are trivially bypassable. Variable indirection (x=rm; $x -rf /), command substitution (`echo rm` -rf /), quoting tricks, IFS manipulation, hex/octal encoding, and Unicode escapes all evade string-level pattern matching. The guard operates on surface syntax, not semantics.

Hey @blib you are technically correct, this solution is good as a stop gap. Your PR is the long-term fix, the tradeoff is complexity; it is 2500 lines and a new dependancy.

For now let's implement @sky5454 's suggestion of gathering to a txt file, then proceed with refining your PR.

[GoCeylan]

@sky5454 regex denylist now lives in a standalone text file.
All merge conflicts are resolved.

[sky5454]

It is recommended that you include the parsing of TXT, which is helpful for CI

[sky5454]

This encapsulates the regular expression, and the error printing is moved to the compiler egexpatterns function. Good

[GoCeylan]

@sky5454 Added TestDefaultDenyPatternsTxt in e98a491. It reads defaultDenyPatternsText (the embedded file), parses it via parsePatternLines, and compiles every pattern via compileRegexPatterns, failing fast if any regex is invalid. CI will now catch syntax errors introduced directly in default_deny_patterns.txt.

[sky5454]

REVIEWED OK

[sipeed-bot]

@GoCeylan Hi! This PR has had no activity for over 2 weeks, so I'm closing it for now to keep things organized. Feel free to reopen anytime if you'd like to continue.