Add tool security rules that can't be overridden by settings#48209
Merged
Add tool security rules that can't be overridden by settings#48209
Conversation
Contributor
a979d5b to
d28a2d2
Compare
d28a2d2 to
c6521a5
Compare
This change introduces hardcoded security rules for the terminal tool that cannot be bypassed by any setting, including `always_allow_tool_actions`. Currently blocked commands: - `rm -rf /` - Recursive deletion of root filesystem - `rm -rf ~` - Recursive deletion of home directory These rules are checked BEFORE the `always_allow_tool_actions` global flag, ensuring they can never be bypassed. The rules also check parsed sub-commands, so `ls && rm -rf /` is also blocked. Key changes: - `HARDCODED_SECURITY_RULES` static contains non-overridable patterns - `check_hardcoded_security_rules()` runs before any user settings - Tests updated to use non-blocked commands where appropriate - New tests verify hardcoded rules cannot be bypassed
c6521a5 to
f62f78a
Compare
9422c01 to
c3ae971
Compare
rtfeldman
added a commit
that referenced
this pull request
Feb 3, 2026
Follow-up to #48209 - those hardcoded rules are replacing these default settings, which will make the rules clearer by removing the "override" scenario. (No release notes because granular tool permissions are still behind a feature flag.) Release Notes: - N/A
|
So |
Contributor
|
The |
adb-sh
pushed a commit
to adb-sh/zed
that referenced
this pull request
Feb 5, 2026
…ustries#48209) This change introduces hardcoded security rules for the terminal tool that cannot be bypassed by any setting, including `always_allow_tool_actions`. ## Currently Blocked Commands - `rm -rf /` - Recursive deletion of root filesystem - `rm -rf ~` - Recursive deletion of home directory These rules are checked **before** the `always_allow_tool_actions` global flag, ensuring they can never be bypassed. The rules also check parsed sub-commands, so `ls && rm -rf /` is also blocked. Release Notes: - Certain known-bad tool uses are now automatically blocked, such as the terminal tool attempting to run `rm -rf /` or `rm -rf ~`
adb-sh
pushed a commit
to adb-sh/zed
that referenced
this pull request
Feb 5, 2026
Follow-up to zed-industries#48209 - those hardcoded rules are replacing these default settings, which will make the rules clearer by removing the "override" scenario. (No release notes because granular tool permissions are still behind a feature flag.) Release Notes: - N/A
rtfeldman
added a commit
that referenced
this pull request
Feb 5, 2026
Follow-up to #48209 - those hardcoded rules are replacing these default settings, which will make the rules clearer by removing the "override" scenario. (No release notes because granular tool permissions are still behind a feature flag.) Release Notes: - N/A
Contributor
Author
naaiyy
added a commit
to Glass-HQ/Glass
that referenced
this pull request
Feb 16, 2026
Key changes: - Reduce monomorphizations in GPUI app.rs (zed-industries#48014) - Entities no longer implement Element directly, go through AnyElement (zed-industries#48217) - D3D11 resource upload optimization (zed-industries#48282) - Migrate features.edit_prediction_provider to edit_predictions.provider (zed-industries#48224) - Make mercury and sweep non-experimental (zed-industries#48227) - CompanionView consolidation in block_map (zed-industries#48223) - Show memory used by language servers (zed-industries#48226) - Settings links open sub pages (zed-industries#48212) - Tool security rules that can't be overridden (zed-industries#48209) - Add sweep_ai privacy mode setting (zed-industries#48220) - Configurable REPL output size limits (zed-industries#47114) - Fix .editorconfig files in subdirectories (zed-industries#48203) - Security updates: bytes v1.11.1, jsonwebtoken v10 - Git UI: hide "View on GitHub" for stashes (zed-industries#48271) - Indent guide fix in tree view with collapsed folders (zed-industries#48194) - Edit prediction fixes and improvements Conflict resolution: - collab/completion.rs, collab/rpc.rs: deleted (collab removed) - vim/search.rs: deleted (vim removed) - livekit_api/Cargo.toml: deleted (livekit removed) - GPUI files: deleted from Glass (handled in Obsydian-HQ/gpui) - migrations: combined both ours (m_2026_02_06) and upstream (m_2026_02_02, m_2026_02_03) - project.rs: kept collab functions removed, restored handle_create_file_for_peer for remote dev - lsp_store.rs: removed collab-only set_language_server_statuses_from_proto - proto.rs: kept CreateFileForPeer, removed CreateChannel/CreateChannelResponse - remote_servers.rs: merged import lists (kept native button imports + added Action) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This change introduces hardcoded security rules for the terminal tool that cannot be bypassed by any setting, including
always_allow_tool_actions.Currently Blocked Commands
rm -rf /- Recursive deletion of root filesystemrm -rf ~- Recursive deletion of home directoryThese rules are checked before the
always_allow_tool_actionsglobal flag, ensuring they can never be bypassed. The rules also check parsed sub-commands, sols && rm -rf /is also blocked.Release Notes:
rm -rf /orrm -rf ~