Expand hardcoded agent terminal security rules #48399

Merged
rtfeldman merged 1 commit into main from expand-hardcoded-rm-bans on Feb 4, 2026

Conversation

@rtfeldman (Contributor) commented Feb 4, 2026

Expands the hardcoded security rules that block dangerous rm commands in the agent terminal tool.

Fixes #37343

New blocked patterns

  • rm -rf $HOME / rm -rf $HOME/ / rm -rf ${HOME} / rm -rf ${HOME}/
  • rm -rf . / rm -rf ./
  • rm -rf .. / rm -rf ../
  • rm -rf ~/ (previously only rm -rf ~ was blocked)

Flag handling improvements

  • Simplified the flag character class from [rRfF] to [rf] since the regex is already compiled with case-insensitive mode — less confusing, same behavior.
  • Added tests verifying that reversed flags (-fr), uppercase (RM -RF), split flags (-r -f), and chained commands all get caught.

Safe commands still allowed

Paths like rm -rf ./build, rm -rf ~/Documents, rm -rf $HOME/Documents, rm -rf ../some_dir, and rm -rf .hidden_dir are not blocked.

Release Notes:

  • Auto-block a wider range of agent terminal commands, e.g. rm -rf $HOME in addition to rm -rf ~

- Block rm -rf $HOME, rm -rf ${HOME}, rm -rf ., rm -rf .., and
  trailing-slash variants of all of the above
- Update existing ~ pattern to also block rm -rf ~/
- Simplify flag character classes from [rRfF] to [rf] since the regex
  is already case-insensitive
- Add comprehensive tests for flag ordering (-fr), uppercase (RM -RF),
  split flags (-r -f), and chained commands
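The rule set described in the PR above, as an added worked example that is not Zed's code: Zed's implementation is Rust and its regex is not visible on this page, so the pattern below is rebuilt in Python's `re` from the description alone. It blocks `rm` carrying both an `r` and an `f` short flag against `~`, `$HOME`, `${HOME}`, `.` and `..`, with or without a trailing slash, regardless of flag order (`-fr`), casing (`RM -RF`), splitting (`-r -f`) or position in a chained command line, while letting `./build`, `~/Documents`, `$HOME/Documents`, `../some_dir` and `.hidden_dir` through. It goes one step beyond the PR by tolerating a quote directly before `rm` and around the target, so `bash -c "rm -rf $HOME"` is also caught; that extension, the names `DANGEROUS_RM`, `is_blocked` and `find_blocked`, and the sample command lines are my additions.

```python
import re

# Added example, not Zed's code: the PR's rule set rebuilt as one case-insensitive
# regex. Quote tolerance before `rm` and around the target goes beyond the PR text.
DANGEROUS_RM = re.compile(
    r"""
    (?<![^\s;&|"'])                 # rm starts a word: line start, whitespace, a separator or a quote
    rm \s+
    (?=(?:-\S+\s+)*-[a-z]*r)        # some short-flag group contains r (any position, any case)
    (?=(?:-\S+\s+)*-[a-z]*f)        # some short-flag group contains f
    (?:-\S+\s+)+                    # consume all leading flag groups: -rf, -fr, -r -f, -rfv
    ["']?                           # optional opening quote around the target
    (?-i:(?P<target>~|\$HOME|\$\{HOME\}|\.\.?))   # dangerous targets, matched case-sensitively
    /?                              # optional trailing slash: ~/ $HOME/ ./ ../
    (?=["']?(?:\s|$|[;&|]))         # target must end here, so ./build, ~/Documents, .hidden pass
    """,
    re.IGNORECASE | re.VERBOSE,
)


def find_blocked(command: str) -> list[str]:
    """Return every blocked rm invocation found in a (possibly chained) command line."""
    return [m.group(0) for m in DANGEROUS_RM.finditer(command)]


def is_blocked(command: str) -> bool:
    """True if the agent must not run this command line without human review."""
    return DANGEROUS_RM.search(command) is not None


# Constructed sample command lines, not taken from Zed's test suite.
BLOCKED_SAMPLES = [
    "rm -rf ~", "rm -rf ~/", "rm -rf $HOME", "rm -rf $HOME/",
    "rm -rf ${HOME}", "rm -rf ${HOME}/", "rm -rf .", "rm -rf ./",
    "rm -rf ..", "rm -rf ../",
    "rm -fr ~", "RM -RF ~", "rm -r -f ~", "rm -rfv .",      # flag order, case, splitting, extra flags
    "cd /tmp && rm -rf ~", "echo done; rm -rf $HOME",       # chained commands
    'bash -c "rm -rf $HOME"', "rm -rf '${HOME}/'",          # quoted (extension beyond the PR)
]
ALLOWED_SAMPLES = [
    "rm -rf ./build", "rm -rf ~/Documents", "rm -rf $HOME/Documents",
    "rm -rf ../some_dir", "rm -rf .hidden_dir", "rm -rf $HOMEWORK",
    "ls ~", "rm ~",                                          # no -r/-f at all
]

if __name__ == "__main__":
    for cmd in BLOCKED_SAMPLES + ALLOWED_SAMPLES:
        verdict = "BLOCK" if is_blocked(cmd) else "allow"
        print(f"{verdict:5} {cmd!r:32} {find_blocked(cmd)}")
```

Two caveats a reviewer of such a rule list should keep in mind. First, the example (like the patterns the PR lists) requires both flags, so `rm -r ~` passes, although on a writable home directory it removes the same files and only prompts for write-protected ones. Second, any indirection defeats a textual match: `d=~; rm -rf "$d"`, `rm -rf ~/*`, `find ~ -delete` and `sh -c 'r''m -rf ~'` all pass. A hardcoded pattern list is a guardrail against the obvious accident the linked issue reports, not a sandbox; real containment for an agent terminal comes from per-command confirmation and OS-level restriction of what the agent's shell may touch.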
rtfeldman force-pushed the expand-hardcoded-rm-bans branch from c59fd89 to c581b24 on February 4, 2026 20:41
cla-bot added the cla-signed label on Feb 4, 2026
rtfeldman marked this pull request as ready for review on February 4, 2026 20:41
rtfeldman enabled auto-merge (squash) on February 4, 2026 20:41
rtfeldman merged commit 477bb89 into main on Feb 4, 2026
34 checks passed
rtfeldman deleted the expand-hardcoded-rm-bans branch on February 4, 2026 20:52
adb-sh pushed a commit to adb-sh/zed that referenced this pull request Feb 5, 2026
rtfeldman added a commit that referenced this pull request Feb 5, 2026
naaiyy added a commit to Glass-HQ/Glass that referenced this pull request Feb 16, 2026
Key changes:
- Semantic highlighting support (zed-industries#46356) - major new editor feature
- Edit predictions via Ollama (zed-industries#48233) - local AI edit predictions
- Side-by-side diff: staging/unstaging/restoring on LHS, hunk controls, gutter highlights
- Branch diff fix when committing/changing branches (zed-industries#48388)
- Settings UI: AI tool permissions page (zed-industries#48277)
- Version bump to v0.224 (kept our v0.0.1)
- Close toasts on middle mouse click (zed-industries#48208)
- DAP settings made optional (zed-industries#43647)
- REPL quality of life improvements (zed-industries#47533)
- Mercury accept/reject tracking (zed-industries#48306)
- Toolbar menu and EP menu telemetry (zed-industries#48225, zed-industries#48229)
- lsp::Symbol now includes container_name (zed-industries#46822)
- Nushell/Elvish/Rc always_allow patterns (zed-industries#48395)
- Agent terminal security rules expanded (zed-industries#48399)

Conflict resolution:
- collab/rpc.rs, collab_ui, collab editor_tests: deleted (collab removed)
- vim (yank, replace, test): deleted (vim removed)
- util/shell.rs: deleted (extracted to Obsydian-HQ/gpui)
- GPUI (app.rs, windows/platform.rs, platform_scheduler.rs): deleted (Obsydian)
- editor/items.rs: merged imports (added ExcerptId, ExcerptRange, kept SearchWithinRange)
- lsp_store.rs: added SemanticTokensData import, removed GlobalLogStore/LanguageServerKind
- proto.rs: added SemanticTokens to entity_messages, removed JoinProject/LeaveProject
- lsp_button.rs: kept empty server UI, added is_via_ssh check from upstream
- edit_prediction_button.rs: kept TitleBarItemView import
- vscode_import.rs: added semantic_token_rules, removed helix_mode (not in our struct)
- zed/Cargo.toml: kept v0.0.1

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Development

Linked issue (#37343, per the Fixes line above): AI: CRITICAL SAFETY HOLE, AGENT CAN RUN rm - rf $HOME/ WITHOUT ANY WARNING!