From 2a16c562a8c06352f10ad17b66dde799e486d2bf Mon Sep 17 00:00:00 2001 From: OrbisAI Security Date: Fri, 5 Jun 2026 11:36:22 +0530 Subject: [PATCH] fix(bash): narrow credential-file block to ~/.cow/.env only Replace the broad `~/.cow` directory check with a regex that matches only the credential file path (`\.cow[/\\]\.env`), so legitimate access to other `~/.cow/` subdirectories (e.g. skills) is no longer blocked. Drop the incomplete env/printenv blocking rule per reviewer feedback. Rewrite test_invariant_bash.py to use the correct Bash().execute() API and cover both the blocked and allowed cases. Co-Authored-By: Claude Sonnet 4.6 --- agent/tools/bash/bash.py | 4 ++-- tests/test_invariant_bash.py | 24 ++++++++++++++++++++++++ 2 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 tests/test_invariant_bash.py diff --git a/agent/tools/bash/bash.py b/agent/tools/bash/bash.py index 890cf046..5e02832e 100644 --- a/agent/tools/bash/bash.py +++ b/agent/tools/bash/bash.py @@ -69,8 +69,8 @@ SAFETY: if not command: return ToolResult.fail("Error: command parameter is required") - # Security check: Prevent accessing sensitive config files - if "~/.cow/.env" in command or "~/.cow" in command: + # Security check: Prevent direct access to the credential file + if re.search(r'\.cow[/\\]\.env', command): return ToolResult.fail( "Error: Access denied. API keys and credentials must be accessed through the env_config tool only." ) diff --git a/tests/test_invariant_bash.py b/tests/test_invariant_bash.py new file mode 100644 index 00000000..776f33cf --- /dev/null +++ b/tests/test_invariant_bash.py @@ -0,0 +1,24 @@ +import pytest +from agent.tools.bash.bash import Bash + + +@pytest.mark.parametrize("command", [ + "cat ~/.cow/.env", + "cat .cow/.env", + "less ~/.cow/.env", + "cat /home/user/.cow/.env", +]) +def test_credential_file_access_is_blocked(command): + result = Bash().execute({"command": command}) + assert result.status == "error", f"Expected blocked result for: {command}" + assert "Access denied" in str(result.result) + + +@pytest.mark.parametrize("command", [ + "ls ~/.cow/skills", + "ls ~/.cow/", + "echo hello", +]) +def test_legitimate_cow_directory_access_is_not_blocked(command): + result = Bash().execute({"command": command}) + assert "Access denied" not in str(result.result)