Allow shell output redirections to /tmp/ in plan/explorer agents instead of denying them

ericdallo · ericdallo · commit b909df67dba4 · 2026-03-18T15:09:36.000-03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@
 - Improve MCP error logging to show error code, message, and data instead of null.
 - Improve error handling when MCP promtps fail on server side.
 - Use rewrite-json to edit jsons without losing formatting.
+- Allow shell output redirections to `/tmp/` in plan/explorer agents instead of denying them.
 
 ## 0.115.1
 
diff --git a/src/eca/config.clj b/src/eca/config.clj
@@ -42,14 +42,14 @@
 (defn get-property [property] (System/getProperty property))
 
 (def ^:private dangerous-commands-regexes
-  [".*[12&]?>>?\\s*(?!/dev/null($|\\s))(?!&\\d+($|\\s))\\S+.*"
-   ".*\\|\\s*(tee|dd|xargs).*",
-   ".*\\b(sed|awk|perl)\\s+.*-i.*",
-   ".*\\b(rm|mv|cp|touch|mkdir)\\b.*",
-   ".*git\\s+(add|commit|push).*",
-   ".*npm\\s+install.*",
-   ".*-c\\s+[\"'].*open.*[\"']w[\"'].*",
-   ".*bash.*-c.*[12&]?>>?\\s*(?!/dev/null($|\\s))(?!&\\d+($|\\s))\\S+.*"])
+  [".*[12&]?>>?\\s*(?!/dev/null($|\\s))(?!/tmp/\\S*($|\\s))(?!&\\d+($|\\s))(?!>)\\S+.*" ;; output redirection (except /dev/null and /tmp/)
+   ".*\\|\\s*(tee|dd|xargs).*",                                                          ;; pipe to tee/dd/xargs
+   ".*\\b(sed|awk|perl)\\s+.*-i.*",                                                      ;; in-place editing
+   ".*\\b(rm|mv|cp|touch|mkdir)\\b.*",                                                   ;; file mutation commands
+   ".*git\\s+(add|commit|push).*",                                                       ;; git write ops
+   ".*npm\\s+install.*",                                                                 ;; npm install
+   ".*-c\\s+[\"'].*open.*[\"']w[\"'].*",                                                 ;; python open(...,'w')
+   ".*bash.*-c.*[12&]?>>?\\s*(?!/dev/null($|\\s))(?!/tmp/\\S*($|\\s))(?!&\\d+($|\\s))(?!>)\\S+.*"])
 
 (def ^:private openai-variants
   {"none" {:reasoning {:effort "none"}}
diff --git a/test/eca/features/tools_test.clj b/test/eca/features/tools_test.clj
@@ -324,6 +324,17 @@
         "date"
         "env"))
 
+    (testing "redirections to /tmp/ are not denied in plan mode"
+      (are [command] (not= :deny
+                           (f.tools/approval all-tools shell-tool
+                                             {"command" command} {} config "plan"))
+        "gh api repos/editor-code-assistant/eca-emacs/contents/eca-chat.el --jq '.content' 2>/dev/null | base64 -d 2>/dev/null > /tmp/eca-chat.el && wc -l /tmp/eca-chat.el"
+        "echo test > /tmp/output.txt"
+        "cat file.txt > /tmp/result.log"
+        "ls -la >> /tmp/listing.txt"
+        "some-cmd 2> /tmp/errors.log"
+        "bash -c 'echo test > /tmp/file.txt'"))
+
     (testing "same commands work fine in code agent mode (not denied)"
       (are [command] (not= :deny
                            (f.tools/approval all-tools shell-tool
