feat: enhance safety manager to block absolute-path deletions in various contexts

Author: haseeb-heaven

libs/safety_manager.py

@@ -62,10 +62,13 @@ class ExecutionSafetyManager:
 
 	DANGEROUS_PATTERNS = [
 		(r"\brm\s+-rf\b", "Recursive deletion is blocked."),
+		(r"\brm\s+/", "Absolute-path deletion is blocked."),
 		(r"\bdel\s+/(?:f|q|s)", "Destructive delete command is blocked."),
+		(r"\bdel\s+[A-Za-z]:(?:\\\\|/)", "Absolute-path deletion is blocked."),
 		(r"\brmdir\s+/(?:s|q)", "Recursive directory removal is blocked."),
 		(r"\brd\s+/s\s+/q\b", "Recursive directory removal is blocked."),
 		(r"Remove-Item\s+.+-Recurse", "Recursive PowerShell deletion is blocked."),
+		(r"Remove-Item\s+[\"'](?:[A-Za-z]:\\\\|/)", "Deleting absolute-path items in PowerShell is blocked."),
 		(r"\bformat\s+[a-z]:", "Disk formatting is blocked."),
 		(r"\bmkfs\b", "Filesystem formatting is blocked."),
 		(r"\bshutdown\b", "System shutdown commands are blocked."),
@@ -75,8 +78,24 @@ class ExecutionSafetyManager:
 		(r"\bcipher\s+/w\b", "Secure wipe commands are blocked."),
 		(r"\bdiskpart\b", "Disk management commands are blocked."),
 		(r"shutil\.rmtree\s*\(", "Recursive directory deletion in code is blocked."),
+		# Block direct absolute-path deletes.
 		(r"os\.remove\s*\(\s*[\"'](?:[A-Za-z]:\\\\|/)", "Deleting absolute-path files is blocked."),
 		(r"os\.rmdir\s*\(\s*[\"'](?:[A-Za-z]:\\\\|/)", "Removing absolute-path directories is blocked."),
+		# Block absolute-path deletes when the path is constructed via os.path.join().
+		(r"os\.remove\s*\(\s*os\.path\.join\s*\(\s*[\"'](?:[A-Za-z]:\\\\|/)", "Deleting absolute-path files is blocked."),
+		(r"os\.rmdir\s*\(\s*os\.path\.join\s*\(\s*[\"'](?:[A-Za-z]:\\\\|/)", "Removing absolute-path directories is blocked."),
+		(r"shutil\.rmtree\s*\(\s*os\.path\.join\s*\(\s*[\"'](?:[A-Za-z]:\\\\|/)", "Recursive directory deletion in code is blocked."),
+		# Catch absolute-path string literals anywhere inside delete function calls.
+		(r"os\.remove\s*\(\s*[^)]*[\"'](?:[A-Za-z]:\\\\|/)", "Deleting absolute-path files is blocked."),
+		(r"os\.rmdir\s*\(\s*[^)]*[\"'](?:[A-Za-z]:\\\\|/)", "Removing absolute-path directories is blocked."),
+		# Node.js filesystem deletions on absolute paths:
+		# In practice we see patterns like:
+		#   const directory = 'D:\\Temp';
+		#   const filePath = path.join(directory, file);
+		#   fs.unlinkSync(filePath);
+		# The absolute path isn't inside unlinkSync(...), so we match both in the same script.
+		(r"(?s)(?=.*fs\.(?:unlinkSync|rmSync))(?=.*[`'\"][A-Za-z]:[\\\\/])", "Deleting absolute-path files is blocked."),
+		(r"(?s)(?=.*fs\.rmdirSync)(?=.*[`'\"][A-Za-z]:[\\\\/])", "Removing absolute-path directories is blocked."),
 		(r"subprocess\.(?:run|Popen)\s*\(.+(?:rm -rf|shutdown|format)", "Dangerous subprocess invocation is blocked."),
 	]
 

tests/test_interpreter.py

@@ -159,6 +159,55 @@ def test_safety_manager_blocks_windows_recursive_delete_alias(self):
         decision = safety_manager.assess_execution('rd /s /q "C:\\Users\\hasee\\Desktop"', "command")
         self.assertFalse(decision.allowed)
 
+    def test_safety_manager_blocks_os_remove_when_building_absolute_path(self):
+        safety_manager = ExecutionSafetyManager()
+        code = r"""
+import os
+for filename in os.listdir('D:\\Temp'):
+    if filename.endswith('.txt'):
+        os.remove(os.path.join('D:\\Temp', filename))
+"""
+        decision = safety_manager.assess_execution(code, "code")
+        self.assertFalse(decision.allowed)
+        self.assertTrue(any("Deleting absolute-path" in r for r in decision.reasons))
+
+    def test_safety_manager_allows_relative_file_delete(self):
+        safety_manager = ExecutionSafetyManager()
+        code = r"import os\nos.remove('temp.txt')"
+        decision = safety_manager.assess_execution(code, "code")
+        self.assertTrue(decision.allowed)
+
+    def test_safety_manager_blocks_absolute_path_del_command(self):
+        safety_manager = ExecutionSafetyManager()
+        decision = safety_manager.assess_execution(r"del D:\\Temp\\a.txt", "command")
+        self.assertFalse(decision.allowed)
+
+    def test_safety_manager_blocks_absolute_path_rm_command(self):
+        safety_manager = ExecutionSafetyManager()
+        decision = safety_manager.assess_execution(r"rm /tmp/a.txt", "command")
+        self.assertFalse(decision.allowed)
+
+    def test_safety_manager_blocks_js_unlink_on_absolute_path_join(self):
+        safety_manager = ExecutionSafetyManager()
+        code = r"""
+const fs = require('fs');
+const path = require('path');
+const directory = 'D:\\Temp';
+const files = fs.readdirSync(directory);
+for (const file of files) {
+  const filePath = path.join(directory, file);
+  fs.unlinkSync(filePath);
+}
+"""
+        decision = safety_manager.assess_execution(code, "code")
+        self.assertFalse(decision.allowed)
+
+    def test_safety_manager_allows_js_unlink_on_relative_path(self):
+        safety_manager = ExecutionSafetyManager()
+        code = r"const fs = require('fs');\nfs.unlinkSync('temp.txt');"
+        decision = safety_manager.assess_execution(code, "code")
+        self.assertTrue(decision.allowed)
+
     @patch("libs.interpreter_lib.Interpreter.initialize_client", return_value=None)
     @patch("libs.utility_manager.UtilityManager.initialize_readline_history", return_value=None)
     def test_simple_exact_print_task_is_simplified(self, _mock_history, _mock_client):