Package org.machanism.machai.ai.tools

Class CommandSecurityChecker

java.lang.Object
org.machanism.machai.ai.tools.CommandSecurityChecker
public class CommandSecurityChecker extends Object
Loads and evaluates command deny-list rules used by host-side command execution tools.

The checker reads one or more rule resources and evaluates an input command line against those rules. Each non-empty, non-comment line of a deny-list file must use one of the following formats:

  • REGEX:... – a Java regular expression; a match anywhere in the command is considered dangerous
  • KEYWORD:... – a case-insensitive substring match

This class provides a best-effort heuristic check. It should be used in addition to an allow-list and other host security controls.

  • Constructor Details

    • CommandSecurityChecker

      public CommandSecurityChecker(Configurator configurator) throws IOException
      Creates a new checker and loads deny-list rules from an operating-system specific classpath resource.

      The following resources are expected to exist on the classpath:

      • denylist/windows.txt when running on Windows
      • denylist/unix.txt when running on a Unix-like OS

      In addition, the host may provide DENYLIST_PROP_NAME to extend or override the default deny-list.

      Parameters:
      configurator - configurator used to optionally extend the deny-list
      Throws:
      IOException - if the selected resource cannot be found or read
      IllegalArgumentException - if no deny-list is defined for the current operating system

  • Method Details

    • denyCheck

      public void denyCheck(String command) throws DenyException
      Checks whether the supplied command matches any deny-list rule.

      If the command matches a rule, a DenyException is thrown containing a message identifying the matched rule.

      Parameters:
      command - shell command to check
      Throws:
      DenyException - if the command matches a deny-list rule