go-agent/security.go

package agent

import (
	"context"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

var safeNameRegex = regexp.MustCompile(`^[a-zA-Z0-9\-\_\.]+$`)

// SanitizePath ensures a filename or directory name is safe and prevents path traversal.
// Returns filepath.Base of the input after validation.
func SanitizePath(input string) (string, error) {
	base := filepath.Base(input)
	if !safeNameRegex.MatchString(base) {
		return "", fmt.Errorf("agentci.SanitizePath: invalid characters in path element: %s", input)
	}
	if base == "." || base == ".." || base == "/" {
		return "", fmt.Errorf("agentci.SanitizePath: invalid path element: %s", base)
	}
	return base, nil
}

// EscapeShellArg wraps a string in single quotes for safe remote shell insertion.
// Prefer exec.Command arguments over constructing shell strings where possible.
func EscapeShellArg(arg string) string {
	return "'" + strings.ReplaceAll(arg, "'", "'\\''") + "'"
}

// SecureSSHCommand creates an SSH exec.Cmd with strict host key checking and batch mode.
// Deprecated: Use SecureSSHCommandContext for context-aware cancellation.
func SecureSSHCommand(host string, remoteCmd string) *exec.Cmd {
	return SecureSSHCommandContext(context.Background(), host, remoteCmd)
}

// SecureSSHCommandContext creates an SSH exec.Cmd with context support for cancellation,
// strict host key checking, and batch mode.
func SecureSSHCommandContext(ctx context.Context, host string, remoteCmd string) *exec.Cmd {
	return exec.CommandContext(ctx, "ssh",
		"-o", "StrictHostKeyChecking=yes",
		"-o", "BatchMode=yes",
		"-o", "ConnectTimeout=10",
		host,
		remoteCmd,
	)
}

// MaskToken returns a masked version of a token for safe logging.
func MaskToken(token string) string {
	if len(token) < 8 {
		return "*****"
	}
	return token[:4] + "****" + token[len(token)-4:]
}
feat: initial go-agent — agentci + jobrunner + plugins marketplace Consolidates three codebases into a single agent orchestration repo: - agentci (from go-scm): Clotho dual-run verification, agent config, SSH security (sanitisation, secure commands, token masking) - jobrunner (from go-scm): Poll-dispatch-report pipeline with 7 handlers (dispatch, completion, auto-merge, publish draft, dismiss reviews, send fix command, tick parent epic) - plugins marketplace (from agentic/plugins): 27 Claude/Codex/Gemini plugins with shared MCP server All 150+ tests passing across 6 packages. Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-21 15:47:19 +00:00			`package agent`

			`import (`
			`"context"`
			`"fmt"`
			`"os/exec"`
			`"path/filepath"`
			`"regexp"`
			`"strings"`
			`)`

			var safeNameRegex = regexp.MustCompile(`^[a-zA-Z0-9\-\_\.]+$`)

			`// SanitizePath ensures a filename or directory name is safe and prevents path traversal.`
			`// Returns filepath.Base of the input after validation.`
			`func SanitizePath(input string) (string, error) {`
			`base := filepath.Base(input)`
			`if !safeNameRegex.MatchString(base) {`
			`return "", fmt.Errorf("agentci.SanitizePath: invalid characters in path element: %s", input)`
			`}`
			`if base == "." \|\| base == ".." \|\| base == "/" {`
			`return "", fmt.Errorf("agentci.SanitizePath: invalid path element: %s", base)`
			`}`
			`return base, nil`
			`}`

			`// EscapeShellArg wraps a string in single quotes for safe remote shell insertion.`
			`// Prefer exec.Command arguments over constructing shell strings where possible.`
			`func EscapeShellArg(arg string) string {`
			`return "'" + strings.ReplaceAll(arg, "'", "'\\''") + "'"`
			`}`

			`// SecureSSHCommand creates an SSH exec.Cmd with strict host key checking and batch mode.`
			`// Deprecated: Use SecureSSHCommandContext for context-aware cancellation.`
			`func SecureSSHCommand(host string, remoteCmd string) *exec.Cmd {`
			`return SecureSSHCommandContext(context.Background(), host, remoteCmd)`
			`}`

			`// SecureSSHCommandContext creates an SSH exec.Cmd with context support for cancellation,`
			`// strict host key checking, and batch mode.`
			`func SecureSSHCommandContext(ctx context.Context, host string, remoteCmd string) *exec.Cmd {`
			`return exec.CommandContext(ctx, "ssh",`
			`"-o", "StrictHostKeyChecking=yes",`
			`"-o", "BatchMode=yes",`
			`"-o", "ConnectTimeout=10",`
			`host,`
			`remoteCmd,`
			`)`
			`}`

			`// MaskToken returns a masked version of a token for safe logging.`
			`func MaskToken(token string) string {`
			`if len(token) < 8 {`
			`return "*****"`
			`}`
			`return token[:4] + "****" + token[len(token)-4:]`
			`}`