aljaz/goose
1
0
Fork 0
mirror of https://github.com/aljazceru/goose.git synced 2025-12-19 15:14:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

revert: check is_command_allowed for allowlisted extensions (#2244)

Browse Source
This commit is contained in:
Salman Mohammed
2025-04-17 13:34:25 -04:00
committed by GitHub
parent a1fe3bcbf1
commit 2b3ff8e020
1 changed files with 17 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
crates/goose-server/src/routes/extension.rs
View File

@@ -214,17 +214,17 @@ async fn add_extension(
env_keys, env_keys,
timeout, timeout,
} => { } => {
// Check allowlist for Stdio extensions // TODO: We can uncomment once bugs are fixed. Check allowlist for Stdio extensions
if !is_command_allowed(&cmd, &args) { // if !is_command_allowed(&cmd, &args) {
return Ok(Json(ExtensionResponse { // return Ok(Json(ExtensionResponse {
error: true, // error: true,
message: Some(format!( // message: Some(format!(
"Extension '{}' is not in the allowed extensions list. Command: '{} {}'. If you require access please ask your administrator to update the allowlist.", // "Extension '{}' is not in the allowed extensions list. Command: '{} {}'. If you require access please ask your administrator to update the allowlist.",
args.join(" "), // args.join(" "),
cmd, args.join(" ") // cmd, args.join(" ")
)), // )),
})); // }));
} // }
let mut env_map = HashMap::new(); let mut env_map = HashMap::new();
for key in env_keys { for key in env_keys {
@@ -342,6 +342,7 @@ pub fn routes(state: AppState) -> Router {
/// Structure representing the allowed extensions from the YAML file /// Structure representing the allowed extensions from the YAML file
#[derive(Deserialize, Debug, Clone)] #[derive(Deserialize, Debug, Clone)]
struct AllowedExtensions { struct AllowedExtensions {
#[allow(dead_code)]
extensions: Vec<ExtensionAllowlistEntry>, extensions: Vec<ExtensionAllowlistEntry>,
} }
@@ -350,13 +351,16 @@ struct AllowedExtensions {
struct ExtensionAllowlistEntry { struct ExtensionAllowlistEntry {
#[allow(dead_code)] #[allow(dead_code)]
id: String, id: String,
#[allow(dead_code)]
command: String, command: String,
} }
// Global cache for the allowed extensions // Global cache for the allowed extensions
#[allow(dead_code)]
static ALLOWED_EXTENSIONS: OnceLock<Option<AllowedExtensions>> = OnceLock::new(); static ALLOWED_EXTENSIONS: OnceLock<Option<AllowedExtensions>> = OnceLock::new();
/// Fetches and parses the allowed extensions from the URL specified in GOOSE_ALLOWLIST env var /// Fetches and parses the allowed extensions from the URL specified in GOOSE_ALLOWLIST env var
#[allow(dead_code)]
fn fetch_allowed_extensions() -> Option<AllowedExtensions> { fn fetch_allowed_extensions() -> Option<AllowedExtensions> {
match env::var("GOOSE_ALLOWLIST") { match env::var("GOOSE_ALLOWLIST") {
Err(_) => { Err(_) => {
@@ -390,11 +394,13 @@ fn fetch_allowed_extensions() -> Option<AllowedExtensions> {
} }
/// Gets the cached allowed extensions or fetches them if not yet cached /// Gets the cached allowed extensions or fetches them if not yet cached
#[allow(dead_code)]
fn get_allowed_extensions() -> &'static Option<AllowedExtensions> { fn get_allowed_extensions() -> &'static Option<AllowedExtensions> {
ALLOWED_EXTENSIONS.get_or_init(fetch_allowed_extensions) ALLOWED_EXTENSIONS.get_or_init(fetch_allowed_extensions)
} }
/// Checks if a command is allowed based on the allowlist /// Checks if a command is allowed based on the allowlist
#[allow(dead_code)]
fn is_command_allowed(cmd: &str, args: &[String]) -> bool { fn is_command_allowed(cmd: &str, args: &[String]) -> bool {
// Check if bypass is enabled // Check if bypass is enabled
if let Ok(bypass_value) = env::var("GOOSE_ALLOWLIST_BYPASS") { if let Ok(bypass_value) = env::var("GOOSE_ALLOWLIST_BYPASS") {