Shell Safe Validator
A CLI tool that validates shell scripts and commands for safety issues before execution. It detects dangerous patterns like rm -rf with variables, unquoted variables, potential injection vulnerabilities, and missing error handling, suggesting safer alternatives with explanations.
Features
- Pattern-based dangerous command detection: Identifies risky commands like
rm -rfwith variables,sudowithout full path,cpwithout-i - Security vulnerability scanning: Detects command injection, path traversal, and shell metacharacter injection
- Best practices validation: Checks for
set -e,set -u, proper error handling, and quoted variables - Interactive safe-mode execution: Execute validated commands safely with confirmation prompts
- Configurable rule customization: Load custom rules from YAML/JSON config files
Installation
From Source
git clone https://7000pct.gitea.bloupla.net/7000pctAUTO/shell-safe-validator.git
cd shell-safe-validator
pip install -e .
From PyPI (coming soon)
pip install shell-safe-validator
Usage
Validate a Shell Script
shell-safe-validator validate script.sh
Check a Single Command
shell-safe-validator check "rm -rf $VAR"
Execute Safely with Confirmation
shell-safe-validator safe-exec "rm -rf /tmp/old_files"
Use Custom Configuration
shell-safe-validator validate script.sh --config custom_rules.yaml
Commands
validate
Validate a shell script file for safety issues.
shell-safe-validator validate [OPTIONS] FILE
Options:
--config: Path to custom rules YAML file--severity: Minimum severity level to report (low, medium, high, critical)--output-format: Output format (text, json, compact)
check
Check a single shell command for safety issues.
shell-safe-validator check [OPTIONS] COMMAND
Options:
--severity: Minimum severity level to report--output-format: Output format (text, json, compact)
safe-exec
Execute a command safely with validation and confirmation.
shell-safe-validator safe-exec [OPTIONS] COMMAND
Options:
--dry-run: Show what would be executed without running--force: Skip confirmation prompt
Configuration
Default Rules
The tool comes with comprehensive default rules stored in config/default_rules.yaml. These rules cover:
- Critical: Dangerous deletion commands, eval with variables, unrestricted sudo
- High: Unquoted variables, command injection patterns, path traversal
- Medium: Missing safety flags, improper error handling
- Low: Style suggestions and best practices
Custom Rules
You can create custom rule files in YAML format:
rules:
- id: CUSTOM001
name: Custom Rule Name
pattern: rm -rf \$\w+
severity: critical
message: Custom message
suggestion: Use a safer alternative
Configuration File Precedence
.shell-safe-validator.yaml(project-level)~/.config/shell-safe-validator/rules.yaml(user-level)config/default_rules.yaml(built-in defaults)
Examples
Basic Validation
$ shell-safe-validator check "rm -rf $DIR"
[CRITICAL] Dangerous deletion with variable
Command: rm -rf $DIR
Suggestion: Avoid using variables with rm -rf. Use absolute paths or verify the variable content first.
Script Validation
$ shell-safe-validator validate deploy.sh
Validating deploy.sh...
[HIGH] ? Line 15:
Command: cp $SRC_DIR/* $DEST_DIR/
Matched: $SRC_DIR
Unquoted variable can cause word splitting and glob expansion
Suggestion: Always quote variables: "$VAR" instead of $VAR
[MEDIUM] ? Line 23:
Command: npm install
Matched: npm install
Command without error handling
Suggestion: Add error handling with '|| exit 1' or '&&' operator
Validation complete: 2 issue(s) found (0 critical, 1 high, 1 medium, 0 low)
Safe Execution
$ shell-safe-validator safe-exec "mkdir -p /tmp/test"
Warning: Command has 1 issue(s)
[LOW] Script missing shebang line
Execute: mkdir -p /tmp/test
⚠️ This command will create a directory. Proceed? [y/N]: y
Command executed successfully
Development
Setup
git clone https://7000pct.gitea.bloupla.net/7000pctAUTO/shell-safe-validator.git
cd shell-safe-validator
pip install -e ".[dev]"
Running Tests
pytest tests/ -v
pytest tests/ --cov=src
Project Structure
shell-safe-validator/
├── src/
│ ├── __init__.py # Package root
│ ├── cli.py # CLI entry point
│ ├── models/ # Data models
│ │ ├── __init__.py
│ │ ├── finding.py # Finding model
│ │ ├── rule.py # Rule model
│ │ └── severity.py # Severity enum
│ ├── validators/ # Validation modules
│ │ ├── __init__.py
│ │ ├── patterns.py # Pattern-based detection
│ │ ├── security.py # Security vulnerability scanning
│ │ └── best_practices.py # Best practices validation
│ ├── config/ # Configuration loading
│ │ ├── __init__.py
│ │ └── loader.py # Config loader
│ └── utils/ # Utility functions
│ ├── __init__.py
│ └── shell_parser.py # Shell parsing utilities
├── tests/
│ ├── __init__.py
│ ├── test_cli.py
│ ├── test_config.py
│ ├── test_utils.py
│ └── test_validators/
│ ├── __init__.py
│ ├── test_patterns.py
│ ├── test_security.py
│ └── test_best_practices.py
├── config/
│ └── default_rules.yaml
├── pyproject.toml
├── LICENSE
└── README.md
Contributing
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add some amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
License
This project is licensed under the MIT License - see the LICENSE file for details.
Acknowledgments
- Inspired by shellcheck and similar static analysis tools
- Built with Click for CLI and PyYAML for configuration