shell-safe-validator/README.md

# Shell Safe Validator

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![Python Version](https://img.shields.io/badge/python-3.9%2B-blue)](https://www.python.org/downloads/)
[![PyPI Version](https://img.shields.io/badge/pypi-v0.1.0-red)](https://pypi.org/project/shell-safe-validator/)

A CLI tool that validates shell scripts and commands for safety issues before execution. It detects dangerous patterns like `rm -rf` with variables, unquoted variables, potential injection vulnerabilities, and missing error handling, suggesting safer alternatives with explanations.

## Features

- **Pattern-based dangerous command detection**: Identifies risky commands like `rm -rf` with variables, `sudo` without full path, `cp` without `-i`
- **Security vulnerability scanning**: Detects command injection, path traversal, and shell metacharacter injection
- **Best practices validation**: Checks for `set -e`, `set -u`, proper error handling, and quoted variables
- **Interactive safe-mode execution**: Execute validated commands safely with confirmation prompts
- **Configurable rule customization**: Load custom rules from YAML/JSON config files

## Installation

### From Source

```bash
git clone https://7000pct.gitea.bloupla.net/7000pctAUTO/shell-safe-validator.git
cd shell-safe-validator
pip install -e .
```

### From PyPI (coming soon)

```bash
pip install shell-safe-validator
```

## Usage

### Validate a Shell Script

```bash
shell-safe-validator validate script.sh
```

### Check a Single Command

```bash
shell-safe-validator check "rm -rf $VAR"
```

### Execute Safely with Confirmation

```bash
shell-safe-validator safe-exec "rm -rf /tmp/old_files"
```

### Use Custom Configuration

```bash
shell-safe-validator validate script.sh --config custom_rules.yaml
```

## Commands

### validate

Validate a shell script file for safety issues.

```bash
shell-safe-validator validate [OPTIONS] FILE
```

Options:
- `--config`: Path to custom rules YAML file
- `--severity`: Minimum severity level to report (low, medium, high, critical)
- `--output-format`: Output format (text, json, compact)

### check

Check a single shell command for safety issues.

```bash
shell-safe-validator check [OPTIONS] COMMAND
```

Options:
- `--severity`: Minimum severity level to report
- `--output-format`: Output format (text, json, compact)

### safe-exec

Execute a command safely with validation and confirmation.

```bash
shell-safe-validator safe-exec [OPTIONS] COMMAND
```

Options:
- `--dry-run`: Show what would be executed without running
- `--force`: Skip confirmation prompt

## Configuration

### Default Rules

The tool comes with comprehensive default rules stored in `config/default_rules.yaml`. These rules cover:

- **Critical**: Dangerous deletion commands, eval with variables, unrestricted sudo
- **High**: Unquoted variables, command injection patterns, path traversal
- **Medium**: Missing safety flags, improper error handling
- **Low**: Style suggestions and best practices

### Custom Rules

You can create custom rule files in YAML format:

```yaml
rules:
  - id: CUSTOM001
    name: Custom Rule Name
    pattern: rm -rf \$\w+
    severity: critical
    message: Custom message
    suggestion: Use a safer alternative
```

### Configuration File Precedence

1. `.shell-safe-validator.yaml` (project-level)
2. `~/.config/shell-safe-validator/rules.yaml` (user-level)
3. `config/default_rules.yaml` (built-in defaults)

## Examples

### Basic Validation

```bash
$ shell-safe-validator check "rm -rf $DIR"
[CRITICAL] Dangerous deletion with variable
  Command: rm -rf $DIR
  Suggestion: Avoid using variables with rm -rf. Use absolute paths or verify the variable content first.
```

### Script Validation

```bash
$ shell-safe-validator validate deploy.sh
Validating deploy.sh...

[HIGH] ? Line 15:
  Command: cp $SRC_DIR/* $DEST_DIR/
  Matched: $SRC_DIR
  Unquoted variable can cause word splitting and glob expansion
  Suggestion: Always quote variables: "$VAR" instead of $VAR

[MEDIUM] ? Line 23:
  Command: npm install
  Matched: npm install
  Command without error handling
  Suggestion: Add error handling with '|| exit 1' or '&&' operator

Validation complete: 2 issue(s) found (0 critical, 1 high, 1 medium, 0 low)
```

### Safe Execution

```bash
$ shell-safe-validator safe-exec "mkdir -p /tmp/test"
Warning: Command has 1 issue(s)
  [LOW] Script missing shebang line
Execute: mkdir -p /tmp/test
⚠️  This command will create a directory. Proceed? [y/N]: y
Command executed successfully
```

## Development

### Setup

```bash
git clone https://7000pct.gitea.bloupla.net/7000pctAUTO/shell-safe-validator.git
cd shell-safe-validator
pip install -e ".[dev]"
```

### Running Tests

```bash
pytest tests/ -v
pytest tests/ --cov=src
```

### Project Structure

```
shell-safe-validator/
├── src/
│   ├── __init__.py           # Package root
│   ├── cli.py                # CLI entry point
│   ├── models/               # Data models
│   │   ├── __init__.py
│   │   ├── finding.py        # Finding model
│   │   ├── rule.py           # Rule model
│   │   └── severity.py       # Severity enum
│   ├── validators/           # Validation modules
│   │   ├── __init__.py
│   │   ├── patterns.py       # Pattern-based detection
│   │   ├── security.py       # Security vulnerability scanning
│   │   └── best_practices.py # Best practices validation
│   ├── config/               # Configuration loading
│   │   ├── __init__.py
│   │   └── loader.py         # Config loader
│   └── utils/                # Utility functions
│       ├── __init__.py
│       └── shell_parser.py   # Shell parsing utilities
├── tests/
│   ├── __init__.py
│   ├── test_cli.py
│   ├── test_config.py
│   ├── test_utils.py
│   └── test_validators/
│       ├── __init__.py
│       ├── test_patterns.py
│       ├── test_security.py
│       └── test_best_practices.py
├── config/
│   └── default_rules.yaml
├── pyproject.toml
├── LICENSE
└── README.md
```

## Contributing

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add some amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## Acknowledgments

- Inspired by shellcheck and similar static analysis tools
- Built with Click for CLI and PyYAML for configuration