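#!/usr/bin/env bash
# Pre-execution guardrail for agent-issued shell commands.
#
# Reads one JSON tool-call payload on stdin, extracts tool_input.command and
# refuses commands that match a fixed list of destructive or privilege-raising
# patterns. On a match it prints {"decision": "block", "reason": ...} as JSON
# on stdout and exits 2; otherwise it prints nothing and exits 0.
#
# This is a best-effort denylist, not a security boundary: only the listed
# spellings are recognised, so a command that reaches the same effect another
# way is not caught. Keep real safeguards (sandboxing, file permissions,
# backups) in place independently of this hook.
set -euo pipefail

# The whole payload is captured once and handed to the checker through the
# environment rather than argv: it is never re-parsed by the shell, does not
# show up in process listings, and stdin is still free to carry the program
# text for `python3 -` below.
payload_json="$(cat)"

PAYLOAD_JSON="$payload_json" python3 - <<'PY'
import json
import os
import re
import sys


def block(reason):
    """Emit a block decision on stdout and exit with the blocking status (2)."""
    print(json.dumps({"decision": "block", "reason": reason}))
    sys.exit(2)


# An empty stdin leaves PAYLOAD_JSON set but empty, so an env-lookup default
# would never apply; `or "{}"` is what makes "no input" mean "no command".
raw = os.environ.get("PAYLOAD_JSON") or "{}"
try:
    payload = json.loads(raw)
except ValueError:  # json.JSONDecodeError is a ValueError subclass
    # Fail closed: a payload this hook cannot read is not allowed through.
    block("Hook could not parse the tool payload; command not allowed.")

# The payload and its tool_input may be missing or not objects (a bare
# string, list or null); any such shape is treated as "no command".
tool_input = payload.get("tool_input", {}) if isinstance(payload, dict) else {}
if not isinstance(tool_input, dict):
    tool_input = {}
command = str(tool_input.get("command", "")).strip()

# (pattern, reason) pairs, checked in order; the first match decides.
# Every pattern is anchored at start-of-string or after whitespace so it
# matches a command word rather than an arbitrary substring. Reasons are
# returned verbatim in the decision, so keep them user-facing.
blocked = [
    # a dash-option run containing r or f (-r, -f, -rf, -fr ...)
    (r"(^|\s)rm\s+-[^;&|]*[rf]", "Recursive or forced removal must be reviewed manually."),
    (r"(^|\s)sudo(\s|$)", "sudo is blocked for Devin sessions in this workspace."),
    (r"(^|\s)git\s+reset\s+--hard(\s|$)", "Hard resets can discard user work."),
    (r"(^|\s)git\s+checkout\s+--(\s|$)", "Checkout restore can discard user work."),
    (r"(^|\s)git\s+clean(\s|$)", "git clean can delete untracked user work."),
    (r"(^|\s)chmod\s+-R(\s|$)", "Recursive chmod is too broad for an automated hook."),
    (r"(^|\s)chown\s+-R(\s|$)", "Recursive chown is too broad for an automated hook."),
]

for pattern, reason in blocked:
    if re.search(pattern, command):
        block(reason)

# Nothing matched: allow silently (no output, exit status 0).
sys.exit(0)
PY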