Deep Dive: Code-Layer Security - 20+ Validators Behind BashTool
Walks the layered validation pipeline that backs up the prompt when the model ignores its 'suggestions': control-character checks, multi-view quote extraction, obfuscated-flag detection (ANSI-C quoting, empty-quote concatenation, quote chains, triple quotes), brace-expansion and backslash-escaped-operator traps, hard path constraints, a whitelist-plus-denylist sed validator, and per-tool exit-code semantics. Every validator returns allow/ask/deny/passthrough, and misparsing-class findings outrank informational ones.
View source on GitHubKey takeaways
- 01
Security analysis needs multiple views of a command: double quotes kept, fully unquoted, and quote characters preserved
- 02
Each validator does exactly one job and returns allow / ask / deny / passthrough - failures stay isolated and fixable
- 03
Parser-vs-bash disagreements (brace expansion, backslash-escaped operators) are the most dangerous bug class
- 04
Path validation is the hardest constraint: system directories stay off-limits regardless of prompts or permission rules
- 05
Exit-code semantics differ per tool: grep/diff/test returning 1 is signal, not error
- 06
Warn on destructive patterns (git reset --hard, rm -rf) without blocking - transparency over obstruction
Flows built on this research
Agent QA & Security
Build a Command Security Pipeline for Your Agent
Replace scattered if-else safety checks with a layered validator pipeline: single-purpose checks, an allow/ask/deny/passthrough contract, and severity-aware ordering.
4 steps · 120-180 minutes
Agent QA & Security
Detect Command Obfuscation and Parser-Mismatch Attacks
Catch the attacks your parser cannot see: quote-concatenation flags, ANSI-C quoting, brace expansion, and escaped operators that make bash execute something your checks never inspected.
4 steps · 120-180 minutes
Harness Engineering
Pair Every Prompt Rule with a Code Backstop
Prompts guide, code enforces: inventory your agent's soft rules, back each critical one with an independent deterministic check, and define the allow/ask/deny escalation.
4 steps · 120-180 minutes
Harness Engineering
Hook a Permission Layer onto Dangerous Tools
Intercept dangerous tool calls with a hook layer: pattern rules, approval gates, and blocks that the model cannot talk its way past.
4 steps · 60-90 minutes
Harness Engineering
Rate and Blast-Radius Limits for Destructive Tools
Cap how much damage any window of agent activity can do: rate limits, change budgets, checkpoints, and undo.
4 steps · 60-90 minutes