Mike Swanson
4b03334304
Block inline pwsh -Command/-c (force .ps1 file approach) and Windows backslash paths in Bash commands (enforce forward slashes). Eliminates the 2-3 retry loop on PowerShell operations and prevents the /tmp path mismatch that caused the stale-payload Syncro incident. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
27 lines
1.1 KiB
Bash
27 lines
1.1 KiB
Bash
#!/usr/bin/env bash
|
|
# Pre-tool hook: block inline PowerShell, enforce .ps1 file approach.
|
|
#
|
|
# Blocks powershell.exe -Command and pwsh -Command / pwsh -c inline execution.
|
|
# Forces: write a .ps1 file, then run pwsh -NoProfile -File script.ps1
|
|
#
|
|
# Why: Git Bash expands $_ and mangles quoting before PowerShell sees the
|
|
# command. Inline execution fails 2-3 times before landing on the .ps1 approach.
|
|
|
|
input=$(cat)
|
|
cmd=$(echo "$input" | jq -r '.tool_input.command // ""' 2>/dev/null)
|
|
|
|
# Match: (powershell[.exe] | pwsh) followed by -Command or -c (as a flag, not a filename)
|
|
if echo "$cmd" | grep -qiE '^\s*(powershell(\.exe)?|pwsh)\s+(-Command|-c) ' || \
|
|
echo "$cmd" | grep -qiE '^\s*(powershell(\.exe)?|pwsh)\s+(-Command|-c)$'; then
|
|
echo "BLOCKED: Do not use powershell.exe or pwsh with inline -Command/-c arguments."
|
|
echo ""
|
|
echo "Git Bash mangles quoting and variable expansion before PowerShell sees the command."
|
|
echo ""
|
|
echo "Correct approach:"
|
|
echo " 1. Write the script using the Write tool to a .ps1 file"
|
|
echo " 2. Run: pwsh -NoProfile -File \"path/to/script.ps1\""
|
|
exit 2
|
|
fi
|
|
|
|
exit 0
|