GitHub - kaplanelad/shellfirm: Intercept any risky patterns (default or defined by you) and prompt you a small challenge for double verification
Skip to content

Intercept any risky patterns (default or defined by you) and prompt you a small challenge for double verification

License

Notifications You must be signed in to change notification settings

kaplanelad/shellfirm

Repository files navigation

Buy Me a Coffee at ko-fi.com

shellfirm

Opppppsss you did it again? 😱 😱 😰

How do I save myself from myself?

  • rm -rf *
  • git reset --hard Before hitting the enter key?
  • kubectl delete ns Stop! you are going to delete a lot of resources
  • And many more!

Do you want to learn from other people's mistakes?

shellfirm will intercept any risky patterns and immediately prompt a small challenge that will double verify your action, think of it as a captcha for your terminal.

rm -rf /
#######################
# RISKY COMMAND FOUND #
#######################
* You are going to delete everything in the path.

Solve the challenge: 8 + 0 = ? (^C to cancel)

How does it work?

shellfirm will evaluate all the shell commands behind the scenes. If a risky pattern is detected, you will immediately get a prompt with the relevant warning to verify your command.

Example

Setup your shell

Install via brew

brew tap kaplanelad/tap && brew install shellfirm

Or download the binary file from releases page, unzip the file and move to /usr/local/bin folder.

Validate shellfirm installation

shellfirm --version

Verify installation

mkdir /tmp/shellfirm
cd /tmp/shellfirm
git reset --hard

Select your shell

Oh My Zsh Download zsh plugin:
curl https://raw.githubusercontent.com/kaplanelad/shellfirm/main/shell-plugins/shellfirm.plugin.oh-my-zsh.zsh --create-dirs -o ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/shellfirm/shellfirm.plugin.zsh

Add shellfirm to the list of Oh My Zsh plugins when Zsh is loaded(inside ~/.zshrc):

plugins=(... shellfirm)
Bash Bash implementation is based on https://github.com/rcaloras/bash-preexec project, which adds a pre-exec hook to catch the command before executing.
# Download bash-preexec hook functions. 
curl https://raw.githubusercontent.com/rcaloras/bash-preexec/master/bash-preexec.sh -o ~/.bash-preexec.sh

# Source our file at the end of our bash profile (e.g. ~/.bashrc, ~/.profile, or ~/.bash_profile)
echo '[[ -f ~/.bash-preexec.sh ]] && source ~/.bash-preexec.sh' >> ~/.bashrc

# Download shellfirm pre-exec function
curl https://raw.githubusercontent.com/kaplanelad/shellfirm/main/shell-plugins/shellfirm.plugin.sh -o ~/.shellfirm-plugin.sh

# Load pre-exec command on shell initialized
echo 'source ~/.shellfirm-plugin.sh' >> ~/.bashrc
fish
curl https://raw.githubusercontent.com/kaplanelad/shellfirm/main/shell-plugins/shellfirm.plugin.fish -o ~/.config/fish/conf.d/shellfirm.plugin.fish
Zsh
# Add shellfirm to conf.d fishshell folder
curl https://raw.githubusercontent.com/kaplanelad/shellfirm/main/shell-plugins/shellfirm.plugin.zsh -o ~/.shellfirm-plugin.sh
echo 'source ~/.shellfirm-plugin.sh' >> ~/.zshrc
Docker

ℹ️ Open a new shell session

👀 👀 Verify installation 👀 👀

You should get a shellfirm prompt challenge.

If you didn't get the prompt challenge:

  1. Make sure the shellfirm --version returns a valid response.
  2. Make sure that you downloaded the Zsh plugin and added it to the Oh My Zsh plugins in .zshrc.

Risky commands

We have predefined a baseline of risky groups command that will be enabled by default, these are risky commands that might be destructive.

Group Enabled By Default
base true
git true
fs true
fs-strict false
kubernetes false
kubernetes-strict false
heroku false
terraform false

Add/Remove new group checks

shellfirm config update-groups

Change challenge:

Currently we support 3 different challenges when a risky command is intercepted:

  • Math - Default challenge which requires you to solve a math question.
  • Enter - Required only to press Enter to continue.
  • Yes - Required typing yes to continue.

You can change the default challenge by running the command:

shellfirm config challenge

At any time you can cancel a risky command by hitting ^C

Ignore pattern:

You can disable one or more patterns in a selected group by running the command:

shellfirm config ignore

Deny pattern command:

Restrict user run command by select pattern id's that you not allow to run in the shell:

shellfirm config deny

To Upgrade shellfirm

brew upgrade shellfirm

Contributing

Thank you for your interest in contributing! Please refer to contribution guidelines for guidance.

Copyright

Copyright (c) 2022 @kaplanelad. See LICENSE for further details.