detectDangerousPatterns function
Detects dangerous patterns in a shell command and returns a description of each pattern found.
Implementation
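/// Scans a shell [command] for constructs that are commonly destructive or
/// typical of misuse, and returns a description of every pattern found.
///
/// The checks are regular-expression heuristics over the raw command text,
/// not a shell parser: quoting, aliases, variables and encoding can hide a
/// dangerous command from them, and harmless commands can match. Treat the
/// result as a reason to warn or ask for confirmation rather than as a
/// security boundary.
///
/// Returns an empty list when nothing matches. The description strings are
/// stable and are appended in the order the checks appear below, so callers
/// may compare against them.
List<String> detectDangerousPatterns(String command) {
  final patterns = <String>[];

  // Whether [pattern] matches anywhere in the command (case-sensitive, as
  // shell command names are).
  bool has(String pattern) => RegExp(pattern).hasMatch(command);

  // Appends [label] when [hit] is true; keeps each check below short.
  void flagIf(bool hit, String label) {
    if (hit) patterns.add(label);
  }

  // rm with both a recursive (-r/-R/--recursive) and a force (-f/--force)
  // flag, targeting an absolute or home-relative path. Flags may be bundled
  // (-rf, -Rf, -rfv), separate (-r -f) or long, with other options such as
  // --no-preserve-root in between. Long options are compared whole so that
  // the "r" inside --force is not mistaken for a recursive flag.
  bool isRecursiveForceRm() {
    final rmCall = RegExp(r'\brm\s+((?:--?[a-zA-Z-]+\s+)+)[/~]');
    return rmCall.allMatches(command).any((m) {
      var recursive = false;
      var force = false;
      final flags = (m.group(1) ?? '').trim().split(RegExp(r'\s+'));
      for (final flag in flags) {
        if (flag.startsWith('--')) {
          recursive = recursive || flag == '--recursive';
          force = force || flag == '--force';
        } else {
          // Bundled short flags: every character after the dash is a flag.
          final letters = flag.substring(1);
          recursive =
              recursive || letters.contains('r') || letters.contains('R');
          force = force || letters.contains('f');
        }
      }
      return recursive && force;
    });
  }

  // A shell interpreter at the receiving end of a pipe (bash, sh, zsh, dash,
  // ksh), optionally run through sudo. The trailing \b keeps `| shuf` and
  // `| shasum` from matching.
  const pipeToShell = r'\|\s*(?:sudo\s+(?:-\S+\s+)*)?(?:ba|z|da|k)?sh\b';

  // Fork bomb: :(){ :|:& };:  (the regex also covers the spaced variants).
  flagIf(has(r':\(\)\s*\{.*:\|:.*\}'), 'Fork bomb detected');

  // Unbounded shell loops combined with a redirect that can fill the disk.
  final infiniteLoop =
      has(r'\bwhile\s+(?:true|1|:)') || has(r'\bfor\s*\(\(\s*;\s*;\s*\)\)');
  flagIf(
    infiniteLoop && command.contains('>'),
    'Potential infinite loop with disk write',
  );

  // Raw block device paths (/dev/sda, /dev/hdb, ...).
  flagIf(has(r'/dev/[sh]d[a-z]'), 'Raw disk device access');

  // dd writing straight to a device node. /dev/null is a discard sink, not a
  // device write, so it is excluded; \bdd\b avoids matching "add" etc.
  flagIf(has(r'\bdd\b.*\bof=/dev/(?!null\b)'), 'Direct device write with dd');

  flagIf(isRecursiveForceRm(), 'Recursive force removal of root or home');

  // World-writable mode on an absolute path. Options such as -R may appear
  // before or after the mode; 0777 and a+rwx are the same mode as 777.
  flagIf(
    has(r'\bchmod\s+(?:-[a-zA-Z]+\s+)*(?:0?777|a\+rwx)\s+'
        r'(?:-[a-zA-Z]+\s+)*/'),
    'World-writable permissions on system path',
  );

  // Remote content fed to an interpreter: curl/wget piped to a shell, or a
  // shell reading the download through process substitution.
  flagIf(
    has(r'\b(?:curl|wget)\s.*' + pipeToShell) ||
        has(r'\b(?:ba|z|da|k)?sh\s+<\(\s*(?:curl|wget)\b'),
    'Piping remote script to shell',
  );

  // eval whose argument contains a variable expansion.
  flagIf(has(r'\beval\s+.*\$'), 'eval with variable expansion');

  // mkfs and its variants (mkfs.ext4, mkfs.xfs, ...).
  flagIf(command.contains('mkfs'), 'Filesystem format command');

  // Redirect or tee into an account/privilege database under /etc. The
  // path is a prefix match, so /etc/sudoers.d/... is covered as well.
  flagIf(
    has(r'>\s*/etc/(?:passwd|shadow|sudoers)') ||
        has(r'\btee\s+(?:-[a-zA-Z]+\s+)*/etc/(?:passwd|shadow|sudoers)'),
    'Overwriting critical system file',
  );

  // Disabling, flushing or stopping the host firewall.
  flagIf(
    has(r'\bufw\s+disable\b') ||
        has(r'\bip6?tables\b.*\s-F\b') ||
        has(r'\bnft\s+flush\s+ruleset\b') ||
        has(r'\bfirewall-cmd\s+--panic-off\b') ||
        has(r'\bsystemctl\s+(?:stop|disable|mask)\s+'
            r'(?:ufw|firewalld|nftables|iptables)\b'),
    'Firewall disable command',
  );

  // Clearing, touching or disabling the shell history.
  flagIf(
    command.contains('history -c') ||
        command.contains('.bash_history') ||
        command.contains('.zsh_history') ||
        has(r'\bunset\s+HISTFILE\b') ||
        has(r'\bHISTFILE=/dev/null\b') ||
        has(r'\bHISTSIZE=0\b'),
    'Shell history manipulation',
  );

  // Reverse/bind shells: bash network redirection devices, or nc/ncat/netcat
  // with an exec (-e) or listen (-l) flag, possibly bundled (-lvp, -nvlp),
  // followed by a port number.
  flagIf(
    has(r'/dev/(?:tcp|udp)/') ||
        has(r'\b(?:nc|ncat|netcat)\b.*\s-[a-zA-Z]*[el][a-zA-Z]*\b.*\d'),
    'Potential reverse shell',
  );

  // Base64-decoded payload piped into a shell (-d, -D on BSD/macOS, or the
  // long --decode form).
  flagIf(
    has(r'\bbase64\s+(?:-d|-D|--decode)\b.*' + pipeToShell),
    'Base64 decode piped to shell',
  );

  // crontab -r wipes the user's crontab; it may follow -u <user> or be
  // bundled with other short flags (-ir).
  flagIf(
    has(r'\bcrontab\s+(?:-[a-zA-Z]+\s+|-u\s+\S+\s+)*-[a-zA-Z]*r[a-zA-Z]*\b'),
    'Crontab removal',
  );

  // Unbounded writers redirected to a file. `yes` must be in command
  // position so that `echo yes > file` is not flagged; /dev/null is a
  // harmless sink in both cases.
  flagIf(
    has(r'(?:^|[;&|(]\s*)yes\s*>(?!\s*/dev/null\b)') ||
        has(r'/dev/zero\s*>(?!\s*/dev/null\b)'),
    'Potential disk fill',
  );

  return patterns;
}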