feat(shell): enhance regex validators to match on entire string (#1603)

plugins/shell/src/config.rs

@@ -25,6 +25,9 @@ pub enum ShellAllowlistOpen {
 
     /// Enable the shell open API, with a custom regex that the opened path must match against.
     ///
+    /// The regex string is automatically surrounded by `^...$` to match the full string.
+    /// For example the `https?://\w+` regex would be registered as `^https?://\w+$`.
+    ///
     /// If using a custom regex to support a non-http(s) schema, care should be used to prevent values
     /// that allow flag-like strings to pass validation. e.g. `--enable-debugging`, `-i`, `/R`.
     Validate(String),

plugins/shell/src/lib.rs

@@ -148,8 +148,9 @@ fn open_scope(open: &config::ShellAllowlistOpen) -> scope::OpenScope {
             Some(Regex::new(r"^((mailto:\w+)|(tel:\w+)|(https?://\w+)).+").unwrap())
         }
         config::ShellAllowlistOpen::Validate(validator) => {
+            let regex = format!("^{validator}$");
             let validator =
-                Regex::new(validator).unwrap_or_else(|e| panic!("invalid regex {validator}: {e}"));
+                Regex::new(&regex).unwrap_or_else(|e| panic!("invalid regex {regex}: {e}"));
             Some(validator)
         }
     };

plugins/shell/src/scope.rs

@@ -88,9 +88,14 @@ impl ScopeObject for ScopeAllowedCommand {
                     crate::scope_entry::ShellAllowedArg::Fixed(fixed) => {
                         crate::scope::ScopeAllowedArg::Fixed(fixed)
                     }
-                    crate::scope_entry::ShellAllowedArg::Var { validator } => {
-                        let validator = Regex::new(&validator)
-                            .unwrap_or_else(|e| panic!("invalid regex {validator}: {e}"));
+                    crate::scope_entry::ShellAllowedArg::Var { validator, raw } => {
+                        let regex = if raw {
+                            validator
+                        } else {
+                            format!("^{validator}$")
+                        };
+                        let validator = Regex::new(&regex)
+                            .unwrap_or_else(|e| panic!("invalid regex {regex}: {e}"));
                         crate::scope::ScopeAllowedArg::Var { validator }
                     }
                 });

plugins/shell/src/scope_entry.rs

@@ -103,7 +103,18 @@ pub enum ShellAllowedArg {
         /// This will require the argument value passed to this variable to match the `validator` regex
         /// before it will be executed.
         ///
-        /// [regex]: https://docs.rs/regex/latest/regex/#syntax
+        /// The regex string is by default surrounded by `^...$` to match the full string.
+        /// For example the `https?://\w+` regex would be registered as `^https?://\w+$`.
+        ///
+        /// [regex]: <https://docs.rs/regex/latest/regex/#syntax>
         validator: String,
+
+        /// Marks the validator as a raw regex, meaning the plugin should not make any modification at runtime.
+        ///
+        /// This means the regex will not match on the entire string by default, which might
+        /// be exploited if your regex allow unexpected input to be considered valid.
+        /// When using this option, make sure your regex is correct.
+        #[serde(default)]
+        raw: bool,
     },
 }