
Require confirmation for AI-driven interactive bash stdin and harden detection#169

Merged: F16shen merged 1 commit into main from codex/fix-stdin-security-vulnerability-in-pty-executor, May 12, 2026



@sonald (Collaborator) commented May 12, 2026

Motivation

  • Prevent AI-selected commands from silently receiving terminal input by ensuring PTY stdin handoff only occurs for real interactive commands and with explicit user confirmation.
  • Harden the heuristic that previously matched sudo/su by substring so prompt-injection (e.g., echo sudo) cannot force the PTY handoff.

Description

  • Replace the simple substring check with a shell-aware tokenizer and selector: implemented a robust _needs_interactive_bash using shlex to detect real command positions, wrappers, assignments and separators (file: src/aish/tools/code_exec.py).
  • Require an explicit preflight confirmation for AI-generated commands that need interactive stdin by returning a ToolPreflightAction.CONFIRM from prepare_invocation (unless the exact command is already approved), and make need_confirm_before_exec return True for interactive commands (file: src/aish/tools/code_exec.py).
  • Ensure interactive confirmation cannot be bypassed by fail_open sandbox decisions by checking interactive detection before honoring fail_open (file: src/aish/tools/code_exec.py).
  • Add regression tests that cover correct detection (including wrapper forms like /usr/bin/sudo, VAR=1 sudo, command sudo ...), avoid false positives for benign substrings, and assert the preflight confirmation behavior and exact-approved command behavior (file: tests/tools/test_bash_output_offload.py).

Testing

  • Ran unit tests: python -m pytest tests/tools/test_bash_output_offload.py -q and python -m pytest tests/tools/test_bash_output_offload.py tests/test_ask_user_tool.py -q, and all tests passed (13 passed for the focused suite and 31 passed for the combined run).
  • Ran static checks: python -m ruff check src/aish/tools/code_exec.py tests/tools/test_bash_output_offload.py, which returned no issues.
  • Ran quick sanity checks (compile/ruff/pytest) used in CI and they succeeded.

Codex Task
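
The difference between the substring match and shell-aware detection described in the PR description above, as an added example. This is not the code from src/aish/tools/code_exec.py: the names substring_check and needs_interactive_stdin, the WRAPPERS list, the fail-closed handling of unparsable input and the sample commands are assumptions made for illustration.

```python
import os
import shlex

INTERACTIVE = {"sudo", "su"}                             # commands the PR names
WRAPPERS = {"command", "exec", "env", "nohup", "time"}   # assumed transparent prefixes
SEP_CHARS = ";|&()\n"                                    # operators that start a new command


def substring_check(cmd: str) -> bool:
    """Weak heuristic: the name appearing anywhere in the text counts as a match."""
    return any(name in cmd for name in INTERACTIVE)


def _is_assignment(tok: str) -> bool:
    name, eq, _ = tok.partition("=")
    return bool(eq) and name.isidentifier()


def needs_interactive_stdin(cmd: str) -> bool:
    """True only when sudo/su sits in command position (hypothetical detector)."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=SEP_CHARS)
    lexer.whitespace = " \t\r"      # newline stays a separator, not whitespace
    lexer.whitespace_split = True   # split words on whitespace only (Python 3.8+)
    lexer.commenters = ""           # do not let '#' hide the rest of the line
    try:
        tokens = list(lexer)
    except ValueError:              # unbalanced quotes: cannot classify, so ask
        return True
    at_command = True
    for tok in tokens:
        # Quoted separators such as ';' are over-approximated as real ones,
        # which errs toward asking for confirmation.
        if tok and all(c in SEP_CHARS for c in tok):
            at_command = True       # next word starts a new command
        elif at_command:
            name = os.path.basename(tok)
            if _is_assignment(tok) or name in WRAPPERS:
                continue            # still in command position
            if name in INTERACTIVE:
                return True
            at_command = False      # ordinary command; the rest are arguments
    return False


SAMPLES = ["echo sudo", "/usr/bin/sudo id", "VAR=1 sudo id", "command sudo ls"]  # constructed

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:22} substring={substring_check(s)} tokenized={needs_interactive_stdin(s)}")
```

Backtick command substitution and wrapper options (for example `time -p sudo`) are not modelled in this sketch.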


coderabbitai Bot commented May 12, 2026

Warning

Rate limit exceeded

@sonald has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 58 minutes and 30 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 7d627de and 81dec05.

📒 Files selected for processing (2)
  • src/aish/tools/code_exec.py
  • tests/tools/test_bash_output_offload.py

@github-actions github-actions Bot added tools Tool integration issue tests size: S labels May 12, 2026
@github-actions (Contributor)

Thanks for the pull request. A maintainer will review it when available.

Please keep the PR focused, explain the why in the description, and make sure local checks pass before requesting review.

Contribution guide: https://github.com/AI-Shell-Team/aish/blob/main/CONTRIBUTING.md

@github-actions (Contributor)

This pull request description looks incomplete. Please update the missing sections below before review.

Missing items:

  • Summary
  • User-visible Changes
  • Compatibility
  • Testing
  • Change Type
  • Scope

@F16shen F16shen merged commit 43e693c into main May 12, 2026
14 checks passed
@F16shen F16shen deleted the codex/fix-stdin-security-vulnerability-in-pty-executor branch May 12, 2026 03:31