RI-8187 Workbench dangerous-command gating via type-to-confirm#5964
Merged
KrumTy merged 5 commits intoMay 22, 2026
Conversation
🛡️ Jit Security Scan Results✅ No security findings were detected in this PR
Security scan by Jit
|
Wires the Workbench multi-command runner through `TypeToConfirmModal` when the connected database is classified as `Environment.Production` (via `useDatabaseEnvironment`). If any command in the submitted batch is dangerous, the batch is held and the modal opens; the user types the database name (or `host:port`) to confirm. Cancel aborts the batch; confirm dispatches the original `sendWbQueryAction` unchanged. Non-production environments pass through with no behavior change because `isDangerousCommand` short-circuits to `false`. The dangerous commands found in the batch are listed (comma-joined) in the modal body so users see exactly what they're authorizing. No FE telemetry — BE `WORKBENCH_COMMAND_EXECUTED` event enriched by RI-8196 (PR #5930) carries the `environment` and `dangerous` flags. References: #RI-8187
Hoists the name-or-host:port expression so the modal's confirmationText and actionDescription reference a single source. Mirrors the pattern in PR #5962 (CliBodyWrapper). References: #RI-8187
2bcd631 to
f2eb3ad
Compare
Contributor
Code Coverage - Frontend unit tests
Test suite run success6976 tests passing in 802 suites. Report generated by 🧪jest coverage report action from 72757c0 |
sourceValueSubmit was checking dangerousness against effectiveValue (value || script) but passing the raw value to runSubmission on the safe path. If value was an empty string while script held content, the gate would correctly run on script but the safe path would silently drop the commands via handleSubmit's !commandInit?.length guard. Now both branches use effectiveValue. References: #RI-8187
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit ad44c72. Configure here.
cmd.split(' ')[0] only handles single-space separation. getMonacoLines
splits on \n(?=[^\s]), so multi-line continuation commands like
'FLUSHALL\n ASYNC' arrive as a single entry with embedded newlines.
Splitting on ' ' yielded 'FLUSHALL\n' (with trailing newline), which
failed the isDangerousCommand set lookup and bypassed the gate.
Using /\s+/ extracts the bare verb.
References: #RI-8187
valkirilov
reviewed
May 22, 2026
Replaces ;(X as jest.Mock).foo() lines with named mock-handle consts (sendWbQueryActionMock, useDatabaseEnvironmentMock, connectedInstanceSelectorMock) so call sites no longer need the leading-semicolon dance to avoid ASI ambiguity. References: #RI-8187
valkirilov
approved these changes
May 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

What
Gates dangerous Redis commands (
ACL CAT dangerous) in the Workbench multi-command runner behind aTypeToConfirmModalon production-environment connections. The dangerous-commands list is already populated on connect by #5962 (RI-8186) — this PR just consumes it viauseDatabaseEnvironment().isDangerousCommand.When any command in the submitted batch is dangerous,
WBViewWrapper.sourceValueSubmitholds the batch and opens the modal. The user types the database name (orhost:portfallback) to confirm; cancel aborts the batch; confirm dispatches the originalsendWbQueryActionunchanged. Non-production passes through with zero behavior change because the hook short-circuits tofalse.The modal body lists the dangerous commands found in the batch (comma-joined) so users see exactly what they're authorizing, e.g.:
Design notes
WBViewWrapper, matching the sibling pattern in #5962 (CLI gating inCliBodyWrapper) and #5963 (bulk delete gating inBulkDeleteFooter). Each surface has different post-confirm wiring, so a shared component would add indirection without payoff.WORKBENCH_COMMAND_EXECUTEDevent enriched by RI-8196 (#5930, merged) carriesenvironment+dangerousflags.Dependencies / siblings
Testing
node node_modules/.bin/jest redisinsight/ui/src/pages/workbench/components/wb-view/WBViewWrapper.spec.tsx -c jest.config.cjs— 11/11 pass (4 new gating tests + the host:port fallback case + existing).yarn lint:ui— clean.Manual smoke (
yarn dev:desktop)devProdModeflag on). Open Workbench:PING→ runs immediately, no modal.FLUSHALL→ modal opens, names the command and the DB; cancel → not dispatched; confirm with DB name → runs.PING\nFLUSHDB\nSET x 1→ one modal listingFLUSHDB; cancel → no commands run; confirm → whole batch dispatched.FLUSHALL ASYNC→ still gated (verb extracted before dangerous-command check).devProdModeflag off → dangerous commands run without modal regardless of environment.Closes #RI-8187
Note
Medium Risk
Changes Workbench query submission flow to defer execution behind a confirmation modal when potentially destructive commands are detected, which could block or alter multi-command execution behavior if parsing/gating is incorrect.
Overview
Adds dangerous-command gating to the Workbench multi-command runner:
WBViewWrappernow parses the submitted batch (getCommandsForExecution) and, if any command verb is flagged byuseDatabaseEnvironment().isDangerousCommand, defers dispatch and shows aTypeToConfirmModalrequiring the user to type the DB name (orhost:port) to proceed.On confirm, the original batch is dispatched unchanged; on cancel, nothing is sent. Updates
WBViewWrapper.spec.tsxwith new tests covering non-dangerous pass-through, modal gating for multi-command and Monaco continuation cases, confirm/cancel behavior, and thehost:portfallback.Reviewed by Cursor Bugbot for commit 72757c0. Bugbot is set up for automated code reviews on this repo. Configure here.