Redis
Protect live Redis sessions with shellfirm wrap for redis-cli
Wrapping redis-cli with shellfirm intercepts dangerous Redis commands like FLUSHALL and FLUSHDB before they wipe your data.
Usage
shellfirm wrap redis-cli -h prod.redis.com -p 6379
This starts a normal redis-cli session with shellfirm checking every command.
Example session
redis-cli session (wrapped)
-- Safe commands work normally:
prod.redis.com:6379> GET user:1234
"John Doe"
prod.redis.com:6379> SET session:abc "data" EX 3600
OK
prod.redis.com:6379> KEYS user:*
1) "user:1234"
2) "user:5678"
-- Dangerous command is intercepted:
prod.redis.com:6379> FLUSHALL
============ RISKY COMMAND DETECTED ============
Severity: CRITICAL
Description: FLUSHALL removes all keys from all databases
Alternative: SCAN and DEL specific key patterns
(Selectively removes keys matching a pattern instead of wiping everything.)
? Type yes to continue Esc to cancel ›
-- FLUSHDB is also intercepted:
prod.redis.com:6379> FLUSHDB
============ RISKY COMMAND DETECTED ============
Severity: CRITICAL
Description: FLUSHDB removes all keys from the current database
Alternative: SELECT a different DB number before flushing
(Ensures you are operating on the correct database before clearing it.)
? Solve the challenge:: 3 + 7 = ? Esc to cancel ›
What gets intercepted
shellfirm checks these Redis-specific patterns (from the redis check group):
| Pattern | Severity | Description |
|---|---|---|
| FLUSHALL | Critical | Removes all keys from all databases |
| FLUSHDB | Critical | Removes all keys from the current database |
| DEBUG | High | Debug commands can cause server issues |
| SHUTDOWN | Critical | Shuts down the Redis server |
| CONFIG SET | High | Modifies server configuration at runtime |
Configuration
Redis commands are line-oriented (no ; delimiter), so the wrapper uses newline as the delimiter:
# ~/.shellfirm/settings.yaml
wrappers:
  tools:
    redis-cli:
      delimiter: "\n"
      check_groups:
        - redis
Connection methods
All standard redis-cli connection methods work:
# Standard connection
shellfirm wrap redis-cli -h prod.redis.com -p 6379
# With authentication
shellfirm wrap redis-cli -h prod.redis.com -a your-password
# Using URL
shellfirm wrap redis-cli -u redis://user:password@prod.redis.com:6379
# TLS connection
shellfirm wrap redis-cli -h prod.redis.com --tls --cert /path/to/cert --key /path/to/key
# Specific database
shellfirm wrap redis-cli -h prod.redis.com -n 2
Team policy example
For a team that wants to completely block flush operations on production:
# .shellfirm.yaml
version: 1
deny:
  - "redis:flushall"
  - "redis:flushdb"
overrides:
  - id: "redis:config_set"
    challenge: Yes
With this policy, FLUSHALL and FLUSHDB are completely blocked inside wrapped redis-cli sessions -- no challenge offered.
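The newline delimiter, the pattern table and the team policy above can be read together as one decision per typed line. The sketch below is an added illustration, not shellfirm's own code: it assumes a pattern must be the command name at the start of the line, matched case-insensitively, and the ids `redis:debug` and `redis:shutdown` are assumed by analogy with the three ids shown on this page.

```python
import re

# (check id, pattern, severity) from the "What gets intercepted" table.
# Assumed ids: redis:debug and redis:shutdown (the page shows only the other three).
CHECKS = [
    ("redis:flushall", r"FLUSHALL", "Critical"),
    ("redis:flushdb", r"FLUSHDB", "Critical"),
    ("redis:debug", r"DEBUG", "High"),
    ("redis:shutdown", r"SHUTDOWN", "Critical"),
    ("redis:config_set", r"CONFIG\s+SET", "High"),
]
# Assumption: the pattern must be the command name at the start of the line,
# matched case-insensitively (Redis command names are case-insensitive).
COMPILED = [(cid, re.compile(r"^\s*" + pat + r"(\s|$)", re.I), sev)
            for cid, pat, sev in CHECKS]

# The team policy from .shellfirm.yaml, written out as plain data.
POLICY = {
    "deny": {"redis:flushall", "redis:flushdb"},
    "overrides": {"redis:config_set": "Yes"},
}


def split_statements(buffer, delimiter="\n"):
    """Split typed input on the wrapper delimiter, dropping empty lines."""
    return [part.strip() for part in buffer.split(delimiter) if part.strip()]


def evaluate(statement, policy=POLICY):
    """Return (decision, check_id, severity, challenge) for one statement."""
    for cid, rx, severity in COMPILED:
        if rx.search(statement):
            if cid in policy["deny"]:
                return ("deny", cid, severity, None)  # blocked, no challenge
            challenge = policy["overrides"].get(cid, "default")
            return ("challenge", cid, severity, challenge)
    return ("allow", None, None, None)


def review(buffer):
    """Evaluate every line of a pasted or typed buffer."""
    return [(s, evaluate(s)) for s in split_statements(buffer)]


# Constructed sample input, one Redis command per line.
SAMPLE = ("GET flushall\nflushall async\nCONFIG GET maxmemory\n"
          "config  set maxmemory 1gb\nSHUTDOWN NOSAVE\n")

if __name__ == "__main__":
    for statement, verdict in review(SAMPLE):
        print(f"{statement!r:32} -> {verdict}")
```

Under these assumptions a key that happens to be named `flushall` is not flagged, while `flushall async` typed in lowercase is still denied.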