Commit 46cdb45
fix(approval): contextual exemption for safe compound command patterns (#65)
* chore: add .worktrees to gitignore
* fix(approval): add < and > to compound operator detection
File redirection operators were missing from COMPOUND_OPERATORS_RE,
allowing patterns like '| jq . > /tmp/exfil' to bypass the compound
operator check. Single-quoted content is already stripped before
scanning, so expressions like --jq '.id < 5' are not affected.
* feat(approval): add extractCoreCommand to strip safe shell wrappers
Strips known-safe shell constructs (2>&1, trailing pipes to read-only
filters, leading cd prefix) from commands before compound operator
checking. Unrecognized constructs remain and trigger fail-closed
escalation to Haiku.
* feat(approval): integrate extractCoreCommand into contextual exemption
isContextualGhCommand now strips safe shell wrappers before checking
for compound operators. Commands like 'gh api ... 2>&1 | head -5'
are contextually exempted when targeting a related repo. Distinct
logging tag 'core-extracted' enables forensic differentiation.
* test(approval): add issue #58 reproduction case tests
Verifies that the exact commands from issue #58 are handled correctly:
2>&1 cases are contextually exempted, process substitution cases
still go to Haiku.
* fix(approval): reject file-path args in safe pipe filters
Safe pipe filters (head, tail, jq, etc.) can read files when given
filename arguments, bypassing the stdin-only assumption. Reject
filter args that look like file paths (starting with /, ~, or .)
to prevent this vector. Also clarifies doc comments and adds an
explanatory comment for the intentional extractCoreCommand
duplication in the logging block.
* fix(approval): tighten extractCoreCommand per PR review findings
- Remove `cat` from SAFE_PIPE_FILTERS to prevent relative filename bypass
- Update hasPathArg regex to catch double-quoted paths (e.g., "/etc/passwd")
- Replace greedy pipe regex with quote-aware scan to handle `|` inside
single-quoted jq expressions (e.g., jq '.items | .id')
- Add 5 new tests covering all edge cases from PR review
* docs: expand CLI best practices for gh body/payload handling
Clarify that all arbitrary text content must go through temp files,
not inline arguments. Add explicit patterns for gh high-level commands
(--body-file) and gh api calls (--input with JSON payload). Prohibit
-F body=@file which still triggers the classifier.
* fix(approval): close single-quoted path bypass in pipe filter args
Run hasPathArg on original filterArgs instead of single-quote-stripped
version so paths like '/etc/passwd' are still caught. Refine path
regex to require . be followed by / to distinguish ./config (path)
from .field (jq expression). Remove duplicate test.
* fix(approval): use --input instead of --body-file in gh api test case
gh api uses --input for request bodies, not --body-file. Aligns test
with actual gh api usage and CLAUDE.md CLI best practices.
1 parent 489d9cd commit 46cdb45
4 files changed
Lines changed: 484 additions & 11 deletions
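The wrapper stripping described in the commit message, as an added JavaScript example that is not code from this commit or the project; it covers only trailing pipe filters and `2>&1`. The filter list, the regex contents and the helpers `splitUnquotedPipes`, `stripSingleQuoted` and `isSafeAfterExtraction` are assumptions; only the names `extractCoreCommand`, `SAFE_PIPE_FILTERS` and `COMPOUND_OPERATORS_RE` come from the message.

```javascript
// Added illustration; the filter list and regexes are assumptions, not the project's values.
const SAFE_PIPE_FILTERS = new Set(["head", "tail", "jq", "wc"]); // `cat` deliberately absent
const COMPOUND_OPERATORS_RE = /[;&|<>`]|\$\(/;
// Path-like argument: optional quote, then /, ~, ./ or ../ (".field" stays a jq expression).
const PATH_ARG_RE = /(^|\s)["']?(\/|~|\.\.?\/)/;
const stripSingleQuoted = (s) => s.replace(/'[^']*'/g, "");

// Split on `|` only when it sits outside single and double quotes; `||` is never a split point.
function splitUnquotedPipes(cmd) {
  const parts = [];
  let quote = null, start = 0;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (quote) { if (c === quote) quote = null; continue; }
    if (c === "'" || c === '"') { quote = c; continue; }
    if (c === "|" && cmd[i + 1] !== "|" && cmd[i - 1] !== "|") {
      parts.push(cmd.slice(start, i));
      start = i + 1;
    }
  }
  parts.push(cmd.slice(start));
  return parts;
}

// Returns the command with safe wrappers removed, or null when it cannot be scanned safely.
function extractCoreCommand(cmd) {
  if (/[\\\n]/.test(cmd)) return null; // escapes and newlines defeat the simple quote scan
  const parts = splitUnquotedPipes(cmd).map((p) => p.trim());
  while (parts.length > 1) {
    const [name, ...rest] = parts[parts.length - 1].split(/\s+/);
    const filterArgs = rest.join(" ");
    // Path check runs on the ORIGINAL args so a single-quoted '/etc/passwd' is still caught.
    if (!SAFE_PIPE_FILTERS.has(name) || PATH_ARG_RE.test(filterArgs)) break;
    // Any operator left outside single quotes (>, &, ...) keeps the segment in place.
    if (COMPOUND_OPERATORS_RE.test(stripSingleQuoted(filterArgs))) break;
    parts.pop();
  }
  return parts.join(" | ").replace(/\s+2>&1\s*$/, "").trim();
}

// True only when the remaining core has no compound operator; anything else
// stays unrecognized and falls through to escalation (fail closed).
function isSafeAfterExtraction(cmd) {
  const core = extractCoreCommand(cmd);
  return core !== null && !COMPOUND_OPERATORS_RE.test(stripSingleQuoted(core));
}
```
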
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
| 5 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
273 | 273 | | |
274 | 274 | | |
275 | 275 | | |
276 | | - | |
| 276 | + | |
277 | 277 | | |
278 | | - | |
| 278 | + | |
| 279 | + | |
| 280 | + | |
| 281 | + | |
| 282 | + | |
| 283 | + | |
| 284 | + | |