From 80374d4dd97368d00f55c551bdbfc0fab0f011a8 Mon Sep 17 00:00:00 2001
From: amathxbt <116212274+amathxbt@users.noreply.github.com>
Date: Tue, 12 May 2026 18:50:31 -0700
Subject: [PATCH] fix: approval DELETE pattern DOTALL flag allows newline bypass

---
 tools/approval.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tools/approval.py b/tools/approval.py
index d6db5a05a0e..dbb3810886f 100644
--- a/tools/approval.py
+++ b/tools/approval.py
@@ -314,7 +314,9 @@ DANGEROUS_PATTERNS = [
 (r'\bdd\s+.*if=', "disk copy"),
 (r'>\s*/dev/sd', "write to block device"),
 (r'\bDROP\s+(TABLE|DATABASE)\b', "SQL DROP"),
- (r'\bDELETE\s+FROM\b(?!.*\bWHERE\b)', "SQL DELETE without WHERE"),
+ # Use [^\n]* instead of .* so DOTALL mode does not cause a WHERE clause on the
+ # *next* line to satisfy the negative lookahead, silently allowing DELETE without WHERE.
+ (r'\bDELETE\s+FROM\b(?![^\n]*\bWHERE\b)', "SQL DELETE without WHERE"),
 (r'\bTRUNCATE\s+(TABLE)?\s*\w', "SQL TRUNCATE"),
 (r'>\s*/etc/', "overwrite system config"),
 (r'\bsystemctl\s+(-[^\s]+\s+)*(stop|restart|disable|mask)\b', "stop/restart system service"),
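Review bot: The new lookahead `(?![^\n]*\bWHERE\b)` still only checks that the token WHERE appears somewhere later on the same line, not that it belongs to this DELETE statement, so a WHERE in a following `;`-separated statement on that line continues to satisfy it; bounding the scan at a statement terminator as well, `(r'\bDELETE\s+FROM\b(?![^\n;]*\bWHERE\b)', "SQL DELETE without WHERE")`, closes that gap with the same one-line change. The flags the patterns are compiled with (the DOTALL the comment refers to) are not in the hunk, and the `DANGEROUS_PATTERNS` list both starts before and continues after it, so the claim that `.` spans lines is inferred from the comment rather than visible here. Since this is a fix for a detection bypass, it should land with a regression test asserting that `"DELETE FROM t\nWHERE id = 1"` is now flagged and `"DELETE FROM t WHERE id = 1"` still is not, so a later "cleanup" cannot quietly reintroduce `.*`. The comment could also note the intended trade-off in one line, e.g. `# A WHERE on a continuation line is now flagged too — conservative by design for an approval gate.`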