Commit graph

1 commit

Author SHA1 Message Date
xy200303
1ebc56ca39 fix(approval): detect shell-expanded command names (#36846)
Command-name obfuscation bypassed the dangerous-command denylist: the
executable name could be spelled with shell tricks that survive regex
matching but still resolve to a blocked command at runtime —
$(echo rm), ${0/x/r}m, backticks, and printf substitutions.

Adds a non-executing shell-word scanner that deobfuscates only at
command positions (start, after ;|&&||, inside $(...), after
sudo/env/exec/... wrappers) and feeds the resulting variants through
the existing HARDLINE_PATTERNS / DANGEROUS_PATTERNS — no second
blocklist. Scoping to command words keeps ordinary arguments
(echo $(echo rm) -rf /) from being promoted into command names.

Co-authored-by: egilewski <1078345+egilewski@users.noreply.github.com>
2026-07-01 01:39:10 -07:00