From c7779aad8a68c03e907bbd8ac7b190cff6dda946 Mon Sep 17 00:00:00 2001 From: haseeb-heaven <11544739+haseeb-heaven@users.noreply.github.com> Date: Fri, 3 Jul 2026 12:18:07 +0000 Subject: [PATCH] =?UTF-8?q?=E2=9A=A1=20Bolt:=20Pre-compile=20safety=20rege?= =?UTF-8?q?x=20patterns?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pre-compiles list attributes like `_WRITE_PATTERNS` and `_SENSITIVE_POSIX_PREFIXES` inside `ExecutionSafetyManager` into tuples of `re.Pattern` objects. Refactors check methods to use `p.search(code)` instead of `re.search(p, code)`. This removes significant execution overhead previously caused by frequently calling `re.search` inside list comprehension blocks with `any()` loops. --- .jules/bolt.md | 3 +++ libs/safety_manager.py | 50 +++++++++++++++++++++++------------------- 2 files changed, 31 insertions(+), 22 deletions(-) create mode 100644 .jules/bolt.md diff --git a/.jules/bolt.md b/.jules/bolt.md new file mode 100644 index 0000000..a46a014 --- /dev/null +++ b/.jules/bolt.md @@ -0,0 +1,3 @@ +## 2025-02-24 - Pre-compile regex for performance +**Learning:** Re-compiling regexes in tight loops with `any()` is slow in Python. +**Action:** Use `tuple(re.compile(p) for p in _PATTERNS)` at the class level instead. diff --git a/libs/safety_manager.py b/libs/safety_manager.py index 1da4b28..6d56de2 100644 --- a/libs/safety_manager.py +++ b/libs/safety_manager.py @@ -180,6 +180,27 @@ class ExecutionSafetyManager: r"\bbash\b", ] + _COMPILED_WRITE_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_PATTERNS) + _COMPILED_WRITE_ON_HANDLE_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_ON_HANDLE_PATTERNS) + _COMPILED_SENSITIVE_POSIX_PREFIXES = tuple(re.compile(p, re.IGNORECASE) for p in _SENSITIVE_POSIX_PREFIXES) + _COMPILED_DESTRUCTIVE_PATTERNS = tuple(re.compile(p) for p in _DESTRUCTIVE_PATTERNS) + _COMPILED_SHELL_PATTERNS = tuple(re.compile(p) for p in _SHELL_PATTERNS) + _COMPILED_HOST_ABSOLUTE_POSIX_PREFIXES = tuple(re.compile(p, re.IGNORECASE) for p in [ + r"/etc/\w+", + r"/tmp/\w+", + r"/var/\w+", + r"/usr/\w+", + r"/root/\w+", + r"/home/\w+/", + r"/proc/\w+", + r"/sys/\w+", + r"/dev/\w+", + r"/boot/\w+", + r"/opt/\w+", + r"/mnt/\w+", + r"/media/\w+", + ]) + def __init__(self, unsafe_mode: bool = False): self.unsafe_mode = unsafe_mode @@ -228,7 +249,7 @@ def _has_write_operation(self, code: str) -> bool: """Return True if *code* contains any write operation that must be blocked in SAFE mode. """ - return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_PATTERNS) + return any(p.search(code) for p in self._COMPILED_WRITE_PATTERNS) # ========================= # WRITE-ON-HANDLE DETECTION @@ -240,7 +261,7 @@ def _has_write_on_handle(self, code: str) -> bool: """Return True if *code* calls .write() on any object (handle check). This is intentionally only evaluated when an absolute path is present. """ - return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_ON_HANDLE_PATTERNS) + return any(p.search(code) for p in self._COMPILED_WRITE_ON_HANDLE_PATTERNS) # ========================= # HOST ABSOLUTE PATH CHECK @@ -256,22 +277,7 @@ def _is_host_absolute_path(self, code: str) -> bool: return True # Unquoted well-known POSIX system directory prefixes - _posix_system_prefixes = [ - r"/etc/\w+", - r"/tmp/\w+", - r"/var/\w+", - r"/usr/\w+", - r"/root/\w+", - r"/home/\w+/", - r"/proc/\w+", - r"/sys/\w+", - r"/dev/\w+", - r"/boot/\w+", - r"/opt/\w+", - r"/mnt/\w+", - r"/media/\w+", - ] - if any(re.search(p, code, re.IGNORECASE) for p in _posix_system_prefixes): + if any(p.search(code) for p in self._COMPILED_HOST_ABSOLUTE_POSIX_PREFIXES): return True # open() call whose first positional argument is an absolute path string @@ -285,7 +291,7 @@ def _is_host_absolute_path(self, code: str) -> bool: def _is_sensitive_posix_path(self, code: str) -> bool: """Return True if *code* references a sensitive POSIX system path.""" - return any(re.search(p, code, re.IGNORECASE) for p in self._SENSITIVE_POSIX_PREFIXES) + return any(p.search(code) for p in self._COMPILED_SENSITIVE_POSIX_PREFIXES) # ========================= # MAIN CHECK @@ -326,7 +332,7 @@ def assess_execution(self, code: str, mode: str) -> Decision: # (shutdown, reboot, mkfs, dd, format, diskpart) in addition to # filesystem deletes. # ========================= - if any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS): + if any(p.search(code_lower) for p in self._COMPILED_DESTRUCTIVE_PATTERNS): return Decision(False, ["Destructive operation blocked."]) # ========================= @@ -334,7 +340,7 @@ def assess_execution(self, code: str, mode: str) -> Decision: # BUG FIX #2: Uses _SHELL_PATTERNS with \b word-boundary regex instead # of plain substring `in` check to avoid false positives. # ========================= - if any(re.search(p, code_lower) for p in self._SHELL_PATTERNS): + if any(p.search(code_lower) for p in self._COMPILED_SHELL_PATTERNS): return Decision(False, ["Shell execution is blocked."]) # ========================= @@ -370,7 +376,7 @@ def is_dangerous_operation(self, code: str) -> bool: if not code or not code.strip(): return False code_lower = code.lower() - return any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS) + return any(p.search(code_lower) for p in self._COMPILED_DESTRUCTIVE_PATTERNS) # ========================= # ARTIFACT EXPORT