
fix(shell): replace polynomial-regex patterns flagged by CodeQL#147

Merged
mabry1985 merged 1 commit into dev from fix/shell-regex-redos on Apr 26, 2026

Conversation


@mabry1985 mabry1985 commented Apr 26, 2026

Unblocks the dev → main promotion in PR #141.

CodeQL flagged two js/polynomial-redos alerts on the background-shell wrapper code landed in #140:

  • shell.ts:292 ('&+$' on a trimmed string)
  • shell.ts:305 ('\s*&\s*$' on a trimmed string)

Practical risk is low (inputs are bounded, model-emitted shell commands), but the alerts are gating PR #141. Swap each regex for a plain string-op equivalent — same intent, no quantifier-on-quantifier shape for the analyzer to flag.

55/55 shell tests still pass.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Refactor
    • Optimized internal shell command string processing logic for improved maintainability.

CodeQL flagged two new alerts on the background-shell wrapper code
landed in #140:
  - js/polynomial-redos at shell.ts:292 ('&+$' on a trimmed string)
  - js/polynomial-redos at shell.ts:305 ('\\s*&\\s*$' on a trimmed string)

Both are low practical risk (the inputs are bounded model-emitted
shell commands) but the alert is blocking the dev → main promotion
in PR #141. Swap each for a plain string-op equivalent — same intent,
no quantifier-on-quantifier shape for the analyzer to flag.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
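An added example, not the project's shell.ts code (the PR page shows no diff): each flagged pattern next to the kind of string-op replacement the description and walkthrough name (endsWith, slice, trimEnd), with a check over constructed inputs that the two forms agree. The way each pattern is applied (replace with an empty string on a trimmed command) is an assumption; only the two patterns and the string methods come from the page.

```typescript
// Added example: the two CodeQL-flagged patterns beside string-op equivalents.
// The surrounding usage is assumed; only the patterns are from the PR.

// Pattern 1 (assumed usage): strip every trailing '&' from a trimmed command.
function stripTrailingAmpersandsRegex(cmd: string): string {
  return cmd.trim().replace(/&+$/, '').trimEnd();
}

// String-op equivalent: no quantifier for the analyzer to flag, linear time.
function stripTrailingAmpersands(cmd: string): string {
  let s = cmd.trim();
  while (s.endsWith('&')) {
    s = s.slice(0, -1);
  }
  return s.trimEnd();
}

// Pattern 2 (assumed usage): remove one trailing '&' plus surrounding whitespace.
function stripBackgroundOperatorRegex(cmd: string): string {
  return cmd.trim().replace(/\s*&\s*$/, '');
}

// String-op equivalent: a trimmed string has no trailing whitespace, so only
// the final '&' and the whitespace before it need removing.
function stripBackgroundOperator(cmd: string): string {
  const s = cmd.trim();
  return s.endsWith('&') ? s.slice(0, -1).trimEnd() : s;
}

// Constructed inputs covering the edge cases a reviewer would ask about.
const SAMPLE_COMMANDS: string[] = [
  'sleep 30 &',
  'sleep 30&&',                      // two trailing '&' (not a valid '&&' chain)
  'npm run build   &  ',
  'echo done',                       // no background operator at all
  '&',                               // operator only
  'echo' + ' '.repeat(200) + 'x',    // long internal whitespace run, no '&':
                                     // the shape that makes \s*&\s*$ backtrack
];

// True when both implementations agree on every sample.
function equivalentOnSamples(): boolean {
  return SAMPLE_COMMANDS.every(
    (c) =>
      stripTrailingAmpersandsRegex(c) === stripTrailingAmpersands(c) &&
      stripBackgroundOperatorRegex(c) === stripBackgroundOperator(c),
  );
}
```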
@mabry1985 mabry1985 merged commit 6613a6e into dev Apr 26, 2026
1 of 2 checks passed
@mabry1985 mabry1985 deleted the fix/shell-regex-redos branch April 26, 2026 23:16

coderabbitai Bot commented Apr 26, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5ec0f5c3-f303-487b-92b6-6d6748984406

📥 Commits

Reviewing files that changed from the base of the PR and between e973040 and e8cd4e7.

📒 Files selected for processing (1)
  • packages/core/src/tools/shell.ts

Walkthrough

Modified trailing ampersand (&) normalization in shell command execution logic. Replaced regex-based removal with deterministic string operations for Windows background execution and non-Windows disk-captured background execution, without altering control flow or behavior.

Changes

Cohort / File(s): Shell tool string cleanup (packages/core/src/tools/shell.ts)
Summary: Updated trailing & character removal from regex patterns (/&+$/) to explicit string operations using endsWith(), slice(), and trimEnd() for improved determinism in Windows and non-Windows background execution paths.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

