fix: always reject set -u in shell script validation hook #2427
Merged
Conversation
louisgv
approved these changes
Mar 10, 2026
Member
louisgv
left a comment
Security Review
Verdict: APPROVED
Commit: 7a7cee6
Findings
No security issues found. This is a code quality improvement.
Analysis
- Regex safety: Pattern is properly anchored, no ReDoS risk
- Logic correctness: Regex correctly identifies `set -u` in actual commands while skipping comments and strings
- Alignment: Enforces existing CLAUDE.md shell script rules (ban `set -u`, use `${VAR:-}` instead)
- Improvement: Closes loophole where `set -u` was previously allowed with `set -eo pipefail`
Tests
- TypeScript syntax: PASS
- Regex logic: PASS (verified all 8 test cases)
-- security/pr-reviewer
The validate-file.ts hook previously only blocked `set -u` when
`set -eo pipefail` was absent from the file. This allowed scripts
with both `set -eo pipefail` and `set -u` to pass validation,
contradicting the shell rules that unconditionally ban nounset.
Fix the regex to always reject `set -u` variants on actual set
invocation lines (not comments or strings), and update the error
message to recommend `${VAR:-}` instead.
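The check the commit describes, as an added example and not the project's own validate-file.ts code: it flags `set -u` in every spelling (`-u`, `-eu`, `-euo pipefail`, `-o nounset`) on real `set` commands, including ones after `;` or `&&`, while ignoring comments and string literals. All function names and the sample script are constructed here.

```typescript
// Added example, not the project's validate-file.ts: flag `set -u` on real
// `set` commands, ignoring comments and strings. Segments split at unquoted
// `;`, `&`, `|`; an unquoted word-initial `#` starts a comment ($# survives).
function commandSegments(line: string): string[] {
  const out: string[] = [];
  let cur = "";
  let quote: string | null = null; // single quotes literal, double honour `\`
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (quote) {
      if (c === "\\" && quote === '"' && i + 1 < line.length) { cur += c + line[++i]; continue; }
      if (c === quote) quote = null;
      cur += c;
    } else if (c === "'" || c === '"') { quote = c; cur += c; }
    else if (c === "#" && (i === 0 || /\s/.test(line[i - 1]))) break;
    else if (c === ";" || c === "&" || c === "|") { out.push(cur); cur = ""; }
    else cur += c;
  }
  out.push(cur);
  return out.map((s) => s.trim()).filter((s) => s.length > 0);
}
// A `set` command enables nounset via `u` in any option cluster (-u, -eu,
// -euo ...) or `-o nounset`; `set +u` and `set -eo pipefail` do not.
function enablesNounset(segment: string): boolean {
  const words = segment.split(/\s+/);
  if (words[0] !== "set") return false;
  for (let i = 1; i < words.length; i++) {
    const w = words[i];
    if (w === "--" || !w.startsWith("-")) break; // options end here
    if (w === "-o") { if (words[i + 1] === "nounset") return true; i++; continue; }
    if (/^-[A-Za-z]*u[A-Za-z]*$/.test(w)) return true;
  }
  return false;
}
// 1-based numbers of every line the hook would reject.
function findNounset(script: string): number[] {
  return script.split("\n")
    .map((line, idx) => (commandSegments(line).some(enablesNounset) ? idx + 1 : 0))
    .filter((n) => n > 0);
}
// Constructed sample: lines 3, 6 and 7 must be rejected, nothing else.
const SAMPLE_SCRIPT = [
  "#!/usr/bin/env bash",
  "set -eo pipefail",
  "set -u                  # rejected even though pipefail is set above",
  "# set -u                # comment, ignored",
  'echo "run with set -u"  # string literal, ignored',
  "set -euo pipefail       # combined cluster, rejected",
  "true && set -o nounset  # compound command, rejected",
].join("\n");
```

`findNounset(SAMPLE_SCRIPT)` returns `[3, 6, 7]`; a hook would turn each hit into the error message recommending `${VAR:-}`.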
Summary
- Updated the `validate-file.ts` PostToolUse hook to unconditionally reject `set -u` (nounset) in shell scripts
- Previously the hook only blocked `set -u` when `set -eo pipefail` was absent, which allowed scripts with both directives to pass validation, contradicting the shell rules
- The regex now matches actual `set` invocation lines (not comments or string literals) and improved the error message to recommend `${VAR:-}`
Scan results
Performed a comprehensive code quality scan across the codebase:
- Dead code: No dead functions or unused exports found in `sh/shared/*.sh` or `packages/cli/src/`. All shared utilities are actively imported.
- Stale references: No broken imports or references to non-existent files. Manifest matrix status is consistent with actual script files on disk.
- Python usage: None found — all inline scripting uses `bun` or `jq` as required.
- Duplicate utilities: Cloud modules (`waitForCloudInit`, `uploadFile`, `promptSpawnName`) share similar patterns but differ in cloud-specific details (SSH user, IP state, init marker paths). The shared `waitForSsh`, `promptSpawnNameShared`, and `getServerNameFromEnv` are already properly extracted. Remaining duplication is necessary variation.
- Stale comments: No stale comments referencing removed infrastructure or deleted functions found.
Test plan
- `bun test` — 1484 tests pass, 0 failures
- `biome check` — 112 files, no issues
- `bash -n` on all `.sh` files — all pass syntax check
-- qa/code-quality