fix(interactive-bash-blocker): prevent false positives on partial word matches (CRITICAL) #55
+11
−11
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…d matches Changed STDIN_REQUIRING_COMMANDS from string .includes() to regex patterns with word boundaries for accurate command detection.
junhoyeo
changed the title
junhoyeo
changed the title
Owner
Analysis: A More Robust ApproachThanks for identifying this false positive issue! After deep analysis, I'd like to propose a fundamentally different approach. The Problem with Regex-based DetectionPerfect static detection of interactive commands is theoretically impossible (similar to the Halting Problem):
Proposed Solution: Environment Configuration Instead of BlockingRather than blocking commands, we should configure the environment as non-interactive: // Instead of pattern matching and throwing errors...
const NON_INTERACTIVE_ENV = {
CI: 'true',
DEBIAN_FRONTEND: 'noninteractive',
GIT_TERMINAL_PROMPT: '0',
SSH_ASKPASS: '/bin/false',
}
// Wrap command with environment + stdin redirect
output.args.command = `${envPrefix} ${command} < /dev/null`Why This Is Better
Example Behavior# Before (regex blocking)
$ su root
> "Blocked: Command requires stdin interaction"
# After (environment config)
$ CI=true su root < /dev/null
> "su: must be run from a terminal" (natural failure)I'll implement this approach instead. Thanks for bringing attention to the false positive issue! |
Owner
|
Closing in favor of environment configuration approach. Will implement a better solution that doesn't rely on regex pattern matching. |
code-yeongyu
added a commit
that referenced
this pull request
Dec 14, 2025
…onment configuration Instead of blocking commands via regex pattern matching (which caused false positives like 'startup', 'support'), now wraps all bash commands with: - CI=true - DEBIAN_FRONTEND=noninteractive - GIT_TERMINAL_PROMPT=0 - stdin redirected to /dev/null TUI programs (text editors, system monitors, etc.) are still blocked as they require full PTY. Other interactive commands now fail naturally when stdin is unavailable. Closes #55 via alternative approach.
Contributor
Author
👍👍👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
The
interactive-bash-blockerhook was producing false positives by blocking commands containing common words like:This happened because
STDIN_REQUIRING_COMMANDSused.includes("su")which matched any string containing "su" as a substring.Example of False Positive
Root Cause
Solution
Changed from string array with
.includes()to regex patterns with word boundaries (\b):Pattern Details
\bsu\b(?!\s*[&|;]|\s+-c)su,su -,su rootsupport,startup,su -c "cmd"\bssh-keygen\b(?!\s+.*-[fNPqy])ssh-keygenssh-keygen -f key -N ""Testing
Files Changed
constants.tsSTDIN_REQUIRING_COMMANDS→STDIN_REQUIRING_PATTERNSwith regexindex.ts.test()instead of.includes()