sanitize_fixtures: dedupe file grep keys and harden token validation

cursoragent · Ben Schellenberger · cursoragent · commit 47551d10f81d · 2026-04-16T07:16:50.000Z
Stop prepending the commit hash to git grep lines, which already use
commit:path:line:content. Reject blocked strings that start with a hyphen
so they cannot be misparsed as git grep flags, and pass patterns with -e
for correct argument handling.

Co-authored-by: Ben Schellenberger &lt;TBRX103@users.noreply.github.com&gt;
diff --git a/sanitize_fixtures.go b/sanitize_fixtures.go
@@ -263,6 +263,9 @@ func validateBlockedRefPathToken(token string) error {
 	if !blockedRefPathTokenPattern.MatchString(token) {
 		return fmt.Errorf("must contain only letters, numbers, dot, underscore, or dash")
 	}
+	if strings.HasPrefix(token, "-") {
+		return fmt.Errorf("cannot start with hyphen")
+	}
 	if strings.HasPrefix(token, ".") || strings.HasSuffix(token, ".") {
 		return fmt.Errorf("cannot start or end with dot")
 	}
@@ -302,14 +305,14 @@ func collectBlockedFileContentMatches(repoPath string, commits []string, blocked
 			return nil, err
 		}
 		for _, line := range lines {
-			matchSet[commit+":"+line] = struct{}{}
+			matchSet[line] = struct{}{}
 		}
 	}
 	return sortedKeys(matchSet), nil
 }
 
 func runGitGrepForCommit(repoPath, commit, blocked string) ([]string, error) {
-	cmd := exec.Command("git", "grep", "-n", "-I", "-F", blocked, commit, "--")
+	cmd := exec.Command("git", "grep", "-n", "-I", "-F", "-e", blocked, commit, "--")
 	cmd.Dir = repoPath
 
 	var stderr bytes.Buffer
@@ -322,7 +325,7 @@ func runGitGrepForCommit(repoPath, commit, blocked string) ([]string, error) {
 		}
 		return nil, fmt.Errorf(
 			"git command failed: git %v\nStdout: %s\nStderr: %s\nError: %w",
-			[]string{"grep", "-n", "-I", "-F", blocked, commit, "--"},
+			[]string{"grep", "-n", "-I", "-F", "-e", blocked, commit, "--"},
 			strings.TrimSpace(string(output)),
 			strings.TrimSpace(stderr.String()),
 			err,

Original file line number	Diff line number	Diff line change
`@@ -263,6 +263,9 @@ func validateBlockedRefPathToken(token string) error {`
`263`	`263`	`if !blockedRefPathTokenPattern.MatchString(token) {`
`264`	`264`	`return fmt.Errorf("must contain only letters, numbers, dot, underscore, or dash")`
`265`	`265`	`}`
	`266`	`+ if strings.HasPrefix(token, "-") {`
	`267`	`+ return fmt.Errorf("cannot start with hyphen")`
	`268`	`+ }`
`266`	`269`	`if strings.HasPrefix(token, ".") \|\| strings.HasSuffix(token, ".") {`
`267`	`270`	`return fmt.Errorf("cannot start or end with dot")`
`268`	`271`	`}`
`@@ -302,14 +305,14 @@ func collectBlockedFileContentMatches(repoPath string, commits []string, blocked`
`302`	`305`	`return nil, err`
`303`	`306`	`}`
`304`	`307`	`for _, line := range lines {`
`305`		`- matchSet[commit+":"+line] = struct{}{}`
	`308`	`+ matchSet[line] = struct{}{}`
`306`	`309`	`}`
`307`	`310`	`}`
`308`	`311`	`return sortedKeys(matchSet), nil`
`309`	`312`	`}`
`310`	`313`
`311`	`314`	`func runGitGrepForCommit(repoPath, commit, blocked string) ([]string, error) {`
`312`		`- cmd := exec.Command("git", "grep", "-n", "-I", "-F", blocked, commit, "--")`
	`315`	`+ cmd := exec.Command("git", "grep", "-n", "-I", "-F", "-e", blocked, commit, "--")`
`313`	`316`	`cmd.Dir = repoPath`
`314`	`317`
`315`	`318`	`var stderr bytes.Buffer`
`@@ -322,7 +325,7 @@ func runGitGrepForCommit(repoPath, commit, blocked string) ([]string, error) {`
`322`	`325`	`}`
`323`	`326`	`return nil, fmt.Errorf(`
`324`	`327`	`"git command failed: git %v\nStdout: %s\nStderr: %s\nError: %w",`
`325`		`- []string{"grep", "-n", "-I", "-F", blocked, commit, "--"},`
	`328`	`+ []string{"grep", "-n", "-I", "-F", "-e", blocked, commit, "--"},`
`326`	`329`	`strings.TrimSpace(string(output)),`
`327`	`330`	`strings.TrimSpace(stderr.String()),`
`328`	`331`	`err,`