data/tools/bash_security library
Classes
- BashSecurityCheckId
  Numeric identifiers for bash security checks (avoids logging strings).
- QuoteExtraction
  Result of extracting quoted content from a command.
- SecurityResult
  Result of a security validation check.
- ValidationContext
  Context passed to each security validator.
Functions
- bashCommandIsSafe(String command) → SecurityResult
  Run all security checks on a command. Returns the first non-passthrough result, or passthrough if all pass.
- bashCommandIsSafe_DEPRECATED(String command) → SecurityResult
  Deprecated version of bashCommandIsSafe for heredoc recursive calls.
- buildValidationContext(String command) → ValidationContext
  Build a ValidationContext from a command string.
- extractBaseCommand(String command) → String
  Extract the base command (first word) from a shell command string, stripping variable assignments and common wrappers.
- extractQuotedContent(String command, {bool isJq = false}) → QuoteExtraction
  Extract quoted content from a command string. Returns strings with different levels of quote stripping.
- hasSafeHeredocSubstitution(String command) → bool
  Check if a command contains a safe heredoc-in-substitution pattern.
- hasUnescapedChar(String content, String char) → bool
  Check if content contains an unescaped occurrence of a single character. Handles bash escape sequences correctly.
- stripSafeHeredocSubstitutions(String command) → String?
  Strip safe $(cat <<'DELIM'...DELIM) heredoc substitutions from a command. Returns the command with heredocs stripped, or null if none found.
- stripSafeRedirections(String content) → String
  Strip safe redirections from content (>/dev/null, 2>&1, </dev/null).