@aliou/pi-guardrails 0.7.2 → 0.7.3
- package/hooks/permission-gate.ts +7 -2
- package/package.json +1 -1
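--- a/package/hooks/permission-gate.ts
+++ b/package/hooks/permission-gate.ts
@@ -120,7 +120,11 @@ function findDangerousMatch(
 }
 return false;
 });
-
+// Structural matching succeeded -- return result (even if no match).
+// Do NOT fall through to compiled patterns which do raw substring
+// matching and would false-positive on e.g. "sudo" inside a quoted
+// commit message argument.
+return match;
 } catch {
 // Parse failed -- fall back to substring matching on raw string
 for (const p of fallbackPatterns) {
@@ -132,7 +136,8 @@ function findDangerousMatch(
 }
 
 // Check compiled patterns (substring/regex on raw string).
-//
+// Only reached when customPatterns replaces defaults (useBuiltinMatchers
+// is false) or when the structural parse failed and no fallback matched.
 for (const cp of compiledPatterns) {
 if (cp.test(command)) {
 const src = cp.source as DangerousPattern;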
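Review bot: The new `return match;` at the end of the `try` block makes a successful parse authoritative, so on that path the gate now passes any command the structural matchers do not recognise, where 0.7.2 still ran `compiledPatterns` against the raw string. That removes the "sudo"-in-a-commit-message false positive, but it also drops the only check that looked at text inside arguments, which matters when an argument is itself later evaluated as a command. It would also skip user-supplied patterns if those can be configured alongside the built-in matchers; how `compiledPatterns` is populated is outside the hunk, so this needs confirming. I would state the trade-off next to the return, e.g. `// Security note: a clean parse with no structural match is treated as not dangerous; compiled/custom patterns are NOT consulted on this path.`, and add regression tests that pin both the false-positive fix and a nested-command case. `findDangerousMatch` starts and ends outside both hunks.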