zed/crates/shell_command_parser
Richard Feldman 3be7bdcbd9
Extract nested command substitutions from arithmetic expansions (#54690)
Bash arithmetic expansion `$((...))` can contain command substitutions
like `$(curl evil.com)`. Previously, `extract_commands_from_word_piece`
treated `ArithmeticExpression` as a no-op, so nested commands inside
`$(( ... ))` were never extracted for allowlist checking.

This fix re-parses the `ArithmeticExpression` value string using
`brush_parser::word::parse` and recursively extracts any embedded
command substitutions, mirroring how `CommandSubstitution` and
`DoubleQuotedSequence` are already handled.

Closes SEC-267

Release Notes:

- Commands nested inside bash arithmetic expansions (e.g. `$(($(curl
example.com)))`) are now understood by the tool-calling permissions
regexes.
2026-05-05 16:25:56 +00:00
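Added example, not part of the commit or Zed's code: a simplified Rust scanner showing the recursion the commit message describes, where the body of `$((...))` is re-scanned so that nested `$(...)` commands reach the allowlist check. It is hand-rolled rather than built on `brush_parser`, ignores quoting, escapes and backticks, and the names `find_close`, `extract` and `nested_commands` are assumptions.

```rust
// Added illustration: a simplified scanner, not brush_parser and not Zed's code.
// Quotes, escapes and backticks are ignored to keep the recursion visible.
fn find_close(bytes: &[u8], start: usize) -> Option<usize> {
    let mut depth = 1usize; // one '(' is already open when scanning begins
    for (i, &b) in bytes.iter().enumerate().skip(start) {
        match b {
            b'(' => depth += 1,
            b')' if depth == 1 => return Some(i),
            b')' => depth -= 1,
            _ => {}
        }
    }
    None
}
/// Appends every command inside `$(...)` to `out`, descending into `$((...))`.
fn extract(word: &str, out: &mut Vec<String>) {
    let bytes = word.as_bytes();
    let mut i = 0;
    while i < bytes.len() {
        if !bytes[i..].starts_with(b"$(") {
            i += 1;
            continue;
        }
        let Some(close) = find_close(bytes, i + 2) else {
            // Unbalanced input: fail closed by reporting the tail as a command.
            out.push(word[i + 2..].trim().to_string());
            return;
        };
        if bytes[i + 2] == b'(' && bytes[close - 1] == b')' {
            // Arithmetic expansion: not a command itself, but re-scan its body.
            extract(&word[i + 3..close - 1], out);
        } else {
            let body = &word[i + 2..close];
            out.push(body.trim().to_string());
            extract(body, out); // substitutions can nest inside substitutions
        }
        i = close + 1;
    }
}

/// Hypothetical entry point: commands an allowlist check would need to see.
fn nested_commands(input: &str) -> Vec<String> {
    let mut out = Vec::new();
    extract(input, &mut out);
    out
}
fn main() {
    println!("{:?}", nested_commands("echo $(($(curl example.com)))"));
}
```

Treating the arithmetic branch as a no-op instead of recursing reproduces the gap the commit closes: the constructed input would yield no commands at all.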
..
src Extract nested command substitutions from arithmetic expansions (#54690) 2026-05-05 16:25:56 +00:00
Cargo.toml
LICENSE-GPL