* Parses command arguments using shell-quote, converting glob objects to strings. * This is necessary because shell-quote parses patterns like *.txt as glob objects, * but we need them as strings for path validation.
(cmd: string)
| 789 | * but we need them as strings for path validation. |
| 790 | */ |
function parseCommandArguments(cmd: string): string[] {
  // The callback turns each variable reference back into its literal `$NAME`
  // text, so nothing is expanded here: the returned arguments hold `$NAME`,
  // not the value a shell would substitute at run time.
  const outcome = tryParseShellCommand(cmd, name => `$${name}`)

  // NOTE(review): a command that fails to parse yields [], which is also what
  // a command with no arguments yields. Confirm that the path-validation
  // caller rejects malformed input itself instead of reading [] as
  // "nothing to validate".
  if (!outcome.success) {
    return []
  }

  const args: string[] = []
  for (const token of outcome.tokens) {
    // Plain strings pass through unchanged, including "" (e.g., grep "" /tmp/t).
    if (typeof token === 'string') {
      args.push(token)
      continue
    }

    // Glob entries arrive as objects; flatten them to their pattern text so
    // the validator sees the same string the user typed (e.g. *.txt).
    if (
      typeof token === 'object' &&
      token !== null &&
      'op' in token &&
      token.op === 'glob' &&
      'pattern' in token
    ) {
      args.push(String(token.pattern))
    }

    // Every other token shape is dropped without a trace (presumably
    // shell-quote operator and comment entries; TODO confirm). The result
    // therefore carries no command boundaries; callers are assumed to split
    // compound commands before calling this.
  }

  return args
}
| 818 | |
| 819 | /** |
| 820 | * Validates a single command for path constraints and shell safety. |