MCPcopy Index your code
hub / github.com/codeaashu/claude-code / maskBracesInQuotedContexts

Function maskBracesInQuotedContexts

src/utils/bash/ast.ts:331–371  ·  view source on GitHub ↗

* Mask `{` characters that appear inside single- or double-quoted contexts. * Uses a single-pass bash-aware quote-state scanner instead of a regex. * * A naive regex (`/'[^']*'/g`) mis-detects spans when a `'` appears inside * a double-quoted string: for `echo "it's" {a'}',b}`, it matches from t

(cmd: string)

Source from the content-addressed store, hash-verified

329 * either is safe. Secondary defense: BRACE_EXPANSION_RE in walkArgument.
330 */
331function maskBracesInQuotedContexts(cmd: string): string {
332 // Fast path: no `{` → nothing to mask. Skips the char-by-char scan for
333 // the >90% of commands with no braces (`ls -la`, `git status`, etc).
334 if (!cmd.includes('{')) return cmd
335 const out: string[] = []
336 let inSingle = false
337 let inDouble = false
338 let i = 0
339 while (i < cmd.length) {
340 const c = cmd[i]!
341 if (inSingle) {
342 // Bash single quotes: no escapes, `'` always terminates.
343 if (c === "'") inSingle = false
344 out.push(c === '{' ? ' ' : c)
345 i++
346 } else if (inDouble) {
347 // Bash double quotes: `\` escapes `"` and `\` (also `$`, backtick,
348 // newline — but those don't affect quote state so we let them pass).
349 if (c === '\\' && (cmd[i + 1] === '"' || cmd[i + 1] === '\\')) {
350 out.push(c, cmd[i + 1]!)
351 i += 2
352 } else {
353 if (c === '"') inDouble = false
354 out.push(c === '{' ? ' ' : c)
355 i++
356 }
357 } else {
358 // Unquoted: `\` escapes any next char.
359 if (c === '\\' && i + 1 < cmd.length) {
360 out.push(c, cmd[i + 1]!)
361 i += 2
362 } else {
363 if (c === "'") inSingle = true
364 else if (c === '"') inDouble = true
365 out.push(c)
366 i++
367 }
368 }
369 }
370 return out.join('')
371}
372
373const DOLLAR = String.fromCharCode(0x24)
374

Callers 1

parseForSecurityFromAstFunction · 0.85

Calls 1

pushMethod · 0.45

Tested by

no test coverage detected