From c48071347cf088749d8b3026c75ca03c25e3d1c0 Mon Sep 17 00:00:00 2001
From: Pyry Takala
Date: Thu, 20 Nov 2025 23:48:32 +0000
Subject: [PATCH] fix(core): correct bash @P prompt transformation detection

Fix hasPromptCommandTransform to check operatorNode.text instead of operatorNode.type when detecting the @ operator in bash parameter expansions. The type property contains the grammar rule name (e.g., 'operator'), not the literal character '@', so the check was never matching. This bug allowed dangerous bash prompt transformation commands like `echo ${var@P}` to bypass security validation, potentially enabling command injection attacks. Fixes the security vulnerability where @P prompt transformations were not being detected and blocked as intended.
---
 packages/core/src/utils/shell-utils.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/core/src/utils/shell-utils.ts b/packages/core/src/utils/shell-utils.ts
index 2528c9ebc4c..d26122b7059 100644
--- a/packages/core/src/utils/shell-utils.ts
+++ b/packages/core/src/utils/shell-utils.ts
@@ -271,7 +271,7 @@ function hasPromptCommandTransform(root: Node): boolean {
       const transformNode = current.child(i + 1);
       if (
-        operatorNode?.type === '@' &&
+        operatorNode?.text === '@' &&
         transformNode?.text?.toLowerCase() === 'p'
       ) {
         return true;
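Review bot: The diffstat shows this security fix lands with no regression test, so nothing pins the new `operatorNode?.text === '@'` check against the grammar that produced the original `.type` mismatch; add a case to the shell-utils tests asserting that a command containing `${var@P}` (and the `@p` spelling the lowercase comparison also accepts) is rejected by the validator, and that a plain `${var}` expansion still passes. The condition also assumes tree-sitter-bash exposes the `@` as its own child node whose `text` is exactly `@`; a comment such as `// the grammar names this node by rule, not by character — match on .text, not .type` would record why `.text` is used and keep the next reader from "correcting" it back. The loop that sets `current`, `i` and `operatorNode`, and the rest of hasPromptCommandTransform, lie outside the hunk.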