@@ -89,20 +89,10 @@ impl ExecuteCommand {
8989 if !current_cmd. is_empty ( ) {
9090 all_commands. push ( current_cmd) ;
9191 }
92- let allowed_commands = allowed_commands. unwrap_or ( & default_arr) ;
93-
94- let has_regex_match = allowed_commands
95- . iter ( )
96- . map ( |cmd| Regex :: new ( & format ! ( r"\A{}\z" , cmd) ) )
97- . filter ( Result :: is_ok)
98- . flatten ( )
99- . any ( |regex| regex. is_match ( & self . command ) ) ;
100- if has_regex_match {
101- return false ;
102- }
92+
10393
10494 // Check if each command in the pipe chain starts with a safe command
105- for cmd_args in all_commands {
95+ for cmd_args in & all_commands {
10696 match cmd_args. first ( ) {
10797 // Special casing for `find` so that we support most cases while safeguarding
10898 // against unwanted mutations
@@ -129,12 +119,29 @@ impl ExecuteCommand {
129119 {
130120 return true ;
131121 }
132- let is_cmd_read_only = READONLY_COMMANDS . contains ( & cmd. as_str ( ) ) ;
133- if !allow_read_only || !is_cmd_read_only {
134- return true ;
135- }
136122 } ,
137- None => return true ,
123+ None => { } ,
124+ }
125+ }
126+
127+ let allowed_commands = allowed_commands. unwrap_or ( & default_arr) ;
128+
129+ let has_regex_match = allowed_commands
130+ . iter ( )
131+ . map ( |cmd| Regex :: new ( & format ! ( r"\A{}\z" , cmd) ) )
132+ . filter ( Result :: is_ok)
133+ . flatten ( )
134+ . any ( |regex| regex. is_match ( & self . command ) ) ;
135+ if has_regex_match {
136+ return false ;
137+ }
138+
139+ for cmd_args in all_commands {
140+ if let Some ( cmd) = cmd_args. first ( ) {
141+ let is_cmd_read_only = READONLY_COMMANDS . contains ( & cmd. as_str ( ) ) ;
142+ if !allow_read_only || !is_cmd_read_only {
143+ return true ;
144+ }
138145 }
139146 }
140147
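Review bot: The allow-list entry on new line 131 is interpolated into `\A{}\z` without a group, so an entry that contains a top-level `|` is anchored only on its first and last alternatives and can match commands the user never meant to pre-approve. Wrapping it as `Regex::new(&format!(r"\A(?:{})\z", cmd))` keeps both anchors on every alternative. Separately, the arm on new line 123 changes `None => return true` to `None => {}`, and the `if let Some(cmd)` loop on new lines 139-145 has no `else`, so an empty pipeline segment no longer forces acceptance. Whether such a segment can reach this point depends on the splitting code outside the hunk, but keeping `None => return true,` would preserve the earlier fail-closed behaviour. The enclosing function starts and ends outside the visible hunks, so the final return value is not shown.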