@@ -18,8 +18,8 @@ private string dangerousCommands() {
1818 [
1919 "npm install" , "npm run " , "yarn " , "npm ci(\\b|$)" , "make " , "terraform plan" ,
2020 "terraform apply" , "gomplate " , "pre-commit run" , "pre-commit install" , "go generate" ,
21- "msbuild " , "mvn " , "./mvnw " , "gradle " , "./gradlew " , "bundle install " , "bundle exec " ,
22- "^ant " , "mkdocs build " , "pytest "
21+ "msbuild " , "mvn " , "gradle " , "bundle install " , "bundle exec " , "^ant " , "mkdocs build " ,
22+ "pytest" , "pip install -r " , "pip install --requirement " , "java -jar "
2323 ]
2424}
2525
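Review bot: Dropping the trailing space from `"pytest "` makes that entry broader than its neighbours: if these strings are applied as regular expressions, as `"npm ci(\\b|$)"` and `"^ant "` suggest, `"pytest"` now matches any line that merely contains the substring, such as `pip install pytest-cov`, which is not a test run. Consider the same word-boundary form the list already uses for `npm ci`, `"pytest(\\b|$)"`, so a bare `pytest` at end of line is still caught without widening to other tokens. The removal of `./mvnw ` and `./gradlew ` looks intended to be covered by the `./` heuristic in the second hunk; a one-line comment on the list saying that repo-local wrapper scripts are handled by `LocalCommandExecutionRunStep` would stop a future reader from re-adding them. `dangerousCommands` begins before this hunk.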
@@ -31,21 +31,33 @@ class BuildRunStep extends PoisonableStep, Run {
3131 }
3232}
3333
34+ bindingset [ cmdRegexp]
35+ string wrapLocalCmd ( string cmdRegexp ) { result = "(^|;\\s*|\\s+)" + cmdRegexp + "(\\s+|;|$)" }
36+
3437class LocalCommandExecutionRunStep extends PoisonableStep , Run {
3538 string cmd ;
3639
3740 LocalCommandExecutionRunStep ( ) {
3841 // Heuristic:
39- // Run step with a command starting with `./xxxx`, `sh xxxx`, ...
4042 exists ( string line | line = this .getScript ( ) .splitAt ( "\n" ) .trim ( ) |
4143 // ./xxxx
42- cmd = line .regexpCapture ( "(^|\\s+)\\.\\/(.*)" , 2 )
44+ // TODO: It could also be in the form of `dir/cmd`
45+ cmd = line .regexpCapture ( wrapLocalCmd ( "\\.\\/(.*)" ) , 2 )
4346 or
4447 // sh xxxx
45- cmd = line .regexpCapture ( "(^|\\s+)(ba|z|fi)?sh\\s+(.*)" , 3 )
48+ cmd = line .regexpCapture ( wrapLocalCmd ( "(ba|z|fi)?sh\\s+(.*)" ) , 3 )
49+ or
50+ // node xxxx.js
51+ cmd = line .regexpCapture ( wrapLocalCmd ( "node\\s+(.*)(\\.js|\\.ts)" ) , 2 )
52+ or
53+ // python xxxx.py
54+ cmd = line .regexpCapture ( wrapLocalCmd ( "python\\s+(.*)\\.py" ) , 2 )
55+ or
56+ // ruby xxxx.rb
57+ cmd = line .regexpCapture ( wrapLocalCmd ( "ruby\\s+(.*)\\.rb" ) , 2 )
4658 or
47- // node xxxx
48- cmd = line .regexpCapture ( "(^|\\s+)(node|python|ruby|go) \\s+(.*)" , 3 )
59+ // go xxxx.go
60+ cmd = line .regexpCapture ( wrapLocalCmd ( "go \\s+(.*)\\.go" ) , 2 )
4961 )
5062 }
5163
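Review bot: The last alternative keeps the literal space the old combined pattern had, `"go \\s+(.*)\\.go"`, so it only matches `go` followed by two or more whitespace characters, whereas the sibling `node`, `python` and `ruby` patterns use `\\s+` directly; it should read `cmd = line.regexpCapture(wrapLocalCmd("go\\s+(.*)\\.go"), 2)`. Separately, if `regexpCapture` must match the whole line (as it does for `regexpMatch`), the `;\\s*` and `\\s+` alternatives in `wrapLocalCmd`'s leading group can never apply once `line` has been trimmed, so a script such as `cd sub && ./build.sh` is not captured, a detection gap that is worth either noting in a comment on `wrapLocalCmd` or closing by allowing an arbitrary prefix. A short QLDoc on `wrapLocalCmd` stating that it adds one leading capture group, so callers must index their own groups from 2, would make the `2`/`3` indices in this class self-explanatory. The enclosing class `LocalCommandExecutionRunStep` continues past the hunk.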