Skip to content

Stop misclassifying innocuous shell redirections (1.4.0)#6

Merged
gmpassos merged 1 commit into
masterfrom
feature/innocuous-redirection-classification
Jun 30, 2026
Merged

Stop misclassifying innocuous shell redirections (1.4.0)#6
gmpassos merged 1 commit into
masterfrom
feature/innocuous-redirection-classification

Conversation

@gmpassos

Copy link
Copy Markdown
Contributor

Context

Agents routinely append innocuous redirections to commands, and the analyzer mishandled the whole family — 2>&1, 1>&2, 2>/dev/null, >/dev/null, &>/dev/null, >/dev/null 2>&1.

Two concrete defects:

  1. 2>&1 was mis-parsed. The bash tokenizer only knew 2>/2>>, so cmd 2>&1 produced a target-less 2> redirection, a spurious "Redirection without a target" diagnostic, and a phantom CommandInvocation with executable 1. 1>&2 and &>/dev/null broke the same way.
  2. False writeFilesystem. The phantom errorOutput node (and even well-formed >/dev/null) added a writeFilesystem capability → modifyFiles effect, pushing read-only commands toward REVIEW.

Changes

  • AST (command_node.dart): new RedirectionType.mergeStreams, combinedOutput, combinedAppendOutput.
  • All three parsers (shell_parser, windows_cmd_parser, powershell_parser): recognize fd-duplication (N>&M, >&-) and combined redirects (&>, &>>). Merges are self-contained — no consumed word, no phantom command, no diagnostic. Leading-digit fds only trigger when immediately followed by > (so 2foo stays a word).
  • Capability detector: fd-merges add nothing; null-sink targets (/dev/null, NUL, $null) no longer add writeFilesystem/readFilesystem. Genuine targets (> out.txt, &> out.log) still do.
  • BenignRedirectionDetector (new, in the default suite): records merges and null-sink discards as safe-level benign-redirection findings for audit visibility. Decision-neutral since safe < mediumRisk.
  • DangerousOperatorDetector: recognizes >& / &> as redirection sequences so fd-dups aren't mislabeled as output redirection.
  • Version bumped to 1.4.0 + CHANGELOG entry.

Verification

  • dart analyze clean; dart format applied; 428 tests pass (+24 new across parser, capability, security, and end-to-end suites).
  • End-to-end sanity check: ls -la 2>&1, grep x f >/dev/null, foo &>/dev/null, cmd >/dev/null 2>&1allow, no modifyFiles, benign marker present; rm -rf / >/dev/null 2>&1deny (command risk not masked); echo hi > out.txt → still modifyFiles.

Limits (documented in code)

  • Null sinks limited to /dev/null, NUL/NUL:, $null.
  • Only single-digit source fds are modeled (12>&3 is not treated as a merge).

🤖 Generated with Claude Code

…sifying innocuous redirections (1.4.0)

Innocuous shell redirections were misclassified. The bash tokenizer only
knew `2>`/`2>>`, so `cmd 2>&1` produced a target-less `2>` redirection, a
spurious "Redirection without a target" diagnostic, and a phantom command
named `1` — whose `errorOutput` node falsely added a writeFilesystem
capability. `1>&2` and `&>/dev/null` broke the same way, and even
well-formed `>/dev/null` reported a file write.

- AST: add RedirectionType.mergeStreams, combinedOutput, combinedAppendOutput.
- Parsers (bash/posix, windows cmd, powershell): recognize fd-duplication
  (N>&M, >&-) and combined redirects (&>, &>>). Merges are self-contained:
  no consumed word, no phantom command, no diagnostic.
- Capability detector: fd-merges add nothing; null-sink targets (/dev/null,
  NUL, $null) no longer add writeFilesystem/readFilesystem. Genuine targets
  (> out.txt, &> out.log) still do.
- New BenignRedirectionDetector (default suite): records merges and null-sink
  discards as safe-level audit findings; decision-neutral.
- DangerousOperatorDetector: recognize >& / &> as redirection sequences.
- Bump to 1.4.0 + CHANGELOG; +24 tests across all parsers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@codecov

codecov Bot commented Jun 30, 2026

Copy link
Copy Markdown

@gmpassos gmpassos merged commit 1a5be92 into master Jun 30, 2026
2 of 3 checks passed
@gmpassos gmpassos deleted the feature/innocuous-redirection-classification branch June 30, 2026 00:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant