fix(examples/hooks): bash_command_validator regex false negatives (#59441) #59508
Open
dhruba-datta wants to merge 1 commit into
Fixes anthropics#59441.

Two regex bugs in _VALIDATION_RULES caused silent false negatives:

1. grep: ^grep\b(?!.*\|) exempted leading grep in pipelines (e.g. "grep foo | wc -l") because the (?!.*\|) lookahead fails on any pipe anywhere in the string. The ^grep anchor already excludes downstream uses like "cat foo | grep bar", so the lookahead was dead code creating false negatives. Dropped it.

2. find: ^find\s+\S+\s+-name\b only matched "find PATH -name" shape. The most common real form — "find PATH -type f -name '*.log'" — was missed because the regex required -name to be adjacent to the path token. Changed to ^find\s+\S+.*\s-name\b to allow arbitrary predicates between the path and -name.

Verified against the full case matrix from the issue plus regression guards (downstream grep, xargs find, findstr, find without -name).
This was referenced May 16, 2026
Fixes #59441.
The _VALIDATION_RULES in examples/hooks/bash_command_validator_example.py had two regex bugs that caused silent false negatives on common command shapes:

grep: ^grep\b(?!.*\|) exempted grep even when it was the leading command of a pipeline (e.g. grep foo | wc -l), because the (?!.*\|) lookahead fails on any pipe anywhere in the string. The lookahead was apparently intended to exempt downstream uses like cat foo | grep bar, but the ^grep anchor already handles that — the lookahead was dead code that turned into a false-negative source. Dropped it.

find: ^find\s+\S+\s+-name\b only matched the find PATH -name shape. The most common real-world form — find PATH -type f -name '*.log' — was missed because of the rigid \S+\s+-name adjacency. Changed to ^find\s+\S+.*\s-name\b to allow arbitrary predicates between the path and -name.

Case matrix (matches the issue body)

- grep foo | wc -l
- grep foo bar.txt | head -5
- find / -type f -name '*.log'
- find . -type d -name node_modules
- find . -maxdepth 2 -name '*.md'

Regression guards (still NOT flagged):

- cat foo | grep bar
- xargs find . -name foo
- find / -type f -newer foo.txt (… -name)
- findstr foo (… \b after find)

Considered switching to shlex-based parsing to also catch prefix forms (sudo grep, time grep) but that would expand the example's scope significantly; happy to do as a follow-up if the maintainers prefer that direction.
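The two regex changes described above, replayed over the PR's case matrix and regression guards as an added example (not the project's code and not the PR's diff). It assumes the hook applies each pattern with `re.search` to the raw command string; `RULES`, `flagged` and `false_negatives` are hypothetical names. It also runs the `sudo`/`time` prefix forms the description defers, to show that the new patterns still miss them.

```python
import re

# (old, new) pattern per rule, as quoted in the PR description.
# The new grep pattern is the old one with the lookahead dropped.
RULES = {
    "grep": (r"^grep\b(?!.*\|)", r"^grep\b"),
    "find": (r"^find\s+\S+\s+-name\b", r"^find\s+\S+.*\s-name\b"),
}

# Commands listed in the PR's case matrix and regression guards.
CASE_MATRIX = [
    "grep foo | wc -l",
    "grep foo bar.txt | head -5",
    "find / -type f -name '*.log'",
    "find . -type d -name node_modules",
    "find . -maxdepth 2 -name '*.md'",
]
REGRESSION_GUARDS = [
    "cat foo | grep bar",
    "xargs find . -name foo",
    "find / -type f -newer foo.txt",
    "findstr foo",
]
# Prefix forms the PR leaves for a shlex-based follow-up (constructed arguments).
PREFIX_FORMS = ["sudo grep foo bar.txt", "time grep foo bar.txt"]


def flagged(command: str, version: str) -> list[str]:
    """Return the names of the rules whose pattern matches the command.

    Assumption: each pattern is applied with re.search on the raw string.
    """
    idx = {"old": 0, "new": 1}[version]
    return [name for name, pats in RULES.items() if re.search(pats[idx], command)]


def false_negatives(commands: list[str], version: str) -> list[str]:
    """Commands that no rule flags under the given pattern version."""
    return [c for c in commands if not flagged(c, version)]


if __name__ == "__main__":
    for cmd in CASE_MATRIX + REGRESSION_GUARDS + PREFIX_FORMS:
        print(f"{cmd!r:40} old={flagged(cmd, 'old')} new={flagged(cmd, 'new')}")
```

Because both rules are anchored with `^` on the unparsed string, any leading wrapper or environment assignment moves the command off the anchor, which is the gap a tokenizing parser would close.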