pub fn extract_shell_commands(content: &str) -> Vec<ExtractedShellCommand>
Extract executable shell commands from heredoc/script content.
This function parses shell content using tree-sitter-bash (via ast-grep) and extracts individual commands that should be evaluated against the main evaluator pipeline. This keeps all destructive knowledge in packs rather than duplicating rules for heredoc content.
§What gets extracted
- Simple commands: `rm -rf /path`, `git reset --hard`
- Pipe sources and targets: commands on either side of `|`
- Commands inside command substitutions: contents of `$(...)`
- Commands inside subshells: contents of `(...)`
§What does NOT get extracted (false positive avoidance)
- Comments: `# rm -rf / dangerous` is NOT executed
- String literals in echo/printf: content inside quotes is data, not execution
- Heredoc delimiters themselves
§Performance
Uses ast-grep for parsing which is very fast (<2ms for typical heredocs). No timeout is enforced here as the AST matcher already has its own timeout.
§Examples
```rust
use destructive_command_guard::heredoc::extract_shell_commands;

// Simple command
let commands = extract_shell_commands("rm -rf /tmp/test");
assert_eq!(commands.len(), 1);
assert_eq!(commands[0].text, "rm -rf /tmp/test");

// Pipeline - both sides extracted
let commands = extract_shell_commands("find . | xargs rm");
assert_eq!(commands.len(), 2);

// Comment - not extracted
let commands = extract_shell_commands("# rm -rf / dangerous");
assert_eq!(commands.len(), 0);
```
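The extraction rules above (split on pipes, descend into `$(...)` and `(...)`, ignore comments and quoted strings) can be seen end to end in the following stand-alone Rust program. It is an added illustration written for this page, not the crate's code: the real `extract_shell_commands` parses with tree-sitter-bash via ast-grep, whereas this toy splitter is a hand-rolled character scanner that returns plain `String`s instead of `ExtractedShellCommand`, and it deliberately ignores backticks, `${...}`, line continuations and other shell syntax. The sample heredoc body in `main` is constructed for the demonstration.

```rust
// Added illustration only: a small hand-rolled command splitter that mimics the
// documented extraction rules. NOT the crate's tree-sitter-bash/ast-grep code.

/// Byte index of the `)` matching the `(` at `open`, honouring quotes.
/// The caller passes the index of a `(`; returns None if unbalanced.
fn matching_close(s: &str, open: usize) -> Option<usize> {
    let b = s.as_bytes();
    let (mut depth, mut in_single, mut in_double) = (0usize, false, false);
    let mut i = open;
    while i < b.len() {
        match b[i] {
            b'\\' if !in_single => i += 1, // skip the escaped byte
            b'\'' if !in_double => in_single = !in_single,
            b'"' if !in_single => in_double = !in_double,
            b'(' if !in_single && !in_double => depth += 1,
            b')' if !in_single && !in_double => {
                depth -= 1;
                if depth == 0 {
                    return Some(i);
                }
            }
            _ => {}
        }
        i += 1;
    }
    None
}

/// Split `content` into top-level command segments: on `|`, `||`, `&&`, `&`,
/// `;` and newlines outside quotes and parentheses. Drops `#` comments.
fn split_top_level(content: &str) -> Vec<String> {
    let chars: Vec<char> = content.chars().collect();
    let (mut segs, mut cur) = (Vec::new(), String::new());
    let (mut depth, mut in_single, mut in_double) = (0usize, false, false);
    let mut i = 0;
    while i < chars.len() {
        let c = chars[i];
        match c {
            '\\' if !in_single && i + 1 < chars.len() => {
                cur.push(c);
                cur.push(chars[i + 1]);
                i += 1;
            }
            '\'' if !in_double => { in_single = !in_single; cur.push(c); }
            '"' if !in_single => { in_double = !in_double; cur.push(c); }
            // Quoted text is data: never split inside it, never treat `#` as a comment.
            _ if in_single || in_double => cur.push(c),
            // `#` starts a comment only at a word boundary, never inside `foo#bar`.
            '#' if cur.ends_with(char::is_whitespace) || cur.is_empty() => {
                while i < chars.len() && chars[i] != '\n' { i += 1; }
                continue;
            }
            '(' => { depth += 1; cur.push(c); }
            ')' => { depth = depth.saturating_sub(1); cur.push(c); }
            '|' | '&' | ';' | '\n' if depth == 0 => {
                // `||` and `&&` are two-character separators.
                if (c == '|' || c == '&') && chars.get(i + 1) == Some(&c) { i += 1; }
                segs.push(std::mem::take(&mut cur));
            }
            _ => cur.push(c),
        }
        i += 1;
    }
    segs.push(cur);
    segs.into_iter().map(|s| s.trim().to_string()).filter(|s| !s.is_empty()).collect()
}

/// Every command that would actually execute: each top-level segment, plus
/// (recursively) the bodies of `$( ... )` substitutions and `( ... )` subshells.
pub fn extract_commands(content: &str) -> Vec<String> {
    let mut out = Vec::new();
    for seg in split_top_level(content) {
        // A bare `( ... )` segment is a subshell: report its contents, not the wrapper.
        if seg.starts_with('(') && matching_close(&seg, 0) == Some(seg.len() - 1) {
            out.extend(extract_commands(&seg[1..seg.len() - 1]));
            continue;
        }
        out.push(seg.clone());
        let b = seg.as_bytes();
        let (mut i, mut in_single, mut in_double) = (0, false, false);
        while i + 1 < b.len() {
            match b[i] {
                b'\'' if !in_double => in_single = !in_single,
                b'"' if !in_single => in_double = !in_double,
                // `$(...)` expands inside double quotes but is literal inside single quotes.
                b'$' if !in_single && b[i + 1] == b'(' => {
                    if let Some(close) = matching_close(&seg, i + 1) {
                        out.extend(extract_commands(&seg[i + 2..close]));
                        i = close;
                    }
                }
                _ => {}
            }
            i += 1;
        }
    }
    out
}

fn main() {
    // Constructed sample heredoc body for the demonstration.
    let body = "set -e\nrm -rf /var/tmp/build # cleanup\necho 'rm -rf /' | tee log\n(cd /tmp && rm -rf scratch)\nVER=$(git describe)\n";
    for cmd in extract_commands(body) {
        println!("{cmd}");
    }
}
```

Running it prints eight commands: the outer `VER=$(git describe)` together with its inner `git describe`, the two subshell members `cd /tmp` and `rm -rf scratch` (without the parentheses wrapper), and neither the `# cleanup` comment nor the single-quoted `rm -rf /` argument of `echo`. Each returned string is what a caller would hand to the evaluator pipeline, which is the division of labour the section above describes: the extractor only finds executable text, and the packs decide whether it is destructive.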