Skip to main content

Module normalize

destructive_command_guard

Module normalize 

Source
Expand description

Command normalization for wrapper prefix stripping.

This module strips common wrapper prefixes (sudo, env, backslash escapes, command) so destructive patterns match consistently regardless of how commands are invoked.

§Design Principles

  • Conservative: Only strip wrappers when syntax is unambiguous.
  • Non-destructive: Never change the meaning of non-wrapper commands.
  • Preserve original: Return both original and normalized forms for explain output.

§Supported Wrappers

  • sudo [-EHnkKSb] [-u user] [-g group] ... - privilege escalation
  • env [-i] [-u name] [NAME=VALUE]... command - environment modification
  • \git, \rm - bash alias bypass (leading backslash)
  • command [-p] [--] cmd - but NOT command -v or command -V (query mode)

Structs§

NormalizeToken
NormalizedCommand
Result of command normalization.
StrippedWrapper
A wrapper that was stripped from the command.

Enums§

NormalizeTokenKind
NormalizeWrapper

Statics§

PATH_NORMALIZER
Regex to strip absolute paths from git/rm binaries.
QUOTED_PATH_NORMALIZER
Regex for normalizing quoted paths that may contain spaces.

Functions§

consume_separator_token
consume_word_token
dequote_segment_command_words
Normalize wrapper/segment command words for matching.
is_env_assignment
normalize_command
Normalize a command by stripping absolute paths from common binaries.
normalize_command_word_token
skip_ascii_whitespace
strip_wrapper_prefixes
Normalize a command by stripping common wrapper prefixes.
tokenize_for_normalization

Type Aliases§

NormalizeTokens