Heuristic path-escape detection for bash commands. Bash path lint — detect commands that escape the project root.
Heuristic analysis that catches common accidental path escapes. Not designed for adversarial inputs — that’s a kernel sandbox concern.
§What it catches
- Absolute paths outside the project (e.g., `cat /etc/passwd`)
- Relative escapes (e.g., `cd ../../../`)
- Home directory access (e.g., `rm ~/.bashrc`)
§What it allows
- Temp directories (`/tmp`, `$TMPDIR`)
- Device files (`/dev/null`, `/dev/stdout`)
- Paths inside the project root
§What it intentionally ignores
- Dynamic targets (`cd $VAR`, `cd $(cmd)`) — can’t statically resolve
- Quoted strings (commit messages, echo) — stripped before analysis
See crate::bash_safety for the complementary command classification.
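A minimal sketch of the heuristic described above, as an added example and not this crate's own code. The function names, the whitespace tokenizer, the explicit `home` parameter and POSIX-style paths are all assumptions; the allow-list is taken from the examples listed under "What it allows".

```rust
use std::path::{Component, Path, PathBuf};
/// Lexically fold `.` and `..` without touching the filesystem.
fn normalize(p: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in p.components() {
        match c {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Drop quoted spans (commit messages, echo text) before analysis.
fn strip_quoted(cmd: &str) -> String {
    let (mut out, mut quote) = (String::new(), None::<char>);
    for ch in cmd.chars() {
        match quote {
            Some(q) if ch == q => quote = None,
            Some(_) => {}
            None if ch == '"' || ch == '\'' => quote = Some(ch),
            None => out.push(ch),
        }
    }
    out
}

/// Assumed allow-list: temp directory and the device files named on the page.
fn allowed_outside(p: &Path) -> bool {
    p.starts_with("/tmp") || p == Path::new("/dev/null") || p == Path::new("/dev/stdout")
}

/// Hypothetical helper: tokens of `cmd` that resolve outside `root`.
pub fn escapes(cmd: &str, root: &Path, home: &Path) -> Vec<String> {
    strip_quoted(cmd)
        .split_whitespace()
        .filter(|t| !t.contains('$') && !t.contains('`')) // dynamic target: skip
        .filter(|t| t.starts_with('/') || t.starts_with('~') || t.contains(".."))
        .filter(|t| {
            let p = normalize(&match t.strip_prefix('~') {
                Some(rest) => home.join(rest.trim_start_matches('/')),
                None => root.join(t), // join() leaves absolute tokens unchanged
            });
            !p.starts_with(root) && !allowed_outside(&p)
        })
        .map(String::from)
        .collect()
}
```

Because resolution is purely lexical, symlinks inside the project root are not followed, which is one reason a check like this is a lint and not a sandbox.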
Structs§
- `BashPathLint` - Result of linting a bash command for path escapes.
Functions§
- `is_safe_external_path` - Whether `resolved` is a path that is safe to access outside the project root.
- `lint_bash_paths` - Lint a bash command for paths that escape `project_root`.