Function is_safe_command 

pub fn is_safe_command(command: &str) -> bool

Check if a command is considered safe for auto-approval.

Performs shell-aware parsing:

  1. Rejects commands containing dangerous shell constructs ($(...), backticks)
  2. Splits on shell operators (&&, ||, ;, |) and checks every segment
  3. For each segment, strips leading env vars (KEY=val) and path prefixes (/usr/bin/git)
  4. Matches the normalized command against SAFE_COMMANDS using prefix matching
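
The four steps above, written out as an added sketch; this is not the crate's own source. The name is_safe_command_sketch, the helper functions, the SAFE_COMMANDS entries, the word-boundary rule for prefix matching and the rejection of empty segments are all assumptions made for illustration.

```rust
// Added sketch of the four documented steps; not the crate's own source.
// The SAFE_COMMANDS entries below are assumed for illustration.
const SAFE_COMMANDS: &[&str] = &["git status", "git diff", "ls", "cat"];

// True for a shell-style assignment word such as KEY=val.
fn is_assignment(word: &str) -> bool {
    word.split_once('=').map_or(false, |(key, _)| {
        !key.is_empty()
            && !key.starts_with(|c: char| c.is_ascii_digit())
            && key.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
    })
}

// Step 3: drop leading KEY=val words, then the directory part of the program path.
fn normalize(segment: &str) -> String {
    let mut words: Vec<&str> =
        segment.split_whitespace().skip_while(|w| is_assignment(w)).collect();
    if let Some(first) = words.first().copied() {
        words[0] = first.rsplit('/').next().unwrap_or(first);
    }
    words.join(" ")
}

// Step 4: prefix match that must end on a word boundary (an assumption of
// this sketch), so the entry "ls" does not also approve "lsof".
fn matches_allowlist(cmd: &str) -> bool {
    SAFE_COMMANDS.iter().any(|safe| {
        cmd.strip_prefix(*safe)
            .map_or(false, |rest| rest.is_empty() || rest.starts_with(' '))
    })
}

pub fn is_safe_command_sketch(command: &str) -> bool {
    // Step 1: command substitution means the final argument list is unknown here.
    if command.contains("$(") || command.contains('`') {
        return false;
    }
    // Step 2: every segment must pass; an empty segment fails closed (assumption).
    let flat = command.replace("&&", ";").replace("||", ";");
    flat.split(|c: char| c == ';' || c == '|')
        .all(|segment| matches_allowlist(&normalize(segment)))
}

fn main() {
    for cmd in ["FOO=1 /usr/bin/git status", "git status && rm -rf build"] {
        println!("{cmd:?} -> {}", is_safe_command_sketch(cmd));
    }
}
```

Because the split in this sketch ignores quoting, an operator character inside a quoted argument produces extra segments that fail the allowlist, so the sketch errs toward rejecting.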