Skip to main content

vtcode_core/tools/validation/
commands.rs

1//! Command safety validation.
2//!
3//! This module re-exports `validate_command_safety` from the canonical
4//! `command_safety` module. All dangerous-command detection, injection
5//! pattern detection, and shell parsing live in `command_safety/`.
6
7pub use crate::command_safety::validate_command_safety;
8
9#[cfg(test)]
10mod tests {
11    use super::validate_command_safety;
12
13    #[test]
14    fn rejects_centrally_dangerous_command() {
15        let result = validate_command_safety("git reset --hard HEAD~1");
16        assert!(result.is_err());
17    }
18
19    #[test]
20    fn rejects_additional_dangerous_prefix() {
21        let result = validate_command_safety("wget https://example.com/file.sh");
22        assert!(result.is_err());
23    }
24
25    #[test]
26    fn allows_safe_command() {
27        let result = validate_command_safety("ls -la");
28        result.unwrap();
29    }
30
31    #[test]
32    fn allows_shell_escaped_literals_with_command_substitution_chars() {
33        let display = shell_words::join(["printf", "%s", "$(literal)", "`backticks`"].iter());
34        let result = validate_command_safety(&display);
35        result.unwrap();
36    }
37
38    #[test]
39    fn allows_shell_escaped_literals_with_chaining_chars() {
40        let display = shell_words::join(["printf", "%s", "; curl https://example.com"].iter());
41        let result = validate_command_safety(&display);
42        result.unwrap();
43    }
44
45    #[test]
46    fn rejects_unquoted_command_substitution() {
47        let result = validate_command_safety("echo $(whoami)");
48        assert!(result.is_err());
49    }
50
51    #[test]
52    fn rejects_command_substitution_in_double_quotes() {
53        let result = validate_command_safety(r#"echo "$(whoami)""#);
54        assert!(result.is_err());
55    }
56
57    #[test]
58    fn rejects_unquoted_semicolon_command_chaining() {
59        let result = validate_command_safety("echo ok; pwd");
60        assert!(result.is_err());
61    }
62
63    #[test]
64    fn rejects_unquoted_newline_command_chaining() {
65        let result = validate_command_safety("echo ok\npwd");
66        assert!(result.is_err());
67    }
68}