Skip to content

fix(auto-approval): handle heredocs safely #10718

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
hannesrudolph wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(auto-approval): handle heredocs safely #10718

hannesrudolph wants to merge 1 commit into from
+83 −3

Conversation

@hannesrudolph
Copy link
Collaborator

@hannesrudolph hannesrudolph commented Jan 14, 2026
edited by ellipsis-dev bot
Loading

Summary

Fixes command auto-approval false positives / hangs caused by parsing heredoc bodies as shell commands and by overly broad zsh process-substitution detection.

Changes

  • Treat heredoc blocks as a single command when parsing for allow/deny decisions.
  • Tighten zsh process-substitution detection so Python-style x=(...) does not trigger it.
  • Add regression tests.

Repro / test case

import json, pathlib
p=pathlib.Path('.roo/tmp/release-notes/temp_pr_inclusion_v3.40.0.json')
data=json.loads(p.read_text(encoding='utf-8'))
data['policy']='linked-only'
data['notes']=(data.get('notes','')+'; policy set to linked-only by user').lstrip('; ')
p.write_text(json.dumps(data, indent=2)+"\n", encoding='utf-8')
print('policy written')
PY

Test

  • cd src && npx vitest run core/auto-approval/__tests__/commands.spec.ts

Important

Fixes command parsing issues by treating heredocs as single commands and refining zsh process substitution detection, with tests added.

  • Behavior:
    • Treat heredoc blocks as single commands in parseCommand() in parse-command.ts.
    • Refine zsh process substitution detection in containsDangerousSubstitution() in commands.ts to avoid false positives with Python-style assignments.
  • Tests:
    • Add tests in commands.spec.ts to verify heredoc handling and zsh process substitution detection.
  • Functions:
    • Add parseHeredocStart() in parse-command.ts to identify heredoc starts and delimiters.

This description was created by Ellipsis for 9ad3492. You can customize this summary. It will automatically update as commits are pushed.

@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. bug Something isn't working labels Jan 14, 2026
@roomote
Copy link
Contributor

roomote bot commented Jan 14, 2026

Oroocle Clock   Follow along on Roo Cloud

Reviewing your PR now. Feedback coming soon!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrubens mrubens Awaiting requested review from mrubens mrubens is a code owner

@cte cte Awaiting requested review from cte cte is a code owner

@jr jr Awaiting requested review from jr jr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

bug Something isn't working size:M This PR changes 30-99 lines, ignoring generated files.

Projects

Roo Code Roadmap
Status: Triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hannesrudolph