Bug: Overly Broad Prefix Matching in classifyShellRisk
File: internal/normalizer/normalizer.go
classifyShellRisk uses strings.HasPrefix to classify shell commands as read-only:
```go
var readOnlyCommands = []string{
	"ls", "cat", "head", "tail", "grep", "find", "echo",
	"pwd", "which", "go test", "go vet",
}

for _, prefix := range readOnlyCommands {
	if strings.HasPrefix(trimmed, prefix) {
		return action.RiskReadOnly
	}
}
```

This causes false positives: commands that start with a read-only prefix but are not read-only are misclassified:
| Command | Matched prefix | Misclassified as |
|---|---|---|
| `catalog_tool --delete` | `cat` | RiskReadOnly ✗ |
| `finder.sh --purge` | `find` | RiskReadOnly ✗ |
| `echo 'rm -rf /' \| bash` | `echo` | RiskReadOnly ✗ |
| `which_version.sh --install` | `which` | RiskReadOnly ✗ |
The echo example is particularly concerning: a destructive command piped from echo into bash would be classified as read-only and skip the destructive check entirely (though governance policies would still block rm -rf).
Fix: Require a word boundary, i.e. match the command name exactly or followed by a space:

```go
for _, cmd := range readOnlyCommands {
	if trimmed == cmd || strings.HasPrefix(trimmed, cmd+" ") {
		return action.RiskReadOnly
	}
}
```

Note that the word-boundary check alone still does not catch the echo pipeline above, which begins with `echo ` and so remains read-only; commands after a pipe or separator (`|`, `;`, `&&`) need to be classified as well, and the most severe result returned.
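The following is an added, self-contained example (not the project's own code) that puts the prefix-matching classifier beside a hardened one so the cases in the table can be run. It goes slightly beyond the fix proposed in this issue: besides requiring a word boundary, it splits the command line on unquoted shell operators (`|`, `||`, `&&`, `;`, `&`, newline), classifies every segment, and returns the most severe risk, so `echo 'rm -rf /' | bash` is no longer read-only. The `Risk` type, its ordering, `RiskUnknown`, and the `destructiveCommands` list are assumptions standing in for the project's `action` package, which the issue does not show.

```go
package main

import (
	"fmt"
	"strings"
)

// Risk is a stand-in for the project's action.Risk* constants (assumption).
// Ordering matters: a higher value is more severe, so max() over segments works.
type Risk int

const (
	RiskReadOnly Risk = iota
	RiskUnknown
	RiskDestructive
)

func (r Risk) String() string {
	return [...]string{"RiskReadOnly", "RiskUnknown", "RiskDestructive"}[r]
}

// readOnlyCommands is the list quoted in the issue.
var readOnlyCommands = []string{
	"ls", "cat", "head", "tail", "grep", "find", "echo",
	"pwd", "which", "go test", "go vet",
}

// destructiveCommands is a constructed stand-in for the project's destructive check.
var destructiveCommands = []string{"rm", "rmdir", "mv", "dd", "mkfs"}

// classifyShellRiskBroken reproduces the behaviour reported in the issue:
// a bare HasPrefix match, with the read-only check running before the destructive one.
func classifyShellRiskBroken(cmd string) Risk {
	trimmed := strings.TrimSpace(cmd)
	for _, prefix := range readOnlyCommands {
		if strings.HasPrefix(trimmed, prefix) {
			return RiskReadOnly
		}
	}
	for _, prefix := range destructiveCommands {
		if strings.HasPrefix(trimmed, prefix) {
			return RiskDestructive
		}
	}
	return RiskUnknown
}

// startsWithWord reports whether s begins with word followed by end-of-string
// or whitespace, so "cat" matches "cat x" but not "catalog_tool".
func startsWithWord(s, word string) bool {
	if !strings.HasPrefix(s, word) {
		return false
	}
	return len(s) == len(word) || s[len(word)] == ' ' || s[len(word)] == '\t'
}

// splitSegments splits a command line on unquoted |, &, ; and newline (so "||"
// and "&&" just yield an empty segment that is dropped). It also reports whether
// an unquoted or double-quoted command substitution (` or $( ) was seen, since
// that hides a command inside an argument that this classifier cannot see.
func splitSegments(cmd string) (segs []string, hasSubst bool) {
	var cur strings.Builder
	var quote byte // 0, '\'' or '"'
	flush := func() {
		if s := strings.TrimSpace(cur.String()); s != "" {
			segs = append(segs, s)
		}
		cur.Reset()
	}
	for i := 0; i < len(cmd); i++ {
		c := cmd[i]
		isSubst := c == '`' || (c == '$' && i+1 < len(cmd) && cmd[i+1] == '(')
		switch {
		case quote != 0:
			if c == quote {
				quote = 0
			} else if quote == '"' && isSubst {
				hasSubst = true // substitution still expands inside double quotes
			}
			cur.WriteByte(c)
		case c == '\'' || c == '"':
			quote = c
			cur.WriteByte(c)
		case c == '\\' && i+1 < len(cmd): // escaped char is never an operator
			cur.WriteByte(c)
			cur.WriteByte(cmd[i+1])
			i++
		case isSubst:
			hasSubst = true
			cur.WriteByte(c)
		case c == '|' || c == '&' || c == ';' || c == '\n':
			flush()
		default:
			cur.WriteByte(c)
		}
	}
	flush()
	return segs, hasSubst
}

// classifySegment applies the word-boundary rule to one simple command,
// checking the destructive list first so "rm" can never be downgraded.
func classifySegment(seg string) Risk {
	for _, c := range destructiveCommands {
		if startsWithWord(seg, c) {
			return RiskDestructive
		}
	}
	for _, c := range readOnlyCommands {
		if startsWithWord(seg, c) {
			return RiskReadOnly
		}
	}
	return RiskUnknown
}

// classifyShellRiskFixed returns the most severe risk across all pipeline
// segments; any command substitution forces at least RiskUnknown.
func classifyShellRiskFixed(cmd string) Risk {
	segs, hasSubst := splitSegments(cmd)
	if len(segs) == 0 {
		return RiskUnknown
	}
	risk := RiskReadOnly
	if hasSubst {
		risk = RiskUnknown
	}
	for _, seg := range segs {
		if r := classifySegment(seg); r > risk {
			risk = r
		}
	}
	return risk
}

func main() {
	// Constructed inputs: the four cases from the issue plus a few extras.
	for _, cmd := range []string{
		"catalog_tool --delete", "finder.sh --purge", "echo 'rm -rf /' | bash",
		"which_version.sh --install", "cat /etc/hosts", "grep foo x; rm -rf /tmp/x",
	} {
		fmt.Printf("%-30q broken=%-16v fixed=%v\n", cmd, classifyShellRiskBroken(cmd), classifyShellRiskFixed(cmd))
	}
}
```

The segment splitter is deliberately conservative: it does not try to evaluate what is inside a `$(...)`, it simply refuses to call the whole line read-only. Any residual doubt should resolve to the non-read-only side, since the read-only label is what lets a command skip the destructive check.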