fix(core): properly support allowRedirect in policy engine (#23579)

packages/core/src/utils/shell-utils.test.ts

@@ -19,6 +19,7 @@ import {
   getShellConfiguration,
   initializeShellParsers,
   parseCommandDetails,
+  splitCommands,
   stripShellWrapper,
   hasRedirection,
   resolveExecutable,
@@ -304,6 +305,40 @@ describeWindowsOnly('PowerShell integration', () => {
   });
 });
 
+describe('splitCommands', () => {
+  it('should split chained commands', () => {
+    expect(splitCommands('ls -l && git status')).toEqual([
+      'ls -l',
+      'git status',
+    ]);
+  });
+
+  it('should filter out redirection tokens but keep command parts', () => {
+    // Standard redirection
+    expect(splitCommands('echo "hello" > file.txt')).toEqual(['echo "hello"']);
+    expect(splitCommands('printf "test" >> log.txt')).toEqual([
+      'printf "test"',
+    ]);
+    expect(splitCommands('cat < input.txt')).toEqual(['cat']);
+
+    // Heredoc/Herestring
+    expect(splitCommands('cat << EOF\nhello\nEOF')).toEqual(['cat']);
+    // Note: The Tree-sitter bash parser includes the herestring in the main
+    // command node's text, unlike standard redirections which are siblings.
+    expect(splitCommands('grep "foo" <<< "foobar"')).toEqual([
+      'grep "foo" <<< "foobar"',
+    ]);
+  });
+
+  it('should extract nested commands from process substitution while filtering the redirection operator', () => {
+    // This is the key security test: we want cat to be checked, but not the > >(...) wrapper part
+    const parts = splitCommands('echo "foo" > >(cat)');
+    expect(parts).toContain('echo "foo"');
+    expect(parts).toContain('cat');
+    expect(parts.some((p) => p.includes('>'))).toBe(false);
+  });
+});
+
 describe('stripShellWrapper', () => {
   it('should strip sh -c with quotes', () => {
     expect(stripShellWrapper('sh -c "ls -l"')).toEqual('ls -l');