From 38ca55a8eb68f937b9adc0e4624e63ca4bfaa999 Mon Sep 17 00:00:00 2001
From: Spencer
Date: Tue, 10 Mar 2026 23:03:19 +0000
Subject: [PATCH] fix(policy): update comments for escapeRegex usage in pattern builders

- Reverted the removal of `escapeRegex` around `JSON.stringify()` in `buildFilePathArgsPattern` and `buildPatternArgsPattern`. As pointed out in PR review #20361, `escapeRegex` is required to prevent Regular Expression control characters (like `.` or `+` in filenames) from acting as regex wildcards, which could allow overly broad policy matches (e.g. `foo.ts` matching `fooXts`).
- Removed the old comment documenting LLM generation.
- Added explanatory comments explaining exactly why `escapeRegex` is necessary for safety when matching literal stringified arguments.
---
 packages/core/src/policy/utils.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/packages/core/src/policy/utils.ts b/packages/core/src/policy/utils.ts
index bec3e9e0cd..f16baa6c0f 100644
--- a/packages/core/src/policy/utils.ts
+++ b/packages/core/src/policy/utils.ts
@@ -97,10 +97,10 @@ export function buildArgsPatterns(
  * @returns A regex string that matches "file_path":"" in a JSON string.
  */
 export function buildFilePathArgsPattern(filePath: string): string {
-  // JSON.stringify safely encodes the path (handling quotes, backslashes, etc)
-  // and wraps it in double quotes. We simply prepend the key name and escape
-  // the entire sequence for Regex matching without any slicing.
   const encodedPath = JSON.stringify(filePath);
+  // We must wrap the JSON string in escapeRegex to ensure regex control characters
+  // (like '.' in file extensions) are treated as literals, preventing overly broad
+  // matches (e.g. 'foo.ts' matching 'fooXts').
   return escapeRegex(`"file_path":${encodedPath}`);
 }
 
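Review bot: The replacement comment in buildFilePathArgsPattern drops the one fact a reader needs next to `JSON.stringify(filePath)` — that it also escapes embedded quotes and backslashes and wraps the value in double quotes, which is why the key can simply be prepended without slicing — and the new three lines only say why escapeRegex is applied afterwards. I would keep one sentence of the old text ahead of the new one, e.g. `// JSON.stringify escapes quotes/backslashes and wraps the value in double quotes;` `// escapeRegex then neutralises regex metacharacters in that literal (including the` `// backslashes JSON.stringify introduced), so 'foo.ts' cannot match 'fooXts'.` The same applies to the one-line comment added to buildPatternArgsPattern in the second hunk, which should carry the same explanation or refer to this one rather than a shorter restatement. Whether the emitted backslashes are in fact covered depends on escapeRegex, which is outside this diff and worth confirming. Note also that both hunks show `return escapeRegex(...)` as unchanged context, so the "reverted the removal" bullet in the description presumably refers to an earlier commit rather than to this one.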
@@ -113,5 +113,6 @@ export function buildFilePathArgsPattern(filePath: string): string {
  */
 export function buildPatternArgsPattern(pattern: string): string {
   const encodedPattern = JSON.stringify(pattern);
+  // We use escapeRegex to ensure regex control characters are treated as literals.
   return escapeRegex(`"pattern":${encodedPattern}`);
 }