fix: allow curl/wget with stderr redirects in plan mode bash allowlist

claude · claude · commit 463b0b68228b · 2026-03-03T20:04:28.000Z
The `>` redirect detection in isSafeCommand() was falsely blocking common curl patterns like `curl ... 2>/dev/null` and `curl ... 2>&1 | head`. This prevented agents from fetching web content (e.g. via jina.ai or markdown.new) during planning mode. Fix: strip safe fd redirects (2>/dev/null, 2>&1, &>/dev/null) from the command before checking against destructive patterns, while still blocking actual file redirects like `> output.txt`. https://claude.ai/code/session_01Jk1P5aZPERSzrmA9urfb4B
diff --git a/apps/pi-extension/utils.ts b/apps/pi-extension/utils.ts
@@ -46,7 +46,15 @@ const SAFE_PATTERNS = [
 ];
 
 export function isSafeCommand(command: string): boolean {
-  const isDestructive = DESTRUCTIVE_PATTERNS.some((p) => p.test(command));
+  // Strip safe fd redirects before checking destructive patterns.
+  // This prevents common patterns like `curl ... 2>/dev/null` or
+  // `curl ... 2>&1 | head` from being falsely blocked by the `>` rule.
+  const normalized = command
+    .replace(/\s*\d*>\s*\/dev\/null/g, "")  // N>/dev/null (any fd to /dev/null)
+    .replace(/\s*\d*>&\d+/g, "")            // N>&M (fd merges, e.g. 2>&1)
+    .replace(/\s*&>\s*\/dev\/null/g, "");    // &>/dev/null (bash shorthand)
+
+  const isDestructive = DESTRUCTIVE_PATTERNS.some((p) => p.test(normalized));
   const isSafe = SAFE_PATTERNS.some((p) => p.test(command));
   return !isDestructive && isSafe;
 }
