fix(hooks): preserve commands after shell comments #2124

Open
JSONbored wants to merge 1 commit into main from codex/fix-vulnerability-in-comment-stripping-logic

Conversation

@JSONbored (Owner)
Motivation

  • The shell comment stripper (strip_shell_comments) in content/hooks/package-download-checksum-guard-hook.mdx used a break when encountering an unquoted # at a shell word boundary, which truncated multi-line commands and allowed downloads after a comment to bypass verification checks.

Description

  • Replace the break inside strip_shell_comments with logic that advances to the next newline and continues so the parser skips the comment only through the current line and then resumes scanning the remainder of the command text.
  • Apply the same minimal change to both copies of the hook present in the file: the installCommand-generated hook and the scriptBody copy.
  • The fix preserves existing behavior for quoted or escaped # characters and keeps command_without_comments semantics while preventing multi-line bypasses.

Testing

  • Ran bash -n /tmp/package-download-checksum-guard.sh to validate hook syntax, which succeeded.
  • Executed functional PoC inputs against the extracted hook and observed expected outcomes: curl -LO https://example.com/pkg.zip is blocked without verification, # setup note\ncurl -LO https://example.com/pkg.zip is now blocked (no bypass), echo ok # setup note\ncurl -LO https://example.com/pkg.zip is blocked, quoted # strings are preserved, and a download followed by a real sha256sum -c verification is allowed.
  • Ran pnpm validate:content:strict which passed for content validation.

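The stripper behaviour described in this PR, as an added example in POSIX sh that is not the hook's own code: strip_shell_comments takes a mode argument so the old break behaviour and the fixed skip-to-newline behaviour can be compared on the PR's PoC input, and needs_block is an assumed, simplified stand-in for the hook's download check, not its real logic.

```shell
# Added example, not the hook's code: quote-aware comment stripper as this PR
# describes it, plus a simplified stand-in for the download check.
NL='
'
TAB=$(printf '\t')
# strip_shell_comments TEXT [fixed|break]: drop unquoted '#' comments at word
# boundaries. "fixed" resumes after the comment's line; "break" is the old bug.
strip_shell_comments() {
    rest=$1; mode=${2:-fixed}
    out=''; quote=''; escaped=0; at_boundary=1
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}           # pop the first character
        if [ "$escaped" -eq 1 ]; then out="$out$c"; escaped=0; at_boundary=0; continue; fi
        case "$quote" in                                # inside quotes: copy through
        "'") [ "$c" = "'" ] && quote=''; out="$out$c"; continue ;;
        '"') [ "$c" = '\' ] && escaped=1; [ "$c" = '"' ] && quote=''; out="$out$c"; continue ;;
        esac
        case "$c" in
        "'"|'"') quote=$c; out="$out$c"; at_boundary=0 ;;
        '\') escaped=1; out="$out$c" ;;
        '#')
            if [ "$at_boundary" -eq 1 ]; then
                [ "$mode" = break ] && break            # bug: the rest of the text is lost
                case "$rest" in                         # fix: drop only this line
                *"$NL"*) rest=${rest#*"$NL"}; out="$out$NL" ;;
                *) rest='' ;;
                esac
                at_boundary=1
            else
                out="$out$c"                            # 'a#b' is not a comment
            fi ;;
        ' '|"$TAB"|"$NL"|';'|'&'|'|'|'(') out="$out$c"; at_boundary=1 ;;
        *) out="$out$c"; at_boundary=0 ;;
        esac
    done
    printf '%s' "$out"
}
# Assumed, simplified decision (not the hook's real logic): block when the
# comment-free text downloads something but never runs sha256sum -c.
needs_block() {
    clean=$(strip_shell_comments "$1" "${2:-fixed}")
    case "$clean" in
    *curl*|*wget*) case "$clean" in *"sha256sum -c"*) return 1 ;; *) return 0 ;; esac ;;
    *) return 1 ;;
    esac
}
cmd="# setup note${NL}curl -LO https://example.com/pkg.zip"   # the PR's PoC input
needs_block "$cmd" break && echo "break: blocked" || echo "break: BYPASSED"
needs_block "$cmd" fixed && echo "fixed: blocked" || echo "fixed: bypassed"
```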

@coderabbitai (Bot, Contributor) commented Jun 11, 2026

Important: Review skipped

Review was skipped due to path filters.

Files ignored due to path filters (1)
  • content/hooks/package-download-checksum-guard-hook.mdx is excluded by !content/**

@reviewwed (Bot) commented Jun 11, 2026

Tip: Accepted and merged

Accepted by the maintainer gate.

Status

Verdict: merge
Confidence: 95%
Reason: dual_review_approved
Scope: content/hooks/package-download-checksum-guard-hook.mdx · hooks · package-download-checksum-guard-hook
Formatter: gate-comment-v5

Summary

  • Both reviewers approve (97% / 95%).

Source Review

Duplicate and History Review
  • No duplicate or related entries found in the accepted corpus.

Independent reviews (dual-AI)
  • Reviewer A (gpt-oss-120b): merge · 97% — Hook is in-scope, well-documented with valid sources, non-duplicate, and includes safety controls; ready to merge.
  • Reviewer B (nemotron-3-120b-a12b): merge · 95% — Hook is in-scope, source-backed, non-duplicate, and contains only defensive security content.

Automation notes
  • Automated review by HeyClaude Maintainer Agent.
  • This content-only PR passed content validation, Superagent, and private review. HeyClaude merges accepted source PRs directly; generated artifacts are produced at build/deploy time.

@reviewwed reviewwed Bot added the submission-under-review Private submission gate is reviewing this item label Jun 11, 2026
@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Jun 11, 2026
@superagent-security

Superagent didn't find any vulnerabilities or security issues in this PR.

@reviewwed reviewwed Bot added category:hooks Submission category: hooks submission-merged-by-gate Private submission gate merged this content PR and removed submission-under-review Private submission gate is reviewing this item labels Jun 11, 2026

@reviewwed reviewwed Bot left a comment

Both reviewers approve (97% / 95%).

@JSONbored JSONbored self-assigned this Jun 11, 2026