From e87fe6b6c874bc06b8b093e1218d271e416e161a Mon Sep 17 00:00:00 2001
From: jarrodcoulter
Date: Fri, 6 Feb 2026 10:57:56 -0600
Subject: [PATCH] Update regex for DEFAULT_DESTRUCTIVE_CMD pattern

Previously matched dd if= only; missed dd if=/... without space. Updated regex to dd\\s+if\\s*= and kept other destructive commands. Tested locally: dd if=/dev/zero... now blocked.
---
 src/patterns.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/patterns.ts b/src/patterns.ts
index 468c211..2fc2b0d 100644
--- a/src/patterns.ts
+++ b/src/patterns.ts
@@ -42,8 +42,9 @@ export const PII_PATTERNS: NamedPattern[] = [
 // ============================================================================
 // Destructive Command Pattern
 // ============================================================================
+// NOTE: dd patterns should catch both "dd if=/..." and variants with spaces around '='.
 
-export const DEFAULT_DESTRUCTIVE_CMD = /\b(rm|rmdir|unlink|del|format|mkfs|dd\s+if=)\b/;
+export const DEFAULT_DESTRUCTIVE_CMD = /\b(rm|rmdir|unlink|del|format|mkfs)\b|\bdd\s+if\s*=/;
 
 // ============================================================================
 // Sensitive File Patterns
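Review bot: The new `\bdd\s+if\s*=` alternative in `DEFAULT_DESTRUCTIVE_CMD` still fires only when `if=` is the first operand after `dd`. dd takes its operands in any order and the one that overwrites data is `of=`, so an invocation that starts with `of=` or `bs=` is not flagged. I would key the alternative on either operand anywhere in the same simple command: `/\b(rm|rmdir|unlink|del|format|mkfs)\b|\bdd\b[^|;&\n]*\b(?:if|of)\s*=/`. The description says this was tested locally, but the diffstat shows only `src/patterns.ts` changed. A regression test pinning `dd if=/dev/zero ...` and a reordered-operand case would keep the guard from regressing. The `// NOTE:` comment could also explain the actual cause: the old trailing `\b` required a word character after `=`, which a path starting with `/` is not.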