Conversation
Prevent sandbox-wrapped command lines from leaking as output when commands produce no actual output. Adds stripCommandEchoAndPrompt() to isolate real output from marker-based terminal buffer captures. Also adds configurable idle poll interval and shell integration timeout=0 support for faster test execution.
…utput
Anchor prompt-detection regexes to specific prompt shapes instead of broadly matching any line ending with $, #, %, or >. This prevents stripping real command output like "100%", "<div>", or "item #".
In CI, ^C cancellations leave stale prompt fragments before the actual command echo line. The leading-strip loop now continues scanning past unmatched lines until it finds the command echo, instead of breaking on the first non-matching line.
- Add trailing prompt patterns for hostname:path user$ (no @ sign)
- Handle wrapped prompt fragments like "er$" at line boundaries
- Add stripCommandEchoAndPrompt to RichExecuteStrategy marker fallback
- Context-aware wrapped prompt continuation detection
…tripping
- Add bubblewrap and socat to Linux CI apt-get install
- Make sandbox test assertions platform-aware (macFileSystem vs linuxFileSystem)
- Make /etc/shells test accept both macOS and Linux first-line format
- Broaden wrapped prompt fragment regex to handle path chars (ts/testWorkspace$)
- Fix continuation pattern to match user@host:path wrapped lines
- Apply stripCommandEchoAndPrompt to getOutput() in BasicExecuteStrategy (basic shell integration lacks reliable 133;C markers so getOutput() can include command echo)
- Keep RichExecuteStrategy getOutput() unstripped (rich integration has reliable markers)
…railing prompt regex matching
…ssage
- Handle /usr/bin/bash (Linux) vs /bin/bash (macOS) in /tmp write test
- Handle 'Read-only file system' (Linux) vs 'Operation not permitted' (macOS)
- Add 'Read-only file system' to outputLooksSandboxBlocked heuristic
- Replace newlines with spaces (not empty) to handle terminal wrapping
- Extract outputLooksSandboxBlocked as exported function with unit tests
…andbox-no-output-leak
Add execPath to IRemoteAgentEnvironment so the server sends its actual process.execPath to the client. The sandbox service now uses this instead of hardcoding appRoot + '/node', which only works in production builds.
…dle partial command echoes
- setupRecreatingStartMarker returns IDisposable to stop marker recreation before sending commands (prevents marker jumping on PSReadLine re-renders)
- noneExecuteStrategy waits for cursor to move past start line after sendText before starting idle detection (prevents end marker at same line as start)
- findCommandEcho supports suffix matching for partial command echoes from wrapped getOutput() results (shell integration ON with long commands)
- Suffix matching requires mid-word split to avoid false positives on output that happens to be a suffix of the command (e.g. echo output)
- Integration tests: use ; separator on Windows, add && conversion test, handle Windows exit code quirks with cmd /c
- Strip sensitive data from debug logs (log metadata only)
- Use array join instead of O(n^2) string concat in stripNewLinesAndBuildMapping
- Add 5s timeout to cursor-move wait to prevent indefinite hangs
- Align shellIntegrationTimeout descriptions (0 = skip the wait)
These are required for terminal sandbox integration tests.
Shell integration cannot be injected into /bin/sh, causing loss of exit code detection. This matches the existing cmd.exe -> powershell override pattern.
… lines
- Extend bracketed prompt patterns from isUnixAt to isUnix so prompts like [W007DV9PF9-1:~/path] are recognized (CI macOS prompt format)
- Cap trailing prompt stripping at 2 non-empty lines to prevent over-stripping legitimate output
- Add unit tests for bracketed prompt without @ format
Split trailing prompt patterns into two categories:
- Complete prompts (user@host:~ $, PS C:\>, etc.) stop stripping immediately — anything above is command output, not a wrapped prompt
- Fragment patterns (er$, ] $, [host:~/path...) allow continued stripping to reassemble wrapped prompts
This prevents falsely stripping output lines that happen to end with $ or # when a real complete prompt sits below them. Added adversarial tests verifying correct behavior for output containing prompt-like characters.
… idle detection, improve sandbox failure detection, force bash over sh (#303754)

* fix: strip command echo and prompt from terminal output (#303531)
  Prevent sandbox-wrapped command lines from leaking as output when commands produce no actual output. Adds stripCommandEchoAndPrompt() to isolate real output from marker-based terminal buffer captures. Also adds configurable idle poll interval and shell integration timeout=0 support for faster test execution.
* Fix compilation errors
* fix: tighten trailing prompt stripping to avoid dropping legitimate output
  Anchor prompt-detection regexes to specific prompt shapes instead of broadly matching any line ending with $, #, %, or >. This prevents stripping real command output like "100%", "<div>", or "item #".
* Review feedback
* fix: skip stale prompt fragments before command echo in stripping
  In CI, ^C cancellations leave stale prompt fragments before the actual command echo line. The leading-strip loop now continues scanning past unmatched lines until it finds the command echo, instead of breaking on the first non-matching line.
* fix: handle macOS CI prompt format and add stripping to rich strategy
  - Add trailing prompt patterns for hostname:path user$ (no @ sign)
  - Handle wrapped prompt fragments like "er$" at line boundaries
  - Add stripCommandEchoAndPrompt to RichExecuteStrategy marker fallback
  - Context-aware wrapped prompt continuation detection
* fix: Linux CI sandbox prereqs, platform-aware tests, broader prompt stripping
  - Add bubblewrap and socat to Linux CI apt-get install
  - Make sandbox test assertions platform-aware (macFileSystem vs linuxFileSystem)
  - Make /etc/shells test accept both macOS and Linux first-line format
  - Broaden wrapped prompt fragment regex to handle path chars (ts/testWorkspace$)
  - Fix continuation pattern to match user@host:path wrapped lines
  - Apply stripCommandEchoAndPrompt to getOutput() in BasicExecuteStrategy (basic shell integration lacks reliable 133;C markers so getOutput() can include command echo)
  - Keep RichExecuteStrategy getOutput() unstripped (rich integration has reliable markers)
* fix: detect sandbox failures heuristically when exit code is unavailable
* Relax some tests when shell integration is off
* refactor: extract findCommandEcho and use prompt evidence to narrow trailing prompt regex matching
* Cover case where the command is duplicated in `stripCommandEchoAndPrompt`
* Fix sandbox tests for Linux: handle different shell path and error message
  - Handle /usr/bin/bash (Linux) vs /bin/bash (macOS) in /tmp write test
  - Handle 'Read-only file system' (Linux) vs 'Operation not permitted' (macOS)
  - Add 'Read-only file system' to outputLooksSandboxBlocked heuristic
  - Replace newlines with spaces (not empty) to handle terminal wrapping
  - Extract outputLooksSandboxBlocked as exported function with unit tests
* Fix slash history test
* Fix sandbox execPath resolution for remote environments
  Add execPath to IRemoteAgentEnvironment so the server sends its actual process.execPath to the client. The sandbox service now uses this instead of hardcoding appRoot + '/node', which only works in production builds.
* Fix terminal output capture: prevent premature idle detection and handle partial command echoes
  - setupRecreatingStartMarker returns IDisposable to stop marker recreation before sending commands (prevents marker jumping on PSReadLine re-renders)
  - noneExecuteStrategy waits for cursor to move past start line after sendText before starting idle detection (prevents end marker at same line as start)
  - findCommandEcho supports suffix matching for partial command echoes from wrapped getOutput() results (shell integration ON with long commands)
  - Suffix matching requires mid-word split to avoid false positives on output that happens to be a suffix of the command (e.g. echo output)
  - Integration tests: use ; separator on Windows, add && conversion test, handle Windows exit code quirks with cmd /c
* Fix mock in unit test
* Address PR feedback: logging, performance, timeout, and docs
  - Strip sensitive data from debug logs (log metadata only)
  - Use array join instead of O(n^2) string concat in stripNewLinesAndBuildMapping
  - Add 5s timeout to cursor-move wait to prevent indefinite hangs
  - Align shellIntegrationTimeout descriptions (0 = skip the wait)
* Install bubblewrap and socat in Linux CI pipelines
  These are required for terminal sandbox integration tests.
* Force /bin/bash over /bin/sh for copilot terminal profile
  Shell integration cannot be injected into /bin/sh, causing loss of exit code detection. This matches the existing cmd.exe -> powershell override pattern.
* Fix bracketed prompt without @ and cap trailing prompt stripping at 2 lines
  - Extend bracketed prompt patterns from isUnixAt to isUnix so prompts like [W007DV9PF9-1:~/path] are recognized (CI macOS prompt format)
  - Cap trailing prompt stripping at 2 non-empty lines to prevent over-stripping legitimate output
  - Add unit tests for bracketed prompt without @ format
* Distinguish complete vs fragment prompts to prevent false stripping
  Split trailing prompt patterns into two categories:
  - Complete prompts (user@host:~ $, PS C:\>, etc.) stop stripping immediately — anything above is command output, not a wrapped prompt
  - Fragment patterns (er$, ] $, [host:~/path...) allow continued stripping to reassemble wrapped prompts
  This prevents falsely stripping output lines that happen to end with $ or # when a real complete prompt sits below them. Added adversarial tests verifying correct behavior for output containing prompt-like characters.
* Attempt to cover up the `run_in_terminal` tool not being registered quickly
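The complete-versus-fragment rule and the two-line cap described in the commit message above, as an added sketch that is not the VS Code implementation. The function name, constants and regexes are assumptions chosen to match only the prompt shapes the message quotes.

```typescript
// Added illustration; names and regexes are assumptions, not VS Code's code.

// Complete prompts: once one is seen, everything above it is command output.
const COMPLETE_PROMPT: RegExp[] = [
  /^[\w.-]+@[\w.-]+:\S*\s?[$#]\s*$/, // user@host:~ $
  /^PS [A-Za-z]:\\.*>\s*$/,          // PS C:\>
];

// Fragments: pieces of a prompt that wrapped at the terminal width.
const PROMPT_FRAGMENT: RegExp[] = [
  /^[A-Za-z]{1,3}[$#]\s*$/,          // "er$"
  /^\]\s?[$#]\s*$/,                  // "] $"
  /^\[[\w.-]+:\S*$/,                 // "[host:~/path..."
];

// Cap on fragment lines removed, so a run of prompt-like output survives.
const MAX_FRAGMENT_LINES = 2;

function stripTrailingPrompt(captured: string): string {
  const lines = captured.split(/\r?\n/);
  let end = lines.length;
  let fragments = 0;
  while (end > 0 && fragments < MAX_FRAGMENT_LINES) {
    const line = lines[end - 1].trim();
    if (line === '') { end--; continue; } // blank lines do not count toward the cap
    if (COMPLETE_PROMPT.some(r => r.test(line))) {
      end--;  // drop the prompt and stop: lines above are output
      break;
    }
    if (PROMPT_FRAGMENT.some(r => r.test(line))) {
      end--;  // keep scanning upward to reassemble a wrapped prompt
      fragments++;
      continue;
    }
    break;    // ordinary output such as "100%" or "item #"
  }
  return lines.slice(0, end).join('\n').trimEnd();
}

// Constructed capture: output that looks like a fragment above a real prompt.
console.log(JSON.stringify(stripTrailingPrompt('er$\nuser@host:~ $')));
```
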
…3846)

* fix: exclude sandbox analyzer when sandbox rewriting is disabled
  When `ConfirmTerminalCommandTool` (used by CLI for `vscode_get_terminal_confirmation`) disables sandbox command rewriting via `_enableCommandLineSandboxRewriting = false`, the `CommandLineSandboxAnalyzer` was still active and returning `forceAutoApproval: true`. This caused the confirmation to be skipped even though the command would not actually be sandboxed.
  Guard `CommandLineSandboxAnalyzer` with the same `_enableCommandLineSandboxRewriting` check that already guards `CommandLineSandboxRewriter`.
  Fixes microsoft/vscode-internalbacklog#7187
* update doc comment for _enableCommandLineSandboxRewriting
* clarify test name per review feedback

* fix: remove escapeMarkdownSyntaxTokens from terminal command labels
  Fixes #303844
  The command text in ChatTerminalThinkingCollapsibleWrapper was being escaped with escapeMarkdownSyntaxTokens(), which adds backslashes before chars like - * # etc. This is unnecessary because the text is always rendered inside markdown code spans or via .textContent, both of which treat content as literal.
  Also adds a component fixture for the terminal collapsible wrapper to enable visual regression testing of command label rendering.
* fix: use DOM nodes instead of MarkdownString for sandbox command labels
  Addresses review feedback: commands containing backticks (common in PowerShell) would break the inline-code markdown spans. Now both sandbox and non-sandbox paths use text nodes + <code> elements with .textContent, which is always safe for arbitrary command text.
  Also adds fixture cases for backtick-containing commands to catch this class of issue.
* fix: remove colons from fixture names to fix CI artifact paths
* add screenshot baselines for terminal collapsible fixtures
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)