From d070b8698d39ecbbb5c617aeec50756566946faf Mon Sep 17 00:00:00 2001
From: teknium1
Date: Thu, 19 Feb 2026 15:12:02 -0800
Subject: [PATCH] fix: escape file glob patterns in ShellFileOperations
- Updated the file glob and include filters in the ShellFileOperations class to escape shell arguments, preventing unintended shell expansion.
- Added comments to clarify the necessity of quoting for file glob patterns.
---
 tools/file_operations.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/file_operations.py b/tools/file_operations.py
index 73f3f9e9d..64ce6d86a 100644
--- a/tools/file_operations.py
+++ b/tools/file_operations.py
@@ -814,9 +814,9 @@ class ShellFileOperations(FileOperations):
 if context > 0:
 cmd_parts.extend(["-C", str(context)])
- # Add file glob filter
+ # Add file glob filter (must be quoted to prevent shell expansion)
 if file_glob:
- cmd_parts.extend(["--glob", file_glob])
+ cmd_parts.extend(["--glob", self._escape_shell_arg(file_glob)])
 # Output mode handling
 if output_mode == "files_only":
@@ -910,9 +910,9 @@ class ShellFileOperations(FileOperations):
 if context > 0:
 cmd_parts.extend(["-C", str(context)])
- # Add file pattern filter
+ # Add file pattern filter (must be quoted to prevent shell expansion)
 if file_glob:
- cmd_parts.extend(["--include", file_glob])
+ cmd_parts.extend(["--include", self._escape_shell_arg(file_glob)])
 # Output mode handling
 if output_mode == "files_only":
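Review bot: Quoting `file_glob` by hand at each call site (the `--glob` line in the hunk at 814 and the `--include` line in the hunk at 910) keeps the command safe only while every other `cmd_parts.extend(...)` does the same; the search pattern and path arguments are added outside these hunks, so whether they also pass through `_escape_shell_arg` cannot be confirmed from here and is worth checking. If `cmd_parts` is later joined into one shell string, as the new comment implies, quoting every element once at the join (for example `shlex.join(cmd_parts)`, with the per-argument calls dropped to avoid double quoting) would make the protection structural rather than per-line. `_escape_shell_arg` itself is not shown; it should behave like `shlex.quote` (single-quote wrapping) rather than backslash-escaping a list of known metacharacters. The diffstat shows only `tools/file_operations.py` changed, so a regression test that passes a glob containing a space, `;` or `$(` and asserts it reaches the search tool as one literal argument would keep this from regressing. Both enclosing methods start and end outside the hunks.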