DataDog · AlexandreYang · Mar 10, 2026 · Mar 10, 2026 · Mar 10, 2026 · Mar 10, 2026
@@ -12,7 +12,7 @@ Blocked features are rejected before execution with exit code 2.
 - ✅ `echo [-neE] [ARG]...` — write arguments to stdout; `-n` suppresses trailing newline, `-e` enables backslash escapes, `-E` disables them (default)
 - ✅ `exit [N]` — exit the shell with status N (default 0)
 - ✅ `false` — return exit code 1
-- ✅ `find [-L] [PATH...] [EXPRESSION]` — search for files in a directory hierarchy; supports `-name`, `-iname`, `-path`, `-ipath`, `-type`, `-size`, `-empty`, `-newer`, `-mtime`, `-mmin`, `-maxdepth`, `-mindepth`, `-print`, `-print0`, `-prune`, logical operators (`!`, `-a`, `-o`, `()`); blocks `-exec`, `-delete`, `-regex` for sandbox safety
+- ✅ `find [-L] [PATH...] [EXPRESSION]` — search for files in a directory hierarchy; supports `-name`, `-iname`, `-path`, `-ipath`, `-type`, `-size`, `-empty`, `-newer`, `-mtime`, `-mmin`, `-maxdepth`, `-mindepth`, `-print`, `-print0`, `-prune`, `-exec cmd {} \;`, `-exec cmd {} +`, `-execdir cmd {} \;`, `-execdir cmd {} +`, logical operators (`!`, `-a`, `-o`, `()`); `-exec`/`-execdir` execute only shell builtins (not external binaries); blocks `-delete`, `-regex` for sandbox safety
 - ✅ `grep [-EFGivclLnHhoqsxw] [-e PATTERN] [-m NUM] [-A NUM] [-B NUM] [-C NUM] PATTERN [FILE]...` — print lines that match patterns; uses RE2 regex engine (linear-time, no backtracking)
 - ✅ `head [-n N|-c N] [-q|-v] [FILE]...` — output the first part of files (default: first 10 lines); `-z`/`--zero-terminated` and `--follow` are rejected
 - ✅ `sort [-rnubfds] [-k KEYDEF] [-t SEP] [-c|-C] [FILE]...` — sort lines of text files; `-o`, `--compress-program`, and `-T` are rejected (filesystem write / exec)

@@ -72,6 +72,7 @@ var builtinPerCommandSymbols = map[string][]string{
 		"errors.New",                      // creates a simple error value; pure function, no I/O.
 		"fmt.Errorf",                      // error formatting; pure function, no I/O.
 		"io.EOF",                          // sentinel error value; pure constant.
+		"io.Writer",                       // interface type for writing; no side effects by itself.
 		"io/fs.FileInfo",                  // interface type for file information; no side effects.
 		"io/fs.ModeDir",                   // file mode bit constant for directories; pure constant.
 		"io/fs.ModeNamedPipe",             // file mode bit constant for named pipes; pure constant.
@@ -83,11 +84,16 @@ var builtinPerCommandSymbols = map[string][]string{
 		"math.MaxInt64",                   // integer constant; no side effects.
 		"os.IsNotExist",                   // checks if error is "not exist"; pure function, no I/O.
 		"os.PathError",                    // error type for path operations; pure type.
+		"path.Base",                       // extracts last element of path (always uses /); pure function, no I/O.
+		"path.Clean",                      // cleans a path (removes trailing slashes, double slashes); pure function, no I/O.
+		"path.Dir",                        // extracts directory from path (always uses /); pure function, no I/O.
 		"path/filepath.ToSlash",           // converts OS path separators to forward slashes; pure function, no I/O.
 		"strconv.Atoi",                    // string-to-int conversion; pure function, no I/O.
 		"strconv.ErrRange",                // sentinel error value for overflow; pure constant.
 		"strconv.ParseInt",                // string-to-int conversion; pure function, no I/O.
+		"strings.Contains",                // checks if a substring is present; pure function, no I/O.
 		"strings.HasPrefix",               // pure function for prefix matching; no I/O.
+		"strings.ReplaceAll",              // replaces all occurrences of a substring; pure function, no I/O.
 		"strings.ToLower",                 // converts string to lowercase; pure function, no I/O.
 		"time.Duration",                   // duration type; pure integer alias, no I/O.
 		"time.Hour",                       // constant representing one hour; no side effects.
@@ -336,6 +342,9 @@ var builtinAllowedSymbols = []string{
 	"os.IsNotExist",                   // checks if error is "not exist"; pure function, no I/O.
 	"os.O_RDONLY",                     // read-only file flag constant; cannot open files by itself.
 	"os.PathError",                    // error type for filesystem path errors; pure type, no I/O.
+	"path.Base",                       // extracts last element of a path (always uses /); pure function, no I/O.
+	"path.Clean",                      // cleans a path (removes trailing slashes, double slashes); pure function, no I/O.
+	"path.Dir",                        // extracts directory part of a path (always uses /); pure function, no I/O.
 	"path/filepath.ToSlash",           // converts OS path separators to forward slashes; pure function, no I/O.
 	"regexp.Compile",                  // compiles a regular expression; pure function, no I/O. Uses RE2 engine (linear-time, no backtracking).
 	"regexp.QuoteMeta",                // escapes all special regex characters in a string; pure function, no I/O.
@@ -355,6 +364,7 @@ var builtinAllowedSymbols = []string{
 	"strconv.ParseInt",                // string-to-int conversion with base/bit-size; pure function, no I/O.
 	"strconv.ParseUint",               // string-to-unsigned-int conversion; pure function, no I/O.
 	"strings.Builder",                 // efficient string concatenation; pure in-memory buffer, no I/O.
+	"strings.Contains",                // checks if a substring is present; pure function, no I/O.
 	"strings.ContainsRune",            // checks if a rune is in a string; pure function, no I/O.
 	"strings.HasPrefix",               // pure function for prefix matching; no I/O.
 	"strings.IndexByte",               // finds byte in string; pure function, no I/O.

@@ -128,6 +128,13 @@ type CallContext struct {
 	// via GetFileInformationByHandle. The path parameter is needed on Windows
 	// where FileInfo.Sys() lacks identity fields; Unix ignores it.
 	FileIdentity func(path string, info fs.FileInfo) (FileID, bool)
+
+	// ExecCommand executes a builtin command within the shell interpreter.
+	// Used by find -exec/-execdir to invoke other builtins. The command
+	// runs with the same sandbox restrictions as the calling builtin.
+	// dir overrides the working directory for the command (empty = inherit).
+	// Returns the command's exit code.
+	ExecCommand func(ctx context.Context, args []string, dir string, stdout, stderr io.Writer) (uint8, error)
 }
 
 // Out writes a string to stdout.

@@ -7,8 +7,11 @@ package find
 
 import (
 	"context"
+	"io"
 	iofs "io/fs"
 	"math"
+	"path"
+	"strings"
 	"time"
 
 	"github.com/DataDog/rshell/builtins"
@@ -20,19 +23,24 @@ type evalResult struct {
 	prune   bool // skip descending into this directory
 }
 
+// execCommandFunc is the signature for executing a builtin command.
+type execCommandFunc func(ctx context.Context, args []string, dir string, stdout, stderr io.Writer) (uint8, error)
+
 // evalContext holds state needed during expression evaluation.
 type evalContext struct {
 	callCtx     *builtins.CallContext
 	ctx         context.Context
 	now         time.Time
-	relPath     string               // path relative to starting point
-	info        iofs.FileInfo        // file info (lstat or stat depending on -L)
-	depth       int                  // current depth
-	printPath   string               // path to print (includes starting point prefix)
-	newerCache  map[string]time.Time // cached -newer reference file modtimes
-	newerErrors map[string]bool      // tracks which -newer reference files failed to stat
-	followLinks bool                 // true when -L is active
-	failed      bool                 // set by predicates that encounter errors
+	relPath     string                 // path relative to starting point
+	info        iofs.FileInfo          // file info (lstat or stat depending on -L)
+	depth       int                    // current depth
+	printPath   string                 // path to print (includes starting point prefix)
+	newerCache  map[string]time.Time   // cached -newer reference file modtimes
+	newerErrors map[string]bool        // tracks which -newer reference files failed to stat
+	followLinks bool                   // true when -L is active
+	failed      bool                   // set by predicates that encounter errors
+	execCommand execCommandFunc        // callback for -exec/-execdir
+	batchAccum  map[*expr][]batchEntry // accumulated paths for batch exec (+)
 }
 
 // evaluate evaluates an expression tree against a file. If e is nil, returns
@@ -105,6 +113,12 @@ func evaluate(ec *evalContext, e *expr) evalResult {
 	case exprPrune:
 		return evalResult{matched: true, prune: true}
 
+	case exprExec:
+		return evalExec(ec, e, false)
+
+	case exprExecDir:
+		return evalExec(ec, e, true)
+
 	case exprTrue:
 		return evalResult{matched: true}
 
@@ -248,3 +262,85 @@ func evalMmin(ec *evalContext, n int64, cmp cmpOp) bool {
 		return mins == n
 	}
 }
+
+// evalExec evaluates a -exec or -execdir predicate.
+// For `;` mode: executes the command immediately, returns matched=true if exit 0.
+// For `+` mode: accumulates the path for later batch execution, returns matched=true.
+func evalExec(ec *evalContext, e *expr, isExecDir bool) evalResult {
+	if ec.execCommand == nil {
+		ec.callCtx.Errf("find: -exec/-execdir: command execution not available\n")
+		ec.failed = true
+		return evalResult{matched: false}
+	}
+
+	var filePath string
+	var dir string
+	if isExecDir {
+		clean := path.Clean(ec.printPath)
+		if clean == "." {
+			// Start directory itself: GNU find outputs "." not "./.".
+			filePath = "."
+		} else {
+			dir = path.Dir(clean)
+			if dir == "." {
+				dir = ""
+			}
+			filePath = "./" + path.Base(clean)
+		}
+	} else {
+		filePath = ec.printPath
+	}
+
+	// Batch mode: accumulate path for later execution.
+	// Paths are collected without limit here; executeBatch chunks them into
+	// groups of maxExecArgs to match GNU find behaviour (process all matches
+	// in multiple invocations rather than silently dropping entries).
+	if e.execBatch {
+		if ec.batchAccum != nil {
+			entries := ec.batchAccum[e]
+			// Pre-allocate on first entry to reduce slice growth overhead.
+			if entries == nil {
+				const initialBatchCap = 64
+				entries = make([]batchEntry, 0, initialBatchCap)
+			}
+			ec.batchAccum[e] = append(entries, batchEntry{filePath: filePath, dir: dir})
+		}
+		return evalResult{matched: true}
+	}
+
+	// Single mode (;): execute immediately.
+	// GNU find treats per-file -exec failures as a false predicate result
+	// (continuing traversal) rather than a global fatal error. Only batch
+	// mode (+) propagates errors to the global exit code.
+	args := buildExecArgs(e.execArgs, filePath)
+	code, err := ec.execCommand(ec.ctx, args, dir, ec.callCtx.Stdout, ec.callCtx.Stderr)
+	if err != nil {
+		ec.callCtx.Errf("find: %s: %v\n", args[0], err)
+		return evalResult{matched: false}
+	}
+	return evalResult{matched: code == 0}
+}
+
+// buildExecArgs replaces {} with filePath in exec arguments.
+func buildExecArgs(template []string, filePath string) []string {
+	args := make([]string, len(template))
+	for i, arg := range template {
+		args[i] = strings.ReplaceAll(arg, "{}", filePath)
+	}
+	return args
+}
+
+// collectExecExprs finds all -exec/-execdir batch mode expressions in the tree.
+func collectExecExprs(e *expr) []*expr {
+	if e == nil {
+		return nil
+	}
+	var result []*expr
+	if (e.kind == exprExec || e.kind == exprExecDir) && e.execBatch {
+		result = append(result, e)
+	}
+	result = append(result, collectExecExprs(e.left)...)
+	result = append(result, collectExecExprs(e.right)...)
+	result = append(result, collectExecExprs(e.operand)...)
+	return result
+}
@@ -24,24 +24,26 @@ const (
 type exprKind int
 
 const (
-	exprName   exprKind = iota // -name pattern
-	exprIName                  // -iname pattern
-	exprPath                   // -path pattern
-	exprIPath                  // -ipath pattern
-	exprType                   // -type c
-	exprSize                   // -size n[cwbkMG]
-	exprEmpty                  // -empty
-	exprNewer                  // -newer file
-	exprMtime                  // -mtime n
-	exprMmin                   // -mmin n
-	exprPrint                  // -print
-	exprPrint0                 // -print0
-	exprPrune                  // -prune
-	exprTrue                   // -true
-	exprFalse                  // -false
-	exprAnd                    // expr -a expr  or  expr expr (implicit)
-	exprOr                     // expr -o expr
-	exprNot                    // ! expr  or  -not expr
+	exprName    exprKind = iota // -name pattern
+	exprIName                   // -iname pattern
+	exprPath                    // -path pattern
+	exprIPath                   // -ipath pattern
+	exprType                    // -type c
+	exprSize                    // -size n[cwbkMG]
+	exprEmpty                   // -empty
+	exprNewer                   // -newer file
+	exprMtime                   // -mtime n
+	exprMmin                    // -mmin n
+	exprPrint                   // -print
+	exprPrint0                  // -print0
+	exprPrune                   // -prune
+	exprExec                    // -exec command {} ;
+	exprExecDir                 // -execdir command {} ;
+	exprTrue                    // -true
+	exprFalse                   // -false
+	exprAnd                     // expr -a expr  or  expr expr (implicit)
+	exprOr                      // expr -o expr
+	exprNot                     // ! expr  or  -not expr
 )
 
 // cmpOp represents a comparison operator for numeric predicates.
@@ -73,21 +75,28 @@ type sizeUnit struct {
 	unit byte  // one of: c w b k M G (default 'b' if omitted)
 }
 
+// maxExecArgs limits the number of arguments that can be accumulated in
+// -exec/-execdir batch mode (+) to prevent memory exhaustion.
+const maxExecArgs = 10000
+
 // expr is a node in the find expression AST.
 type expr struct {
-	kind    exprKind
-	strVal  string   // pattern for name/iname/path/ipath, type char, file path for newer
-	sizeVal sizeUnit // for -size
-	numVal  int64    // for -mtime, -mmin
-	numCmp  cmpOp    // comparison operator for numeric predicates
-	left    *expr    // for and/or
-	right   *expr    // for and/or
-	operand *expr    // for not
+	kind      exprKind
+	strVal    string   // pattern for name/iname/path/ipath, type char, file path for newer
+	sizeVal   sizeUnit // for -size
+	numVal    int64    // for -mtime, -mmin
+	numCmp    cmpOp    // comparison operator for numeric predicates
+	left      *expr    // for and/or
+	right     *expr    // for and/or
+	operand   *expr    // for not
+	execArgs  []string // for -exec/-execdir: command and arguments (with {} placeholder)
+	execBatch bool     // for -exec/-execdir: true if terminated by + (batch mode)
 }
 
 // isAction returns true if this expression is an output action.
 func (e *expr) isAction() bool {
-	return e.kind == exprPrint || e.kind == exprPrint0
+	return e.kind == exprPrint || e.kind == exprPrint0 ||
+		e.kind == exprExec || e.kind == exprExecDir
 }
 
 // hasAction checks if any node in the expression tree is an action.
@@ -120,8 +129,6 @@ type parseResult struct {
 
 // blocked predicates that are forbidden for sandbox safety.
 var blockedPredicates = map[string]string{
-	"-exec":    "arbitrary command execution is blocked",
-	"-execdir": "arbitrary command execution is blocked",
 	"-delete":  "file deletion is blocked",
 	"-ok":      "interactive execution is blocked",
 	"-okdir":   "interactive execution is blocked",
@@ -311,6 +318,10 @@ func (p *parser) parsePrimary() (*expr, error) {
 		return p.parseNumericPredicate(exprMtime)
 	case "-mmin":
 		return p.parseNumericPredicate(exprMmin)
+	case "-exec":
+		return p.parseExecPredicate(exprExec)
+	case "-execdir":
+		return p.parseExecPredicate(exprExecDir)
 	case "-print":
 		return &expr{kind: exprPrint}, nil
 	case "-print0":
@@ -459,6 +470,60 @@ func (p *parser) parseDepthOption(isMax bool) (*expr, error) {
 	return &expr{kind: exprTrue}, nil
 }
 
+// parseExecPredicate parses -exec/-execdir arguments.
+// Syntax: -exec command [args...] ;
+//
+//	-exec command [args...] {} +
+//
+// The `;` terminator must be a separate argument (the shell handles `\;`).
+// The `+` terminator enables batch mode (multiple files per invocation);
+// in batch mode `{}` must be the last argument before `+`.
+// `{}` is optional in `;` mode — when absent, the command runs without
+// the matched path in its arguments (matching GNU find behaviour).
+func (p *parser) parseExecPredicate(kind exprKind) (*expr, error) {
+	name := "-exec"
+	if kind == exprExecDir {
+		name = "-execdir"
+	}
+	if p.pos >= len(p.args) {
+		return nil, fmt.Errorf("find: %s: missing command", name)
+	}
+
+	// maxExecCmdArgs limits the number of fixed arguments in an -exec/-execdir
+	// command template to prevent pathological parser inputs.
+	const maxExecCmdArgs = 1024
+
+	var cmdArgs []string
+	placeholderCount := 0
+	for p.pos < len(p.args) {
+		tok := p.args[p.pos]
+		p.pos++
+
+		if tok == ";" {
+			if len(cmdArgs) == 0 {
+				return nil, fmt.Errorf("find: %s: missing command", name)
+			}
+			return &expr{kind: kind, execArgs: cmdArgs, execBatch: false}, nil
+		}
+		if tok == "+" && placeholderCount > 0 && len(cmdArgs) > 0 && cmdArgs[len(cmdArgs)-1] == "{}" {
+			// Batch mode: {} must be the last arg before +.
+			// GNU find rejects multiple {} in batch mode.
+			if placeholderCount > 1 {
+				return nil, fmt.Errorf("find: %s: only one instance of '{}' is supported with -exec ... +", name)
+			}
+			return &expr{kind: kind, execArgs: cmdArgs, execBatch: true}, nil
+		}
+		if strings.Contains(tok, "{}") {
+			placeholderCount++
+		}
+		cmdArgs = append(cmdArgs, tok)
+		if len(cmdArgs) > maxExecCmdArgs {
+			return nil, fmt.Errorf("find: %s: too many arguments (limit %d)", name, maxExecCmdArgs)
+		}
+	}
+	return nil, fmt.Errorf("find: missing terminator for %s (expected ';' or '+')", name)
+}
+
 // parseSize parses a -size argument like "+10k", "-5M", "100c".
 func parseSize(s string) (sizeUnit, error) {
 	if len(s) == 0 {
@@ -541,6 +606,10 @@ func (k exprKind) String() string {
 		return "-or"
 	case exprNot:
 		return "-not"
+	case exprExec:
+		return "-exec"
+	case exprExecDir:
+		return "-execdir"
 	default:
 		return "unknown"
 	}