From cb747bd04b73bbbbe92cdd6b1290f4c6579f3113 Mon Sep 17 00:00:00 2001
From: BitterPanda
Date: Thu, 5 Feb 2026 17:43:57 +0100
Subject: [PATCH 1/2] Also see \r \f amd \v as separators for shell injection
---
 .../shell_injection/ShellSyntaxChecker.java | 2 +-
 .../ShellInjectionDetectorTest.java | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/ShellSyntaxChecker.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/ShellSyntaxChecker.java
index f09faf756..87fd0d20e 100644
--- a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/ShellSyntaxChecker.java
+++ b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/ShellSyntaxChecker.java
@@ -10,7 +10,7 @@ public final class ShellSyntaxChecker {
 private ShellSyntaxChecker() {}
 private static final List SEPARATORS = Arrays.asList(
- " ", "\t", "\n", ";", "&", "|", "(", ")", "<", ">"
+ " ", "\t", "\n", ";", "&", "|", "(", ")", "<", ">", "\r", "\f", "\u000B"
 );
 public static boolean containsShellSyntax(String command, String userInput) {
diff --git a/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java b/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
index 4267f68fc..aa047d12f 100644
--- a/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
+++ b/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
@@ -434,4 +434,25 @@ void testItFlagsCommaInLoop() {
 "for (( i=0, j=10; i
Date: Fri, 6 Feb 2026 12:20:16 +0100
Subject: [PATCH 2/2] remove the code for vertical tabs, this is not supported by most shells
---
 .../shell_injection/ShellSyntaxChecker.java | 2 +-
 .../shell_injection/ShellInjectionDetectorTest.java | 7 -------
 2 files changed, 1 insertion(+), 8 deletions(-)
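Review bot: `"\r"` in the added SEPARATORS entry is not a word separator in bash or dash — both lexers treat only space, tab and newline as blanks/metacharacters, so `ls\rrm` is a single token (the familiar `ls\r: command not found` from CRLF-edited scripts), not `ls` followed by `rm`, and the same holds for `"\f"`. Whether that makes this a false positive or a deliberately conservative over-detection depends on how containsShellSyntax consumes the list; its body lies outside the hunk, so I can only flag it. The constant deserves a comment naming the shells it models and stating the intent for `\r`/`\f`, e.g. `// Characters that end a shell word; \r and \f are not separators in bash/dash — kept on purpose to over-detect (see ShellInjectionDetectorTest)` if over-detection is the goal. Separately, `Arrays.asList` returns a fixed-size view that still accepts `set`, so if the project targets Java 9+ `List.of(...)` would make the constant genuinely immutable.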
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/ShellSyntaxChecker.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/ShellSyntaxChecker.java
index 87fd0d20e..b4acfb2ef 100644
--- a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/ShellSyntaxChecker.java
+++ b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/ShellSyntaxChecker.java
@@ -10,7 +10,7 @@ public final class ShellSyntaxChecker {
 private ShellSyntaxChecker() {}
 private static final List SEPARATORS = Arrays.asList(
- " ", "\t", "\n", ";", "&", "|", "(", ")", "<", ">", "\r", "\f", "\u000B"
+ " ", "\t", "\n", ";", "&", "|", "(", ")", "<", ">", "\r", "\f"
 );
 public static boolean containsShellSyntax(String command, String userInput) {
diff --git a/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java b/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
index aa047d12f..7b5ac880c 100644
--- a/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
+++ b/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
@@ -448,11 +448,4 @@ void testFormFeedAsSeparator() {
 assertIsShellInjection("ls\frm", "rm");
 assertIsShellInjection("echo test\frm -rf /", "rm");
 }
-
- @Test
- void testVerticalTabAsSeparator() {
- // \u000B (vertical tab) as separator before dangerous command
- assertIsShellInjection("ls\u000Brm", "rm");
- assertIsShellInjection("echo test\u000Brm -rf /", "rm");
- }
 }
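Review bot: The rationale given for dropping `"\u000B"` — most shells do not treat it as a separator — applies equally to the `"\r"` and `"\f"` entries that stay on the new side of the SEPARATORS line: bash and dash tokenize on space, tab and newline only, so `ls\frm` is one (nonexistent) command name rather than `ls` followed by `rm`, and the surviving testFormFeedAsSeparator context above now pins that over-detection as the expected result. If keeping `\r`/`\f` is a deliberate conservative choice, say so next to the list, e.g. `// \r and \f are not word separators in bash/dash; kept to over-detect rather than miss injections`, so the next reader does not remove them under the same argument; if it is not deliberate, the two entries and testFormFeedAsSeparator should go with the vertical tab. containsShellSyntax, which decides what this list actually means, begins at the hunk's last context line and its body is outside the hunk.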