Finding
File: cli/src/security.ts:409-428
Severity: HIGH
Description
The validatePrompt() function attempts to block shell command injection patterns but has several validation gaps that could allow malicious input to bypass security checks.
Specific Issues
1. Redirection false negatives (lines 423-426):
The patterns />\s*[/~]/ and />\s*\w+\.\w+/ only match redirects to paths starting with /, ~, or file extensions. This misses:
- Relative paths: > foo/bar.txt
- Simple filenames: > output
- Stderr redirects: 2>, 2>&1
2. Command substitution variants:
Only checks $(...) and backticks, missing:
- Heredocs: << EOF
- Process substitution: <(cmd), >(cmd)
3. Command chaining false positives (lines 419-420):
The && and || patterns check for common shell commands after the operators, but this creates maintainability risk and can be bypassed with less common commands or aliases.
Severity Rationale
- User prompts are passed to bash scripts via heredoc or quoted arguments
- Incomplete validation could allow command injection if escaping elsewhere is insufficient
- However, the defense-in-depth approach (multiple validation layers) mitigates this
- Rated HIGH (not CRITICAL) because other layers may catch these patterns
Recommendation
- Strengthen redirection detection to catch all variants:
  { pattern: /[12]?>&?[12]/, description: "file/stderr redirection" }
  { pattern: />\s*[\w./~-]+/, description: "file redirection" }
- Add heredoc and process substitution detection:
  { pattern: /<<-?\s*\w+/, description: "heredoc" }
  { pattern: /<\(|>\(/, description: "process substitution" }
- Consider a positive validation approach (allowlist safe patterns) rather than blocklist
- Add comprehensive test coverage for edge cases in cli/src/__tests__/security.test.ts
Attack Vector
An attacker could craft a prompt like:
spawn claude hetzner --prompt "Build a server > /tmp/payload"
While this specific example might be caught by other validation layers, the gaps in pattern matching create risk.
Filed by: security/code-scanner
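The gaps and the recommended patterns above, checked side by side. This is an added example, not code from cli/src/security.ts: only the regexes are taken from the finding, while the Rule type, matchedRules, coverage and the sample prompts are constructed for illustration.

```typescript
// Added example; Rule, matchedRules and coverage are hypothetical names.
interface Rule { pattern: RegExp; description: string }

// The two redirection patterns the finding quotes from validatePrompt().
const currentRules: Rule[] = [
  { pattern: />\s*[/~]/, description: "redirect to / or ~ path" },
  { pattern: />\s*\w+\.\w+/, description: "redirect to file with extension" },
];

// The four patterns from the Recommendation section, copied unchanged.
const recommendedRules: Rule[] = [
  { pattern: /[12]?>&?[12]/, description: "file/stderr redirection" },
  { pattern: />\s*[\w./~-]+/, description: "file redirection" },
  { pattern: /<<-?\s*\w+/, description: "heredoc" },
  { pattern: /<\(|>\(/, description: "process substitution" },
];

// Descriptions of every rule whose pattern matches the prompt.
function matchedRules(prompt: string, rules: Rule[]): string[] {
  return rules.filter((r) => r.pattern.test(prompt)).map((r) => r.description);
}

// Constructed prompts, one per gap listed under "Specific Issues".
const gapPrompts: string[] = [
  "save logs > foo/bar.txt", // relative path
  "write it > output",       // simple filename
  "run build 2>&1",          // stderr redirect
  "cat << EOF",              // heredoc
  "diff <(cmd)",             // process substitution
];

// Split prompts into those a rule set flags and those it lets through.
function coverage(rules: Rule[], prompts: string[]): { caught: string[]; missed: string[] } {
  const caught = prompts.filter((p) => matchedRules(p, rules).length > 0);
  const missed = prompts.filter((p) => matchedRules(p, rules).length === 0);
  return { caught, missed };
}

console.log("current misses:", coverage(currentRules, gapPrompts).missed);
console.log("recommended misses:", coverage(recommendedRules, gapPrompts).missed);
// Constructed benign prompt: a numeric comparison in ordinary prose.
console.log("benign prompt flagged as:", matchedRules("Alert when CPU > 90 percent", recommendedRules));
```

The last line shows that the recommended "file redirection" pattern also flags an ordinary comparison in prose, which is the practical argument for the allowlist approach in the recommendation.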