fix(init): narrow command validation to actual shell injection vectors#697
Merged
fix(init): narrow command validation to actual shell injection vectors#697
Conversation
Commands run via spawn (no shell), so characters like quotes, braces, globs, parentheses, and bare $ have no effect. Blocking them prevented legitimate package specifiers like `pip install sentry-sdk[django]` wrapped in quotes, or version ranges with `*`. Keep blocking actual injection patterns: chaining (;, &&, ||), piping (|), command substitution (`, $(), redirection (>, <), background (&), and control chars (\n, \r). Made-with: Cursor
Contributor
Semver Impact of This PR🟢 Patch (bug fixes) 📋 Changelog PreviewThis is how your changes will appear in the changelog. New Features ✨
Bug Fixes 🐛
Internal Changes 🔧
🤖 This preview updates automatically when you update the PR. |
Contributor
|
Contributor
Codecov Results 📊✅ 134 passed | Total: 134 | Pass Rate: 100% | Execution Time: 0ms 📊 Comparison with Base Branch
✨ No test changes detected All tests are passing successfully. ✅ Patch coverage is 100.00%. Project has 1482 uncovered lines. Coverage diff@@ Coverage Diff @@
## main #PR +/-##
==========================================
+ Coverage 95.43% 95.44% +0.01%
==========================================
Files 224 224 —
Lines 32538 32527 -11
Branches 0 0 —
==========================================
+ Hits 31052 31045 -7
- Misses 1486 1482 -4
- Partials 0 0 —Generated by Codecov Action |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
validateCommandblocked characters like quotes, braces, globs,$,#, parentheses, and backslashes as "defense-in-depth" shell metacharacters. Since commands run viaspawn(no shell), these characters are inert — but blocking them prevented legitimate package specifiers the server might send, such aspip install "sentry-sdk[django]"or version ranges containing*.This narrows the blocklist to patterns that represent actual shell injection: command chaining (
;,&&,||), piping (|), command substitution (`,$(), redirection (>,<), background (&), and control characters (\n,\r). Everything else is removed sincespawndoesn't interpret it.Test plan
validateCommandtests: added cases for now-allowed characters (quoted args, braces, globs,#, parentheses);,&&,||,|,`,$(,>,<,&,\n,\rlocal-ops.test.tspassMade with Cursor