
🐞 Loop enables external commands to be ran#1023

Merged: SenpaiHunters merged 1 commit into mrkai77:develop from aaaAlexanderaaa:security/remove-shell-applescript on Jan 25, 2026

Conversation

@aaaAlexanderaaa
Contributor

I noticed the following 2 actions are effectively local RCE interfaces if any other app (or a clicked link) triggers the URL.
They’re used only if something opens a loop://shell/... or loop://applescript/... URL; there’s no other codepath in the repo that calls them.

You can verify the risk with loop://shell/open%20-a%20Calculator or loop://applescript/display%20dialog%20%22Loop%20PoC%22

 3. Shell Commands:
    Format: loop://shell/<command>
    Examples:
    - loop://shell/open%20-a%20Loop    (Activate Loop app)
    - loop://shell/osascript%20-e%20%22tell%20application%20%5C%22Loop%5C%22%20to%20activate%22
    Note: Commands must be URL encoded

 4. AppleScript Commands:
    Format: loop://applescript/<script>
    Examples:
    - loop://applescript/tell%20application%20%22Loop%22%20to%20activate
    Note: Scripts must be URL encoded
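An added example (not Loop's own code and not part of this PR) of the design that avoids the problem described above: a custom URL-scheme handler that only dispatches to a fixed allowlist of in-app actions, so decoded URL content is never handed to a shell or to a script interpreter. The action names `activate` and `resize`, the direction set, and the sample URLs are assumptions constructed for the illustration; the two PoC URLs are the ones quoted in the PR description.

```python
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Hypothetical, fixed vocabulary of in-app actions (constructed for this
# example). Each handler validates its decoded argument against a closed set
# and returns a description of what it did; a real app would call internal
# functions here. Nothing in this table spawns a process or runs a script.
ALLOWED_DIRECTIONS = {"left", "right", "top", "bottom", "center", "maximize"}


def act_activate(arg: str) -> str:
    if arg:
        raise ValueError("activate takes no argument")
    return "activate"


def act_resize(arg: str) -> str:
    if arg not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unknown direction: {arg!r}")
    return f"resize:{arg}"


# The allowlist: any action name not present here is rejected outright,
# including "shell" and "applescript".
ACTIONS = {"activate": act_activate, "resize": act_resize}


@dataclass
class Decision:
    accepted: bool
    reason: str  # what was done, or why the URL was refused


def handle_url(url: str) -> Decision:
    """Dispatch a loop://<action>/<argument> URL through the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "loop":
        return Decision(False, f"wrong scheme: {parts.scheme!r}")
    # urlsplit puts the action in netloc and the argument in path.
    action = parts.netloc.lower()
    arg = unquote(parts.path.lstrip("/"))
    handler = ACTIONS.get(action)
    if handler is None:
        # Refusing unknown actions is what keeps URL content away from
        # interpreters; log this in a real handler so abuse attempts are visible.
        return Decision(False, f"rejected action {action!r}")
    try:
        return Decision(True, handler(arg))
    except ValueError as exc:
        return Decision(False, str(exc))


# Constructed sample URLs: two legitimate ones, the two PoC URLs from the PR,
# and an argument-smuggling attempt against an allowed action.
SAMPLE_URLS = [
    "loop://activate",
    "loop://resize/left",
    "loop://shell/open%20-a%20Calculator",
    "loop://applescript/display%20dialog%20%22Loop%20PoC%22",
    "loop://resize/left%3Bopen%20-a%20Calculator",
]


def triage(urls: list[str]) -> dict[str, Decision]:
    """Run every sample URL through the handler and collect the decisions."""
    return {u: handle_url(u) for u in urls}


if __name__ == "__main__":
    for url, decision in triage(SAMPLE_URLS).items():
        status = "ACCEPT" if decision.accepted else "REJECT"
        print(f"{status:6} {url} -> {decision.reason}")
```

The point of the structure is that the URL never selects code to run, only a key into a table the application author wrote, and each argument is checked against a closed set rather than interpreted. Even an allowed action cannot be coerced into executing the smuggled `;open -a Calculator` because `left;open -a Calculator` is simply not a direction.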

@SenpaiHunters SenpaiHunters changed the title Security/remove action shell and applescript 🐞 Loop enables external commands to be ran Jan 25, 2026
Collaborator

@SenpaiHunters SenpaiHunters left a comment


Wow, what a very good catch! I initially added them for entire support and was going to add security and other things to it, but I never got around to it and ended up forgetting. Because I was running inside a terminal, I never noticed it, but you need to have a different encoding.

open "loop://shell/open%20-a%20Calculator"
open "loop://applescript/display%20dialog%20%22Loop%20PoC%22"

Thank you for bringing this to our attention! The only change I request is to remove the extra information added to the README; it is not needed, as we already have https://github.com/MrKai77/Loop/blob/develop/CONTRIBUTING.md.

@aaaAlexanderaaa aaaAlexanderaaa force-pushed the security/remove-shell-applescript branch from 6a86f2c to ebdc911 Compare January 25, 2026 12:36
@aaaAlexanderaaa
Contributor Author

Okay, I was planning to push a documentation update to my own fork, but I accidentally synced it to the upstream PR. I sincerely apologize for the trouble caused by my inexperience. It has now been reverted to a clean commit.

@SenpaiHunters
Collaborator

No worries, thank you for bringing this up! I'm shocked; I've never actually looked at or realized this when coding it that long ago.

@SenpaiHunters SenpaiHunters merged commit c82452a into mrkai77:develop Jan 25, 2026
1 check passed
@aaaAlexanderaaa
Contributor Author

Hmm, it's thanks to Codex. I'm a loyal user of Loop, and it has always worked perfectly on my computer.

However, I recently received an update notification.
Before updating, I had it check for any security issues, and it found this for me.

@SenpaiHunters
Collaborator

I noticed you used AI due to your README addition. As it was only a removal, it wasn't an extensive review. Although we don't disagree with AI use in coding, we may soon require all commits to declare AI use in all PRs. However, I still thank you for bringing it up.

@aaaAlexanderaaa
Contributor Author

Hmm, and I noticed the project currently does not have a PR template configured, covering aspects such as whether AI was used or whether the build succeeded locally or passed tests.

You can refer to Creating a pull request template for your repository.
