Issue 1: [Security] Refactor build_launch_process to use direct subprocess execution instead of PowerShell
Title: Refactor process launching to eliminate PowerShell argument injection risks
Description:
Currently, in Jarvis/core/powershell_safe.py, the build_launch_process method constructs a PowerShell script string to launch applications using Start-Process:

```python
args_str = ", ".join(sanitize_powershell_arg(str(arg)) for arg in args)
ps_script = (
    f"$exe = {sanitize_powershell_arg(exe_path)}; "
    f"$args = @({args_str}); "
    "Start-Process -FilePath $exe -ArgumentList $args"
)
```

The Vulnerability / Issue:
While there is a sanitize_powershell_arg function in place, dynamically building PowerShell script strings with user-controlled arguments is inherently fragile and prone to injection attacks (e.g., if a sanitizer misses a specific escape sequence or encoding trick).
Proposed Solution:
Instead of wrapping the execution in a PowerShell Start-Process command, application launching should directly use Python's subprocess.run() or subprocess.Popen() with an array of arguments (e.g., subprocess.run([exe_path] + args)). This completely sidesteps the shell/PowerShell interpreter, mitigating argument injection vulnerabilities by passing arguments directly to the OS process execution API.
Acceptance Criteria:
- Modify `build_launch_process` (or the caller of it) to execute the target executable directly via Python's `subprocess` module.
- Ensure that existing application launches (like opening the browser or notepad) still function correctly without `Start-Process`.
- Add test coverage verifying that arguments with special characters are safely passed to the executable.
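
As an added example (not code from the Jarvis repository), one shape the refactor could take: an argv builder with no PowerShell string assembly, a `shell=False` launcher, and a round-trip helper for the last acceptance criterion that confirms metacharacters reach the child process byte-for-byte. The names `build_launch_argv`, `launch` and `argv_roundtrip` and the sample arguments are assumptions made here.

```python
import json
import subprocess
import sys
from typing import List, Sequence


def build_launch_argv(exe_path: str, args: Sequence[object] = ()) -> List[str]:
    """Return the argv list for a direct launch.

    Nothing is escaped or quoted: each element becomes exactly one argument
    at the OS process-creation API, so no interpreter ever parses the values.
    Arguments are coerced to str; nested sequences are rejected rather than
    silently flattened or stringified.
    """
    if not isinstance(exe_path, str) or not exe_path:
        raise ValueError("exe_path must be a non-empty string")
    argv = [exe_path]
    for arg in args:
        if isinstance(arg, (list, tuple)):
            raise TypeError("args must be a flat sequence, not nested")
        argv.append(str(arg))
    return argv


def launch(exe_path: str, args: Sequence[object] = ()) -> subprocess.Popen:
    """Start the target without PowerShell or cmd.exe in the path (shell=False)."""
    return subprocess.Popen(build_launch_argv(exe_path, args), shell=False)


def argv_roundtrip(args: Sequence[str]) -> List[str]:
    """Test helper: run a child Python that echoes its argv as JSON and return
    what it received, so a test can assert the arguments arrived unchanged."""
    echo = "import json, sys; print(json.dumps(sys.argv[1:]))"
    argv = build_launch_argv(sys.executable, ["-c", echo, *args])
    done = subprocess.run(argv, capture_output=True, text=True, check=True, shell=False)
    return json.loads(done.stdout)


# Constructed sample: tokens that PowerShell or cmd.exe would interpret if the
# values were ever spliced into a script string.
SPECIAL_ARGS = ["plain.txt", "a b", "$(Get-Date)", "'; Write-Output x; '", "a&b|c", '"q"', "$env:PATH"]

if __name__ == "__main__":
    print(argv_roundtrip(SPECIAL_ARGS) == SPECIAL_ARGS)
```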