mirror of
https://github.com/rowboatlabs/rowboat.git
synced 2026-07-06 20:42:15 +02:00
Merge pull request #550 from aaronjmars/security/command-executor-ampersand-bypass
fix(security): close & (background) command-executor allowlist bypass
This commit is contained in:
commit
6373238ad8
2 changed files with 12 additions and 2 deletions
|
|
@ -5,7 +5,11 @@ import { getExecutionShell } from '../assistant/runtime-context.js';
|
|||
|
||||
const execPromise = promisify(exec);
|
||||
|
||||
const COMMAND_SPLIT_REGEX = /(?:\|\||&&|;|\||\n|`|\$\(|\(|\))/;
|
||||
// Order matters: longer separators (`||`, `&&`) must precede their single-char
|
||||
// prefixes (`|`, `&`) so the leftmost-longest match consumes the right token.
|
||||
// Missing `&` here let `echo hi & rm -rf $HOME` slip past isBlocked() — the
|
||||
// parser saw only `echo`, but the shell ran both commands.
|
||||
const COMMAND_SPLIT_REGEX = /(?:\|\||&&|&|;|\||\n|`|\$\(|\(|\))/;
|
||||
const ENV_ASSIGNMENT_REGEX = /^[A-Za-z_][A-Za-z0-9_]*=.*/;
|
||||
const WRAPPER_COMMANDS = new Set(['sudo', 'env', 'time', 'command']);
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue