Merge pull request #352 from RinZ27/security-fixes-path-traversal-cmd-injection

fix path traversal and CLI command validation
Ramnique Singh 2026-02-21 06:47:21 +05:30 committed by GitHub
commit 99e219b8a0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -3,7 +3,7 @@ import { promisify } from 'util';
import { getSecurityAllowList } from '../../config/security.js';
const execPromise = promisify(exec);
const COMMAND_SPLIT_REGEX = /(?:\|\||&&|;|\||\n)/;
const COMMAND_SPLIT_REGEX = /(?:\|\||&&|;|\||\n|`|\$\(|\))/;
const ENV_ASSIGNMENT_REGEX = /^[A-Za-z_][A-Za-z0-9_]*=.*/;
const WRAPPER_COMMANDS = new Set(['sudo', 'env', 'time', 'command']);
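Review bot: The widened `COMMAND_SPLIT_REGEX` still does not treat a single `&` or process substitution (`<(` / `>(`) as separators, so a command following either one stays inside the preceding segment; only `||`, `&&`, `;`, `|`, newline, backtick, `$(` and `)` split. How the segments are compared with `getSecurityAllowList()` is outside this hunk, so the impact is inferred, but if each segment is validated by its leading word those forms would not be validated on their own. Adding `&` and `[<>]\(` to the alternation would cover both, with the side effect that `2>&1` is split as well. Because a metacharacter list is hard to keep complete, I would also document the constant with `// Shell separators used to split a command line before allow-list validation; not a full shell parser` and, where callers permit, run validated commands without a shell via `execFile` and an argument array.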