From dc42bceb773514740015b4b0295bbe419458ef5f Mon Sep 17 00:00:00 2001
From: RinZ27 <222222878+RinZ27@users.noreply.github.com>
Date: Fri, 20 Feb 2026 08:42:29 +0700
Subject: [PATCH] security: fix command injection bypass in apps/x
---
 apps/x/packages/core/src/application/lib/command-executor.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/x/packages/core/src/application/lib/command-executor.ts b/apps/x/packages/core/src/application/lib/command-executor.ts
index e865e98d..d16806b4 100644
--- a/apps/x/packages/core/src/application/lib/command-executor.ts
+++ b/apps/x/packages/core/src/application/lib/command-executor.ts
@@ -3,7 +3,7 @@ import { promisify } from 'util';
 import { getSecurityAllowList } from '../../config/security.js';
 const execPromise = promisify(exec);
-const COMMAND_SPLIT_REGEX = /(?:\|\||&&|;|\||\n)/;
+const COMMAND_SPLIT_REGEX = /(?:\|\||&&|;|\||\n|`|\$\(|\))/;
 const ENV_ASSIGNMENT_REGEX = /^[A-Za-z_][A-Za-z0-9_]*=.*/;
 const WRAPPER_COMMANDS = new Set(['sudo', 'env', 'time', 'command']);
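Review bot: `COMMAND_SPLIT_REGEX` is still an enumerated list of shell operators, so the allow-list check (presumably applied to each split segment; that code is outside the hunk) only covers the separators someone remembered to add. The command appears to be run through `exec` (`execPromise = promisify(exec)`), which hands the whole string to a shell, so any construct missing from the pattern would still be interpreted there. Consider failing closed instead: reject input that contains any shell metacharacter outside a small permitted set, or run the validated command with `execFile` and an argument array so that no shell parsing happens. The split also ignores quoting, so a literal `)` or backtick inside a quoted argument now produces an extra segment that is checked as if it were a command. A comment above the constant such as `// Every token that can start a new command must appear here; the allow list is checked per segment`, plus one test per alternative, would make the intent reviewable.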