rowboat/apps/cli/src/application
aeonframework a2fb45a08f fix(security): close & (background) command-executor allowlist bypass
extractCommandNames() splits on shell separators to enumerate the
commands an LLM-generated shell string will invoke, then the allowlist
gate isBlocked() decides whether to ask the user for permission.

The split regex was missing single `&` (background separator), so:

  isBlocked('echo hi & rm -rf $HOME', new Set(['echo']))  // false

The parser saw only `echo`, but bash actually runs `echo hi` in the
background then immediately runs `rm -rf $HOME` — without prompting.

The cli copy of the parser was also missing backtick, `$(`, `(`, and
`)`, so command substitution and subshells (`echo \`rm /x\``,
`echo $(rm /x)`, `(rm /x)`) bypassed it the same way.

Fix: add `&` to both regexes (ordered after `&&` so leftmost-longest
match still picks `&&` first), and bring the cli regex up to parity
with the apps/x version.

Severity: high. CWE-78 (OS Command Injection), CWE-863 (incorrect
authorization).

Detected by Aeon + semgrep + manual parser review.
2026-05-10 19:35:03 +00:00
..
assistant Add OS-aware runtime context for cross-platform shell execution 2026-02-26 11:42:43 +05:30
lib fix(security): close & (background) command-executor allowlist bypass 2026-05-10 19:35:03 +00:00