rowboat/apps
aeonframework a2fb45a08f fix(security): close & (background) command-executor allowlist bypass
extractCommandNames() splits on shell separators to enumerate the
commands an LLM-generated shell string will invoke, then the allowlist
gate isBlocked() decides whether to ask the user for permission.

The split regex was missing single `&` (background separator), so:

  isBlocked('echo hi & rm -rf $HOME', new Set(['echo']))  // false

The parser saw only `echo`, but bash actually runs `echo hi` in the
background then immediately runs `rm -rf $HOME` — without prompting.

The cli copy of the parser was also missing backtick, `$(`, `(`, and
`)`, so command substitution and subshells (`echo \`rm /x\``,
`echo $(rm /x)`, `(rm /x)`) bypassed it the same way.

Fix: add `&` to both regexes (ordered after `&&` so leftmost-longest
match still picks `&&` first), and bring the cli regex up to parity
with the apps/x version.

Severity: high. CWE-78 (OS Command Injection), CWE-863 (incorrect
authorization).

Detected by Aeon + semgrep + manual parser review.
2026-05-10 19:35:03 +00:00
cli fix(security): close & (background) command-executor allowlist bypass 2026-05-10 19:35:03 +00:00
docs feat(oauth): switch Google OAuth from PKCE to authorization code flow with client secret 2026-04-10 00:43:34 +05:30
experimental Fix/prebuilt cards updates (#263) 2025-09-16 15:29:48 +05:30
python-sdk update py-sdk docs 2025-08-19 13:35:10 +05:30
rowboat fix: make dev script cross-platform for Windows PowerShell 2026-02-19 13:07:07 +05:30
rowboatx wip-electron 2026-01-16 12:05:33 +05:30
x fix(security): close & (background) command-executor allowlist bypass 2026-05-10 19:35:03 +00:00
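The bypass and fix described in the commit message above, as an added example that is not the project's own code. The two regexes and the bodies of `extractCommandNames()` and `isBlocked()` are assumptions reconstructed from the message (the real signatures take no `sep` argument); only the function names and the `echo hi & rm -rf $HOME` case come from the page.

```javascript
// Hypothetical separator sets, modelled on the commit message.
// "Before": has &&, ||, ;, |, newline, backtick, $(, ( and ) but no single &.
const SEP_BEFORE = /\|\||&&|;|\||\n|`|\$\(|\(|\)/;
// "After": single & added, listed after && so && is still tried first.
const SEP_AFTER = /\|\||&&|&|;|\||\n|`|\$\(|\(|\)/;

// Enumerate the command names a shell string would invoke (sketch).
function extractCommandNames(command, sep) {
  return command
    .split(sep)
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const words = part.split(/\s+/);
      // Skip leading VAR=value assignments such as `FOO=1 rm /x`.
      const name = words.find((w) => !/^[A-Za-z_][A-Za-z0-9_]*=/.test(w));
      return name ?? words[0];
    });
}

// true  -> at least one command is outside the allowlist: ask the user.
// false -> every parsed command is allowlisted: run without prompting.
function isBlocked(command, allowed, sep) {
  const names = extractCommandNames(command, sep);
  if (names.length === 0) return true; // fail closed on unparseable input
  return names.some((n) => !allowed.has(n));
}

// Constructed inputs; the first is the case from the commit message.
const allowed = new Set(['echo']);
const samples = [
  'echo hi & rm -rf $HOME',
  'echo a && echo b',
  'echo $(rm /x)',
  '(rm /x)',
  'echo hi 2>&1',
];
for (const s of samples) {
  console.log(JSON.stringify(s),
    'before:', isBlocked(s, allowed, SEP_BEFORE),
    'after:', isBlocked(s, allowed, SEP_AFTER));
}
```

In this sketch a redirection such as `2>&1` is also split on `&` and yields an unlisted token, so the gate errs toward prompting rather than toward silent execution.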