π‘οΈ Sentinel: [HIGH] Prevent Windows shell injection via % and ^#811
π‘οΈ Sentinel: [HIGH] Prevent Windows shell injection via % and ^#811
Conversation
This change hardens the `validate_command_args` function to reject `%` and `^` characters. On Windows `cmd.exe`, `%VAR%` is expanded even inside double quotes in some contexts, leading to potential information disclosure. `^` is the escape character in `cmd.exe` and can be used for obfuscation. By blocking these characters in modules that use validation (like `command` module), we prevent these injection vectors. - Removed `%` from the safe character whitelist. - Added `%` and `^` to the dangerous patterns blacklist. - Added regression tests in `tests/security_validate_args.rs`. Co-authored-by: dolagoartur <146357947+dolagoartur@users.noreply.github.com>
|
π Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a π emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
π‘ Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6249c42d2b
βΉοΈ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with π.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| ("%", "variable expansion %"), | ||
| ("^", "cmd.exe escape character"), |
There was a problem hiding this comment.
This change rejects % and ^ in validate_command_args for every platform, but the risk described in the commit is specific to cmd.exe; CommandModule::validate_params applies this validator before shell/OS handling, so valid non-Windows commands like date +%Y or regex patterns using ^ now fail validation and regress existing playbooks. Consider gating these checks to Windows/cmd contexts instead of globally banning both characters.
Useful? React with πΒ / π.
1 participant
π‘οΈ Sentinel: [HIGH] Fix Windows shell injection risks
π¨ Severity: HIGH
π‘ Vulnerability: Windows
cmd.exeallows environment variable expansion (%VAR%) and escape characters (^) even in contexts where arguments are quoted, potentially leading to information disclosure or command obfuscation. TheCommandModuleand other modules rely onvalidate_command_argsto ensure safety, but it previously allowed%and did not block^.π― Impact: An attacker controlling arguments to a command (e.g., via
cmdparameter in a playbook) could read environment variables or bypass filters using^escaping on Windows targets.π§ Fix: Updated
validate_command_argsinsrc/modules/mod.rsto explicitly reject strings containing%or^.β Verification: Added
tests/security_validate_args.rswhich confirms thatvalidate_command_argsnow returns an error for inputs containing these characters. Rancargo test --test security_validate_argsto verify.PR created automatically by Jules for task 4451130124687730839 started by @dolagoartur