Skip to content

fix: prevent heredoc command injection in _check_bash_command#293

Open
shunfeng8421 wants to merge 1 commit into
SWE-agent:mainfrom
shunfeng8421:fix/heredoc-command-injection
Open

fix: prevent heredoc command injection in _check_bash_command#293
shunfeng8421 wants to merge 1 commit into
SWE-agent:mainfrom
shunfeng8421:fix/heredoc-command-injection

Conversation

@shunfeng8421

Copy link
Copy Markdown

Summary

Fix command injection vulnerability in _check_bash_command() via heredoc delimiter bypass.

Vulnerability

The function used shell=True with a heredoc to pass bash commands to bash -n. The heredoc delimiter SOUNIQUEEOF was hardcoded. An attacker controlling the command string could inject this delimiter to break out of the heredoc and execute arbitrary shell commands via shell=True.

Fix

Replace subprocess.run(cmd, shell=True) with subprocess.run(["bash", "-n"], input=command), which passes the command via stdin pipe instead of heredoc. Eliminates shell=True and prevents delimiter injection.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant