cloudposse · Copilot · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026
@@ -0,0 +1,187 @@
+# AI Tool `execute_atmos_command` Accepts Unvalidated Subcommand Arguments (CWE-88)
+
+**Date:** 2026-04-01
+
+**Vulnerability Class:** CWE-88 — Improper Neutralization of Argument Delimiters in a Command
+
+**Severity:** High
+
+**Affected File:** `pkg/ai/tools/atmos/execute_command.go`, lines 70–90 (prior to fix)
+
+---
+
+## Issue Description
+
+The `execute_atmos_command` AI tool split the incoming `command` parameter with
+`strings.Fields()` and forwarded the resulting tokens directly to the Atmos binary
+as arguments, with no validation of which subcommands or flags were being requested.
+
+An AI agent under a prompt-injection or LLM-jacking attack could be induced to run
+state-modifying Terraform operations such as:
+
+```
+terraform apply vpc -s prod -var-file=/etc/passwd
+terraform destroy vpc -s prod --auto-approve
+terraform state rm module.vpc
+```
+
+Because the default permission mode was `ModeAllow` (i.e. no user confirmation), these
+operations could be triggered automatically without any human gate.
+
+### Attack Scenario
+
+1. An adversary crafts a prompt that instructs the LLM to call
+   `execute_atmos_command` with `terraform apply vpc -s prod`.
+2. Because no subcommand validation exists, the tool passes the args directly to the
+   Atmos binary.
+3. With `ModeAllow`, the permission system auto-approves the call.
+4. Production infrastructure is modified without operator awareness.
+
+---
+
+## Root Cause Analysis
+
+### No Subcommand Allowlist
+
+`Execute()` called `strings.Fields(command)` to split the user-controlled string into
+args, then passed the result verbatim to `exec.CommandContext`. There was no inspection
+of `args[0]` or `args[1]` to determine whether the requested operation was read-only or
+state-modifying.
+
+```go
+// Before fix — unsafe:
+args := strings.Fields(command)
+cmd := exec.CommandContext(ctx, t.binaryPath, args...)
+```
+
+### No Permission-Mode Gate at the Tool Layer
+
+The `execute_atmos_command` tool delegated all access control to the upstream permission
+system (`pkg/ai/tools/permission`). When that system was configured to `ModeAllow`
+(auto-approve), any command — including destructive ones — could run without prompting
+the user.
+
+---
+
+## Fix
+
+### 1. Subcommand Blocklists
+
+Three static blocklists were added covering all Terraform operations that modify
+infrastructure or workspace state:
+
+| Blocklist | Entries |
+|---|---|
+| `destructiveTerraformSubcmds` | `apply`, `destroy`, `import`, `force-unlock` |
+| `destructiveTerraformStateSubcmds` | `state rm`, `state mv`, `state push` |
+| `destructiveTerraformWorkspaceSubcmds` | `workspace new`, `workspace delete` |
+
+### 2. `isDestructiveAtmosCommand()` Helper
+
+A new helper function inspects the first 1–3 tokens of the parsed args to determine
+whether the requested operation is state-modifying. Matching is case-insensitive
+(`strings.ToLower`) so `TERRAFORM APPLY` is treated identically to `terraform apply`.
+
+```go
+func isDestructiveAtmosCommand(args []string) bool {
+    if len(args) < 2 || strings.ToLower(args[0]) != "terraform" {
+        return false
+    }
+    subCmd := strings.ToLower(args[1])
+    if destructiveTerraformSubcmds[subCmd] { return true }
+    if subCmd == "state" && len(args) >= 3 {
+        return destructiveTerraformStateSubcmds[strings.ToLower(args[2])]
+    }
+    if subCmd == "workspace" && len(args) >= 3 {
+        return destructiveTerraformWorkspaceSubcmds[strings.ToLower(args[2])]
+    }
+    return false
+}
+```
+
+### 3. Permission-Mode Gate in `Execute()`
+
+The `ExecuteAtmosCommandTool` struct gains a `permissionMode` field (default:
+`permission.ModePrompt`, the safest setting). Before spawning any subprocess, `Execute()`
+checks whether the requested command is destructive and whether the current mode permits
+it:
+
+- **`ModeAllow`, `ModeDeny`, `ModeYOLO`** — state-modifying commands are rejected
+  immediately with `ErrAICommandDestructive`, before any subprocess is created.
+- **`ModePrompt`** — state-modifying commands are forwarded to the upstream permission
+  system, which presents an explicit confirmation prompt to the operator. The subprocess
+  is only created if the operator approves.
+
+```go
+if isDestructiveAtmosCommand(args) {
+    if t.permissionMode != permission.ModePrompt {
+        // Blocked — no subprocess created.
+        return &tools.Result{
+            Success: false,
+            Error:   fmt.Errorf("%w: atmos %s", errUtils.ErrAICommandDestructive, command),
+        }, nil
+    }
+    // ModePrompt: forwarded to upstream permission checker for user confirmation.
+    log.Warnf("Destructive Atmos command will require user confirmation: atmos %s", command)
+}
+```
+
+### 4. New Constructor and Safe Default
+
+`NewExecuteAtmosCommandToolWithPermission(cfg, mode)` allows callers to configure the
+permission mode explicitly. The existing `NewExecuteAtmosCommandTool(cfg)` constructor
+now defaults to `ModePrompt` (previously there was no mode field at all).
+
+---
+
+## Files Modified
+
+| File | Change |
+|---|---|
+| `errors/errors.go` | Added `ErrAICommandDestructive` sentinel error |
+| `pkg/ai/tools/atmos/execute_command.go` | Added blocklists, `isDestructiveAtmosCommand()`, `permissionMode` field, gate in `Execute()`, new constructor, updated description |
+| `pkg/ai/tools/atmos/execute_command_test.go` | Added 87 test cases covering classification, blocking, pass-through, and safe-command scenarios |
+
+---
+
+## Test Coverage
+
+### Classification — `TestIsDestructiveAtmosCommand` (28 cases)
+
+Covers all blocked subcommands, safe read-only subcommands, case-insensitive matching,
+and edge cases (empty args, single token, compound subcommands without a secondary token).
+
+### Blocking — `TestExecuteAtmosCommandTool_DestructiveBlocked` (27 cases)
+
+Verifies that each of the 9 destructive command patterns is blocked across all three
+non-prompt modes (`ModeAllow`, `ModeDeny`, `ModeYOLO`). Confirms that:
+
+- `result.Success` is `false`.
+- `result.Error` contains `"modifies state"`.
+- The subprocess binary is never reached (the test binary is set as `binaryPath` but the
+  validator fires before any invocation).
+
+### Pass-Through — `TestExecuteAtmosCommandTool_DestructiveAllowedInPromptMode` (1 case)
+
+Verifies that `terraform apply` is **not** blocked by the validator in `ModePrompt`,
+confirming the command reaches the execution stage (where the upstream permission system
+takes over for user confirmation).
+
+### Safe Commands — `TestExecuteAtmosCommandTool_SafeCommandsAlwaysAllowed` (32 cases)
+
+Verifies that read-only commands (`terraform plan`, `terraform show`, `terraform output`,
+`terraform validate`, `terraform state list`, `terraform workspace list`, `describe stacks`,
+`list stacks`) are never blocked by the validator in any permission mode.
+
+---
+
+## Backward Compatibility
+
+- `NewExecuteAtmosCommandTool(cfg)` now defaults to `ModePrompt` instead of having no
+  mode field. Callers that previously relied on `ModeAllow` to auto-execute destructive
+  commands without confirmation will need to switch to
+  `NewExecuteAtmosCommandToolWithPermission(cfg, permission.ModePrompt)` and accept the
+  user confirmation prompt — or reconsider whether such automation is appropriate.
+- Safe (read-only) commands are unaffected in all modes.
+- The `execute_atmos_command` tool description now documents the restriction and the
+  confirmation flow so AI agents have accurate information about what is permitted.
@@ -981,6 +981,7 @@ var (
 	ErrAICommandEmpty               = errors.New("command cannot be empty")
 	ErrAICommandBlacklisted         = errors.New("command is blacklisted for security reasons")
 	ErrAICommandRmNotAllowed        = errors.New("rm with recursive or force flags is not allowed")
+	ErrAICommandDestructive         = errors.New("command modifies state and is not permitted in the current permission mode; use ModePrompt with explicit user confirmation")
 	ErrAILSPNotEnabled              = errors.New("LSP is not enabled")
 	ErrAIFileDoesNotExist           = errors.New("file does not exist")
 	ErrAIConfigNil                  = errors.New("cannot switch provider: atmosConfig is nil")

@@ -9,14 +9,38 @@ import (
 
 	errUtils "github.com/cloudposse/atmos/errors"
 	"github.com/cloudposse/atmos/pkg/ai/tools"
+	"github.com/cloudposse/atmos/pkg/ai/tools/permission"
 	log "github.com/cloudposse/atmos/pkg/logger"
 	"github.com/cloudposse/atmos/pkg/schema"
 )
 
+// destructiveTerraformSubcmds is the set of Terraform subcommands that modify infrastructure state.
+// These operations are never auto-executed; they require ModePrompt with explicit user confirmation.
+var destructiveTerraformSubcmds = map[string]bool{
+	"apply":        true,
+	"destroy":      true,
+	"import":       true,
+	"force-unlock": true,
+}
+
+// destructiveTerraformStateSubcmds is the set of "terraform state" subcommands that modify state.
+var destructiveTerraformStateSubcmds = map[string]bool{
+	"rm":   true,
+	"mv":   true,
+	"push": true,
+}
+
+// destructiveTerraformWorkspaceSubcmds is the set of "terraform workspace" subcommands that modify state.
+var destructiveTerraformWorkspaceSubcmds = map[string]bool{
+	"new":    true,
+	"delete": true,
+}
+
 // ExecuteAtmosCommandTool executes any Atmos CLI command.
 type ExecuteAtmosCommandTool struct {
-	atmosConfig *schema.AtmosConfiguration
-	binaryPath  string
+	atmosConfig    *schema.AtmosConfiguration
+	binaryPath     string
+	permissionMode permission.Mode
 }
 
 // NewExecuteAtmosCommandTool creates a new Atmos command execution tool.
@@ -28,33 +52,76 @@ func NewExecuteAtmosCommandTool(atmosConfig *schema.AtmosConfiguration) *Execute
 	}
 
 	return &ExecuteAtmosCommandTool{
-		atmosConfig: atmosConfig,
-		binaryPath:  binary,
+		atmosConfig:    atmosConfig,
+		binaryPath:     binary,
+		permissionMode: permission.ModePrompt, // default to safest mode
 	}
 }
 
+// NewExecuteAtmosCommandToolWithPermission creates a new Atmos command execution tool with explicit permission mode.
+func NewExecuteAtmosCommandToolWithPermission(atmosConfig *schema.AtmosConfiguration, mode permission.Mode) *ExecuteAtmosCommandTool {
+	t := NewExecuteAtmosCommandTool(atmosConfig)
+	t.permissionMode = mode
+	return t
+}
+
 // Name returns the tool name.
 func (t *ExecuteAtmosCommandTool) Name() string {
 	return "execute_atmos_command"
 }
 
 // Description returns the tool description.
 func (t *ExecuteAtmosCommandTool) Description() string {
-	return "LAST RESORT: Execute an Atmos CLI command as a subprocess. Only use this for commands that do NOT have a dedicated tool. Do NOT use this for: listing stacks (use atmos_list_stacks), describing components (use atmos_describe_component), describing affected (use atmos_describe_affected), or validating stacks (use atmos_validate_stacks). Use this only for commands like 'terraform plan', 'terraform apply', 'workflow', etc."
+	return "LAST RESORT: Execute an Atmos CLI command as a subprocess. " +
+		"Only use this for commands that do NOT have a dedicated tool. " +
+		"Do NOT use this for: listing stacks (use atmos_list_stacks), describing components (use atmos_describe_component), " +
+		"describing affected (use atmos_describe_affected), or validating stacks (use atmos_validate_stacks). " +
+		"Safe read-only commands (terraform plan, show, output, validate, state list, workspace list, describe, list) are always allowed. " +
+		"State-modifying operations (terraform apply, destroy, import, force-unlock, state rm/mv/push, workspace new/delete) " +
+		"require ModePrompt for user confirmation; all other modes block them at the tool layer."
 }
 
 // Parameters returns the tool parameters.
 func (t *ExecuteAtmosCommandTool) Parameters() []tools.Parameter {
 	return []tools.Parameter{
 		{
 			Name:        "command",
-			Description: "The Atmos command to execute (without the 'atmos' prefix). Examples: 'terraform plan vpc -s prod-us-east-1', 'terraform apply vpc -s prod-us-east-1', 'workflow deploy'.",
+			Description: "The Atmos command to execute (without the 'atmos' prefix). Examples: 'terraform plan vpc -s prod-us-east-1', 'terraform show vpc -s prod-us-east-1', 'workflow deploy'. State-modifying commands (apply, destroy, import, etc.) require ModePrompt permission mode.",
 			Type:        tools.ParamTypeString,
 			Required:    true,
 		},
 	}
 }
 
+// isDestructiveAtmosCommand reports whether args represent a state-modifying Terraform operation.
+func isDestructiveAtmosCommand(args []string) bool {
+	if len(args) < 2 {
+		return false
+	}
+
+	if strings.ToLower(args[0]) != "terraform" {
+		return false
+	}
+
+	subCmd := strings.ToLower(args[1])
+
+	if destructiveTerraformSubcmds[subCmd] {
+		return true
+	}
+
+	if subCmd == "state" && len(args) >= 3 {
+		stateSubCmd := strings.ToLower(args[2])
+		return destructiveTerraformStateSubcmds[stateSubCmd]
+	}
+
+	if subCmd == "workspace" && len(args) >= 3 {
+		wsSubCmd := strings.ToLower(args[2])
+		return destructiveTerraformWorkspaceSubcmds[wsSubCmd]
+	}
+
+	return false
+}
+
 // Execute runs the Atmos command and returns the output.
 func (t *ExecuteAtmosCommandTool) Execute(ctx context.Context, params map[string]interface{}) (*tools.Result, error) {
 	// Extract command parameter.
@@ -77,6 +144,20 @@ func (t *ExecuteAtmosCommandTool) Execute(ctx context.Context, params map[string
 		}, nil
 	}
 
+	// Validate subcommand: block state-modifying operations unless the permission mode
+	// explicitly requires user confirmation (ModePrompt). This prevents prompt-injection
+	// and LLM-jacking attacks from triggering destructive operations automatically.
+	if isDestructiveAtmosCommand(args) {
+		if t.permissionMode != permission.ModePrompt {
+			log.Warnf("Blocked destructive Atmos command in non-interactive mode: atmos %s", command)
+			return &tools.Result{
+				Success: false,
+				Error:   fmt.Errorf("%w: atmos %s", errUtils.ErrAICommandDestructive, command),
+			}, nil
+		}
+		log.Warnf("Destructive Atmos command will require user confirmation: atmos %s", command)
+	}
+
 	// Create the command using the resolved binary path.
 	cmd := exec.CommandContext(ctx, t.binaryPath, args...) //nolint:gosec // binaryPath is resolved from os.Executable() at construction time, not user input.
 	cmd.Dir = t.atmosConfig.BasePath
@@ -108,7 +189,6 @@ func (t *ExecuteAtmosCommandTool) RequiresPermission() bool {
 
 // IsRestricted returns true if this tool is always restricted.
 func (t *ExecuteAtmosCommandTool) IsRestricted() bool {
-	// Check if this is a destructive command.
-	// Apply, destroy, and workflow commands are always restricted.
-	return false // Permission system will handle per-command restrictions.
+	// Permission system will handle per-command restrictions.
+	return false
 }