Summary
Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arbitrary commands nested inside an allowlisted command like echo.
Details
When a user grants permission for a command (e.g., echo always allow), Zed creates a regex pattern like ^echo\b in always_allow. The regex validates the command string but does not account for bash arithmetic expansion syntax $((...)). Arbitrary commands can be embedded inside $(($(cmd))) and will be executed by the shell after passing the regex check.
PoC
- Configure Zed with:
"always_allow": [{ "pattern": "^echo\\b" }]
- Via the AI agent, ask to run specifi command, like calculate how many rows has google.com html page:
echo $(($(curl -s https://google.com | wc -l)))
- The
curl command executes despite only echo being allowlisted.
Impact
An attacker who can influence AI agent tool calls (e.g., via prompt injection in repository files) can achieve arbitrary command execution on the user's machine, bypassing the permission system entirely. This affects any Zed user relying on terminal command allowlists for security.
Note: tested on the latest PRE-release version v0.223.3
Patches
Summary
Zed's terminal tool permission system can be bypassed via bash arithmetic expansion
$((...)), allowing execution of arbitrary commands nested inside an allowlisted command likeecho.Details
When a user grants permission for a command (e.g.,
echoalways allow), Zed creates a regex pattern like^echo\binalways_allow. The regex validates the command string but does not account for bash arithmetic expansion syntax$((...)). Arbitrary commands can be embedded inside$(($(cmd)))and will be executed by the shell after passing the regex check.PoC
curlcommand executes despite onlyechobeing allowlisted.Impact
An attacker who can influence AI agent tool calls (e.g., via prompt injection in repository files) can achieve arbitrary command execution on the user's machine, bypassing the permission system entirely. This affects any Zed user relying on terminal command allowlists for security.
Note: tested on the latest PRE-release version v0.223.3
Patches