Copilot AI (Contributor) commented Jan 10, 2026

The `ShortcutsCommandRunner` was vulnerable to shell command injection through unescaped `shortcutIdentifier` values in shell scripts. A malicious identifier like `Shortcut"; rm -rf ~; echo "x"` would execute arbitrary commands.

Changes

  • Replace shell script execution with direct Process invocation in ShortcutsCommandRunner.run()

    • Pass shortcutIdentifier as a separate argument array instead of interpolating into a shell string
    • Remove dependency on ScriptCommandRunner
  • Apply same fix to CommandRunner.reveal() for the shortcuts view command

Before

```swift
// Vulnerable: the identifier is interpolated into a shell script and parsed by the shell.
let source = """
shortcuts run "\(command.shortcutIdentifier)"
"""
let shellScript = ScriptCommand(...)
return try await commandRunner.run(shellScript, ...)
```

After

```swift
// Fixed: the identifier is passed as a single argv element, no shell involved.
let process = Process()
process.executableURL = URL(filePath: "/usr/bin/shortcuts")
process.arguments = ["run", command.shortcutIdentifier]
try process.run()
```

This prevents shell interpretation of special characters in user-controlled input from configuration files.


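A regression check for the fix described above, written as an added example rather than code from the KeyboardCowboy project: it launches a child with an argument array exactly as the patched runner does and captures stdout to confirm the identifier arrives as one untouched argv element. `/bin/echo` stands in for `/usr/bin/shortcuts` so the check runs without the Shortcuts app and never invokes a shell; the helper name `runCapturingOutput` is hypothetical.

```swift
import Foundation

// Hypothetical test helper: run an executable with an argv array (no shell),
// capture its stdout, and return the exit status with the captured text.
func runCapturingOutput(executable: String, arguments: [String]) throws -> (status: Int32, output: String) {
    let process = Process()
    process.executableURL = URL(fileURLWithPath: executable)
    process.arguments = arguments            // each element is one argv entry, never re-parsed
    let pipe = Pipe()
    process.standardOutput = pipe
    try process.run()
    // Drain the pipe before waiting so a chatty child cannot block on a full buffer.
    let data = pipe.fileHandleForReading.readDataToEndOfFile()
    process.waitUntilExit()
    return (process.terminationStatus, String(decoding: data, as: UTF8.self))
}

// The identifier from the PR description, used here only as inert test input.
let hostileIdentifier = #"Shortcut"; rm -rf ~; echo "x"#

// Before the fix this string was handed to a shell, which would read the quotes
// and semicolons as command separators. Here it is only inspected, never executed.
let interpolatedScript = "shortcuts run \"\(hostileIdentifier)\""
assert(interpolatedScript.contains("; rm -rf ~;"))

// After the fix the child sees the identifier verbatim as a single argument:
// /bin/echo prints its argv joined by spaces, so the output must be exactly
// "run " + identifier + "\n" with every quote and semicolon intact.
let result = try runCapturingOutput(executable: "/bin/echo", arguments: ["run", hostileIdentifier])
assert(result.status == 0)
assert(result.output == "run \(hostileIdentifier)\n")
print("identifier delivered unmodified: \(result.output)", terminator: "")
```

The same harness can be pointed at the real runner in a unit test by swapping the executable path, which keeps the check meaningful if the invocation is ever refactored back toward string interpolation.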

Base automatically changed from swift/format to main January 10, 2026 13:35

Replace shell script execution with direct Process invocation, passing
shortcutIdentifier as a separate argument to prevent command injection.
This fixes the security vulnerability where malicious shortcut names
could execute arbitrary shell commands.

Co-authored-by: zenangst <[email protected]>
Copilot AI changed the title from "[WIP] WIP: Address feedback on code formatting in swiftformat PR" to "Fix shell injection vulnerability in ShortcutsCommandRunner" Jan 10, 2026
Copilot AI requested a review from zenangst January 10, 2026 13:41
Signed-off-by: Christoffer Winterkvist <[email protected]>
@zenangst zenangst marked this pull request as ready for review January 10, 2026 19:19
@github-actions commented:

Test: succeeded ✅
https://github.com/zenangst/KeyboardCowboy/actions/runs/20883160741

@zenangst zenangst merged commit 46422ef into main Jan 11, 2026
1 check passed
@zenangst zenangst deleted the copilot/sub-pr-690 branch January 11, 2026 15:00