diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..167d328 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-04-08 - Prevent command injection by bypassing shell wrapper +**Vulnerability:** Command injection risk via string interpolation into a shell command wrapper. +**Learning:** `toolExists` in `CacheCategory.swift` used `shell("/usr/bin/which \(tool)")`, executing via `/bin/bash -c`. Although the input was currently hardcoded, this pattern creates a severe vulnerability if dynamic inputs are ever passed. +**Prevention:** Always use direct execution via `Process()` and pass inputs inside `process.arguments` instead of interpolating strings into a shell command. diff --git a/Sources/Cacheout/Models/CacheCategory.swift b/Sources/Cacheout/Models/CacheCategory.swift index 7b3d942..d8f3194 100644 --- a/Sources/Cacheout/Models/CacheCategory.swift +++ b/Sources/Cacheout/Models/CacheCategory.swift @@ -186,8 +186,28 @@ struct CacheCategory: Identifiable, Hashable { } private func toolExists(_ tool: String) -> Bool { - let result = shell("/usr/bin/which \(tool)") - return result != nil && !result!.isEmpty + let process = Process() + let pipe = Pipe() + + process.executableURL = URL(fileURLWithPath: "/usr/bin/which") + process.arguments = [tool] + process.standardOutput = pipe + process.standardError = FileHandle.nullDevice + process.environment = [ + "PATH": "/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin", + "HOME": FileManager.default.homeDirectoryForCurrentUser.path + ] + + do { + try process.run() + let data = pipe.fileHandleForReading.readDataToEndOfFile() + process.waitUntilExit() + guard process.terminationStatus == 0 else { return false } + let output = String(data: data, encoding: .utf8)?.trimmingCharacters(in: .whitespacesAndNewlines) + return output != nil && !output!.isEmpty + } catch { + return false + } } private func runProbe(_ command: String) -> String? {