From 5fa748235e60085161af23acc4f20f35829e4d75 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 8 Apr 2026 07:24:57 +0000
Subject: [PATCH] Refactor toolExists to use direct Process execution

Migrates away from using `shell("/usr/bin/which \(tool)")` via `/bin/bash -c` which passes parameters via string interpolation. Instead, it now directly executes `/usr/bin/which` using `Process()` with the tool safely supplied via `process.arguments = [tool]`. This eliminates a command injection risk as a defense-in-depth measure.

Co-authored-by: acebytes <2820910+acebytes@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 Sources/Cacheout/Models/CacheCategory.swift | 24 +++++++++++++++++++--
 2 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..167d328
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-04-08 - Prevent command injection by bypassing shell wrapper
+**Vulnerability:** Command injection risk via string interpolation into a shell command wrapper.
+**Learning:** `toolExists` in `CacheCategory.swift` used `shell("/usr/bin/which \(tool)")`, executing via `/bin/bash -c`. Although the input was currently hardcoded, this pattern creates a severe vulnerability if dynamic inputs are ever passed.
+**Prevention:** Always use direct execution via `Process()` and pass inputs inside `process.arguments` instead of interpolating strings into a shell command.
diff --git a/Sources/Cacheout/Models/CacheCategory.swift b/Sources/Cacheout/Models/CacheCategory.swift
index 7b3d942..d8f3194 100644
--- a/Sources/Cacheout/Models/CacheCategory.swift
+++ b/Sources/Cacheout/Models/CacheCategory.swift
@@ -186,8 +186,28 @@ struct CacheCategory: Identifiable, Hashable {
 }
 
 private func toolExists(_ tool: String) -> Bool {
- let result = shell("/usr/bin/which \(tool)")
- return result != nil && !result!.isEmpty
+ let process = Process()
+ let pipe = Pipe()
+
+ process.executableURL = URL(fileURLWithPath: "/usr/bin/which")
+ process.arguments = [tool]
+ process.standardOutput = pipe
+ process.standardError = FileHandle.nullDevice
+ process.environment = [
+ "PATH": "/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin",
+ "HOME": FileManager.default.homeDirectoryForCurrentUser.path
+ ]
+
+ do {
+ try process.run()
+ let data = pipe.fileHandleForReading.readDataToEndOfFile()
+ process.waitUntilExit()
+ guard process.terminationStatus == 0 else { return false }
+ let output = String(data: data, encoding: .utf8)?.trimmingCharacters(in: .whitespacesAndNewlines)
+ return output != nil && !output!.isEmpty
+ } catch {
+ return false
+ }
 }
 
 private func runProbe(_ command: String) -> String? {
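Review bot: The hard-coded `"PATH"` entry in `process.environment` is the most security-relevant line of the new `toolExists` and carries no comment saying why it is there; it makes tool discovery independent of whatever PATH the caller inherited, which also means a tool installed outside those five directories is now reported as missing (if the removed `shell()` helper inherited the user's environment, that is a behaviour change the commit message does not mention). Suggest `// Pin PATH so lookup does not depend on the inherited, user-controllable environment; tools outside these directories are treated as absent.` above the dictionary literal. The final `return output != nil && !output!.isEmpty` keeps the force-unwrap from the deleted code; since a zero exit status from `which` already means a path was printed, `return !(output?.isEmpty ?? true)` expresses the same check without `!`. Because `tool` is still passed verbatim to the child process, a value beginning with `-` would most likely be parsed by `which` as an option rather than a name, so if the caller set ever becomes dynamic the name should be validated (no leading `-`, no path separators) before `process.run()`. The enclosing `struct CacheCategory` and the `runProbe` definition on the last context line continue outside the hunk.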