diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..572ba5f --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-11-20 - Command Injection in Tool Validation +**Vulnerability:** Found a command injection vulnerability in `toolExists` within `Sources/Cacheout/Models/CacheCategory.swift` where user-controlled input (`tool`) was interpolated into a shell wrapper: `shell("/usr/bin/which \(tool)")`. +**Learning:** String interpolation in shell commands (`bash -c`) evaluates variables dynamically in the shell, opening severe command injection vectors if the input contains spaces, pipelines, or glob characters. +**Prevention:** Always avoid shell wrappers (`bash -c`) when possible. Use direct `Process` execution (e.g., `/usr/bin/env` with `arguments = ["which", tool]`) where dynamic arguments are passed safely as an array, entirely bypassing the shell's evaluation step. diff --git a/Sources/Cacheout/Models/CacheCategory.swift b/Sources/Cacheout/Models/CacheCategory.swift index 7b3d942..ba20985 100644 --- a/Sources/Cacheout/Models/CacheCategory.swift +++ b/Sources/Cacheout/Models/CacheCategory.swift @@ -186,8 +186,23 @@ struct CacheCategory: Identifiable, Hashable { } private func toolExists(_ tool: String) -> Bool { - let result = shell("/usr/bin/which \(tool)") - return result != nil && !result!.isEmpty + let process = Process() + process.executableURL = URL(fileURLWithPath: "/usr/bin/env") + process.arguments = ["which", tool] + process.standardOutput = FileHandle.nullDevice + process.standardError = FileHandle.nullDevice + process.environment = [ + "PATH": "/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin", + "HOME": FileManager.default.homeDirectoryForCurrentUser.path + ] + + do { + try process.run() + process.waitUntilExit() + return process.terminationStatus == 0 + } catch { + return false + } } private func runProbe(_ command: String) -> String? {