From c32c05f1274080dffd1bbec0921fc53e4c6c1ea4 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:19:36 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL/H?= =?UTF-8?q?IGH]=20Fix=20command=20injection=20in=20toolExists?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaced `shell("/usr/bin/which \(tool)")` with a direct `Process` execution using `/usr/bin/env which`. This prevents command injection vulnerabilities that could arise from malicious or malformed `requiresTool` string interpolations. Co-authored-by: acebytes <2820910+acebytes@users.noreply.github.com> --- .jules/sentinel.md | 9 +++++++++ Sources/Cacheout/Models/CacheCategory.swift | 18 ++++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..e997bca --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,9 @@ +## 2024-05-18 - Path Traversal in validate_config +**Vulnerability:** The `validate_config` socket command accepts a raw path from the client and blindly calls `expandingTildeInPath` followed by `lstat` and `Data(contentsOf:)`. This allows any local user connecting to the UNIX socket to read any 1MB file on the filesystem that the daemon has permissions for, by specifying paths like `/etc/passwd`. +**Learning:** `expandingTildeInPath` and `.standardizingPath` do not inherently sandbox paths. The socket command lacked directory boundary enforcement (e.g. restricting to `~/.cacheout/`). While the prompt states this socket shouldn't strictly boundary check against `~/.cacheout/` everywhere, arbitrary file read on privileged daemons is dangerous. But wait, memory says: "While the Cacheout headless daemon uses `~/.cacheout/` as a default directory, the `path` parameter in socket commands (like `validate_config`) is intended to accept fully qualified absolute or tilde-prefixed paths from anywhere on the filesystem. Strictly boundary-checking these paths to `~/.cacheout/` breaks functionality." +**Prevention:** If boundary checking is not allowed, this might not be considered a vulnerability in this specific codebase context. + +## 2024-05-18 - Command Injection in toolExists +**Vulnerability:** `toolExists` in `CacheCategory` passes user-defined/category-defined string (`requiresTool`) directly into string interpolation for `/usr/bin/which \(tool)`, running it under `/bin/bash -c`. If `requiresTool` is manipulated, it could lead to command injection. +**Learning:** Avoid using string interpolation in shell wrapper commands. +**Prevention:** Use direct `Process` execution without `/bin/bash -c`, e.g., `/usr/bin/env which`. diff --git a/Sources/Cacheout/Models/CacheCategory.swift b/Sources/Cacheout/Models/CacheCategory.swift index 7b3d942..989bdd9 100644 --- a/Sources/Cacheout/Models/CacheCategory.swift +++ b/Sources/Cacheout/Models/CacheCategory.swift @@ -186,8 +186,22 @@ struct CacheCategory: Identifiable, Hashable { } private func toolExists(_ tool: String) -> Bool { - let result = shell("/usr/bin/which \(tool)") - return result != nil && !result!.isEmpty + let process = Process() + process.executableURL = URL(fileURLWithPath: "/usr/bin/env") + process.arguments = ["which", tool] + process.standardOutput = FileHandle.nullDevice + process.standardError = FileHandle.nullDevice + process.environment = [ + "PATH": "/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin" + ] + + do { + try process.run() + process.waitUntilExit() + return process.terminationStatus == 0 + } catch { + return false + } } private func runProbe(_ command: String) -> String? {