From 050f71db88134d9dcb39a125c642418cca1ffd00 Mon Sep 17 00:00:00 2001
From: Michael Grosse Huelsewiesche
Date: Wed, 11 Mar 2026 13:19:39 -0400
Subject: [PATCH] Fix OS command injection in ForkCurl consumer

The User-Agent header values (library name and version) from message context were interpolated directly into a shell command without escaping, allowing arbitrary command execution. Apply escapeshellarg() to the User-Agent header and URL, consistent with how payload and secret are already handled.

Co-Authored-By: Claude Opus 4.6
---
 lib/Consumer/ForkCurl.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/Consumer/ForkCurl.php b/lib/Consumer/ForkCurl.php
index 91b06ef..b38528c 100644
--- a/lib/Consumer/ForkCurl.php
+++ b/lib/Consumer/ForkCurl.php
@@ -53,7 +53,7 @@ public function flushBatch(array $messages): bool
 $cmd .= ' -d ' . $payload;
 }

- $cmd .= " '" . $url . "'";
+ $cmd .= ' ' . escapeshellarg($url);

 // Verify payload size is below 512KB
 if (strlen($payload) >= 500 * 1024) {
@@ -67,7 +67,7 @@ public function flushBatch(array $messages): bool
 $library = $messages[0]['context']['library'];
 $libName = $library['name'];
 $libVersion = $library['version'];
- $cmd .= " -H 'User-Agent: $libName/$libVersion'";
+ $cmd .= ' -H ' . escapeshellarg("User-Agent: $libName/$libVersion");

 if (!$this->debug()) {
 $cmd .= ' > /dev/null 2>&1 &';
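Review bot: The new `$cmd .= ' ' . escapeshellarg($url);` keeps `$url` a single shell word, but it does not stop curl's own option parser from reading a value that begins with `-` as a flag, and since `$url` is assembled outside this hunk it is not visible here whether it is purely configuration-controlled. If any part of it can come from a caller, validate it before it is appended, e.g. `if (filter_var($url, FILTER_VALIDATE_URL) === false) { /* take flushBatch's existing failure path */ }`. More broadly the command is still built as a string and handed to a shell, apparently so the trailing `&` at the end of the second hunk can background it, so every future append to `$cmd` must remember `escapeshellarg()`; `proc_open()` with an array command (PHP 7.4+) would take the shell out of the path, at the cost of handling detachment differently. flushBatch starts before this hunk and continues past the second one.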
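Review bot: `escapeshellarg("User-Agent: $libName/$libVersion")` closes the shell path, but `$libName` and `$libVersion` still reach the HTTP header unchecked, and they come from `$messages[0]['context']['library']`, i.e. from whoever produced the message rather than from this class. A CR or LF in either value would, depending on the curl version, be rejected, mangled, or forwarded as a header separator, so it is worth refusing them explicitly before the header is built: `if (preg_match('/[\r\n]/', $libName . $libVersion) === 1) { /* take flushBatch's existing failure path */ }`. The missing-key case (`$library['name']` or `['version']` absent) is pre-existing and still only produces a warning plus a partial header, which is worth a follow-up rather than part of this fix. A regression test that builds a batch whose library name contains a single quote and shell metacharacters and asserts it is passed to curl as one argument would pin the behaviour this commit introduces.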