fix(terminal-security): prevent newline bypass in command validation #8512
+266
−1
Summary
Fixes a security vulnerability where an attacker could bypass the terminal command allow-list by using newline characters (\n, \r\n, \r) as command separators.
The Vulnerability
The shell-quote library treats literal newline characters as whitespace rather than command separators. This caused multiple newline-separated commands to be evaluated as a single command, allowing dangerous commands to be hidden after safe ones.
Attack Examples
ls\nopen -a Calculator → Bypassed to allowedWithoutPermission (should require permission)
ls\nnpm install malicious → Bypassed to allowedWithoutPermission (should require permission)
echo hello\nopen -a Calculator → Bypassed to allowedWithoutPermission (should require permission)
The Fix
The solution splits input on line breaks (/\r?\n|\r/) before parsing with shell-quote, evaluating each line independently and returning the most restrictive policy.
Changes
evaluateTerminalCommandSecurity() to split on newlines before parsing
\n, \r\n, \r)
Security Impact
✅ Fixed: Newline bypass for medium/high-risk commands
✅ Maintained: Critical commands (sudo, rm -rf /) still properly blocked
✅ Maintained: Existing security checks for semicolons, pipes, etc.
Testing
All 224 tests pass, including:
This agent session was co-authored by nate and Continue.
Summary by cubic
Prevents a newline-based bypass in terminal command validation by splitting input on line breaks and evaluating each line separately. Applies the most restrictive policy across lines to stop hidden dangerous commands.
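The split-then-take-the-strictest logic described in the fix, as an added example that is not the pull request's code. The single-line evaluator, the command allow-list and the policy names other than allowedWithoutPermission are assumptions made for illustration; the whitespace tokenizer stands in for the shell-quote behaviour the description reports.

```javascript
// Policies ordered from least to most restrictive. Only
// "allowedWithoutPermission" appears on the page; the other two are assumed.
const POLICY_ORDER = ["allowedWithoutPermission", "allowedWithPermission", "disabled"];

// Hypothetical allow-list of commands that may run without a prompt.
const SAFE_COMMANDS = new Set(["ls", "echo", "pwd", "cat"]);

// Stand-in evaluator for ONE command. It tokenizes on any whitespace, so a
// newline inside `line` is treated like a space, as the description says
// shell-quote does.
function evaluateSingleLine(line) {
  const tokens = line.trim().split(/\s+/).filter(Boolean);
  if (tokens.length === 0) return "allowedWithoutPermission";
  if (tokens.includes("sudo")) return "disabled";
  return SAFE_COMMANDS.has(tokens[0]) ? "allowedWithoutPermission" : "allowedWithPermission";
}

function mostRestrictive(a, b) {
  return POLICY_ORDER.indexOf(a) >= POLICY_ORDER.indexOf(b) ? a : b;
}

// Before: the whole input reaches the evaluator as a single command, so only
// the first token decides the policy.
function evaluateUnsplit(input) {
  return evaluateSingleLine(input);
}

// After: split on \n, \r\n and \r, evaluate every line on its own, and keep
// the strictest policy seen.
function evaluateSplit(input) {
  return input
    .split(/\r?\n|\r/)
    .filter((line) => line.trim() !== "")
    .map(evaluateSingleLine)
    .reduce((acc, policy) => mostRestrictive(acc, policy), "allowedWithoutPermission");
}

// Constructed inputs: variants of the cases in the description, covering all
// three line-break forms, plus one input where every line is on the allow-list.
const samples = [
  "ls\nopen -a Calculator",
  "ls\r\nnpm install malicious",
  "echo hello\ropen -a Calculator",
  "ls\npwd",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "unsplit:", evaluateUnsplit(s), "split:", evaluateSplit(s));
}
```

An input whose lines are all on the allow-list still evaluates to allowedWithoutPermission after the split, so the change tightens only inputs that carry a second, unlisted command.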