
fix: Eliminate command injection vulnerabilities in shell commands#488

Open
txmyer-dev wants to merge 1 commit into danielmiessler:main from txmyer-dev:main

Conversation

@txmyer-dev

Summary

  • Replace shell-interpolated execSync calls with execFileSync using argument arrays
  • Replace shell-interpolated curl with native fetch() API
  • Replace Bun's $ template shell commands with execFile and fs.mkdir
  • Add input validation for WHOIS queries to reject dangerous characters

Files Changed

  • Packs/pai-hook-system/src/hooks/UpdateTabTitle.hook.ts
  • Packs/pai-recon-skill/src/tools/WhoisParser.ts
  • Packs/pai-recon-skill/src/tools/BountyPrograms.ts

Test plan

  • Verify kitty tab title updates still work
  • Verify voice notifications still work
  • Verify WHOIS queries work for valid domains
  • Verify WHOIS rejects malicious input like ; rm -rf /

🤖 Generated with Claude Code

Replace shell-interpolated execSync calls with safer alternatives:
- UpdateTabTitle: Use execFileSync with argument arrays for kitty/kitten
- UpdateTabTitle: Use fetch() instead of curl for voice notifications
- UpdateTabTitle: Write escape sequences directly to stderr
- WhoisParser: Use execFile with input validation for whois queries
- BountyPrograms: Use fs.mkdir instead of shell mkdir

Co-Authored-By: Claude Opus 4.5 <[email protected]>