gmgauthier/grokkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 11 Wiki Activity

fix(recipe): improve allowed shell command validation

Browse Source 
Update the command matching logic to require an exact match or the command followed by a space and arguments. Also normalize case and trim whitespace for safe commands to prevent loose prefix matches that could allow unintended commands.
This commit is contained in:
Greg Gauthier 2026-03-07 19:37:53 +00:00
parent 685b0f40d7
commit 4603a1ec7a
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
internal/recipe/loader.go
View File

@ -75,9 +75,13 @@ func Load(path string, userParams map[string]any) (*Recipe, error) {
safeMap := safeCommands() safeMap := safeCommands()
for _, cmd := range r.AllowedShellCommands { for _, cmd := range r.AllowedShellCommands {
trimmed := strings.ToLower(strings.TrimSpace(cmd)) trimmed := strings.ToLower(strings.TrimSpace(cmd))
allowed := false allowed := false
for safe := range safeMap { for safe := range safeMap {
if strings.HasPrefix(trimmed, safe) { safeTrim := strings.ToLower(strings.TrimSpace(safe))
// Match exact command OR command followed by space + arguments
if trimmed == safeTrim || strings.HasPrefix(trimmed, safeTrim+" ") {
allowed = true allowed = true
break break
} }