Skip to content

πŸ›‘οΈ Sentinel: [CRITICAL] Fix command injection in child process execution#63

Open
Donach wants to merge 1 commit into
cfx/android-hermes-clientfrom
sentinel-fix-command-injection-13111848230379582701
Open

πŸ›‘οΈ Sentinel: [CRITICAL] Fix command injection in child process execution#63
Donach wants to merge 1 commit into
cfx/android-hermes-clientfrom
sentinel-fix-command-injection-13111848230379582701

Conversation

@Donach
Copy link
Copy Markdown

@Donach Donach commented May 27, 2026

🚨 Severity: CRITICAL

πŸ’‘ Vulnerability: Found execSync being used with string interpolation for dynamic variables (sudoUser in apps/agor-cli/src/commands/admin/sync-unix.ts and chownTo / envFile in apps/agor-daemon/src/services/terminals.ts). This pattern executes within a shell (/bin/sh), allowing for command injection if an attacker can manipulate these inputs.

🎯 Impact: A threat actor breaking out of the string boundary could execute arbitrary system commands on the host machine. Given these functions interface with sudo and getent, this could easily lead to unconstrained privilege escalation or data exfiltration.

πŸ”§ Fix: Replaced execSync with execFileSync, completely bypassing the shell. Passed the binaries directly and utilized argument arrays (['passwd', '--', String(sudoUser)]) to ensure variables are strictly treated as string arguments.

βœ… Verification:

  1. Ran pnpm lint and fixed formatting gaps via pnpm lint:fix.
  2. Verified all tests securely pass across @agor/cli, @agor/core, and @agor/daemon via export NODE_OPTIONS="--max-old-space-size=4096"; pnpm test.
  3. Verified the required learnings are recorded in .jules/sentinel.md.

PR created automatically by Jules for task 13111848230379582701 started by @Donach

@google-labs-jules @Donach
πŸ›‘οΈ Sentinel: [CRITICAL] Fix command injection in child process execution
76f3a02 
Migrates `execSync` calls containing dynamic interpolation strings over to `execFileSync` to mitigate command injection risks.

Specifically, in `apps/agor-cli/src/commands/admin/sync-unix.ts` and `apps/agor-daemon/src/services/terminals.ts`, user inputs or dynamic variables were previously embedded directly into shell commands via template literals. The updated code now invokes the binaries directly (via `execFileSync`) and passes the arguments explicitly as array elements along with `--` where necessary, which entirely bypasses shell execution and closes the command and argument injection vectors.

The journal `.jules/sentinel.md` has been updated with these learnings.

Co-authored-by: Donach <39565367+Donach@users.noreply.github.com>
@google-labs-jules
Copy link
Copy Markdown

google-labs-jules Bot commented May 27, 2026

πŸ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a πŸ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Donach