Security: Command injection risk in privileged shell command construction

[tomaioo]

Summary

Security: Command injection risk in privileged shell command construction

Problem

Severity: High | File: macapp/src/rinoh_macapp/app.py:L29

The macOS helper builds a shell command string (create_link) using .format() and then executes it via AppleScript do shell script ... with administrator privileges. Because arguments are interpolated into a single shell string without robust escaping/quoting, a path containing shell metacharacters (for example, a crafted app install path with quotes or ;) could alter the command executed as admin.

Solution

Avoid building a shell command string. Execute privileged operations with argument-safe APIs (e.g., a dedicated helper binary/script invoked with fixed argv), or strictly shell-escape each value with shlex.quote() before interpolation. Also validate that rinoh_path and link_path contain only expected characters.

Changes

• macapp/src/rinoh_macapp/app.py (modified)

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[brechtm]

Closing: PR submitted by AI bot not reviewed by their owner.