@triepod-ai

Summary

Adds input validation to the CLI to prevent potential command injection vulnerabilities.

Changes

  • Add isValidEnvVarName() - validates env var names match [a-zA-Z_][a-zA-Z0-9_]*
  • Add isValidEnvVarValue() - rejects values containing null bytes
  • Add validateEnvVars() - filters invalid env vars with warnings
  • Add validateServerUrl() - validates URL protocol, warns on private IPs
  • Add validateCommand() - checks for shell metacharacters, verifies command exists
  • Apply validation in runWebClient() and runCli() functions
  • Add 11 integration tests for validation functions

Security Impact

  • Prevents command injection via malicious env var names
  • Prevents string truncation via null bytes in values
  • Warns users about connecting to internal addresses

Test plan

  • Build passes (npm run build)
  • CLI validation tests pass (11/11)
  • Manual testing of edge cases
  • Existing CLI functionality works

🤖 Generated with Claude Code

- Add isValidEnvVarName() to validate env var names match [a-zA-Z_][a-zA-Z0-9_]*
- Add isValidEnvVarValue() to reject values with null bytes
- Add validateEnvVars() to filter invalid env vars with warnings
- Add validateServerUrl() to validate URL protocol and warn on private IPs
- Add validateCommand() to check for shell metacharacters and verify command exists
- Apply validation in runWebClient() and runCli() functions
- Add 11 integration tests for validation functions

Security Impact:
- Prevents command injection via malicious env var names
- Prevents string truncation via null bytes in values
- Warns users about connecting to internal addresses

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
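
A sketch of the env var and server URL checks listed in this pull request, added here as an example; it is not the PR's code. The function names and the name pattern come from the description above, while the function bodies, return shapes, accepted protocols (http/https) and private-address ranges are assumptions.

```javascript
// Added example: hypothetical implementations, not the PR's code.
const ENV_NAME_RE = /^[a-zA-Z_][a-zA-Z0-9_]*$/; // pattern quoted in the PR

function isValidEnvVarName(name) {
  return typeof name === "string" && ENV_NAME_RE.test(name);
}

function isValidEnvVarValue(value) {
  return typeof value === "string" && !value.includes("\0");
}

// Keep valid pairs; report each dropped entry as a warning instead of throwing.
function validateEnvVars(env) {
  const valid = {};
  const warnings = [];
  for (const [name, value] of Object.entries(env)) {
    if (!isValidEnvVarName(name)) {
      warnings.push(`skipped env var, invalid name: ${JSON.stringify(name)}`);
    } else if (!isValidEnvVarValue(value)) {
      warnings.push(`skipped env var ${name}: value contains a null byte`);
    } else {
      valid[name] = value;
    }
  }
  return { valid, warnings };
}

// Assumed "private" set: localhost, loopback, RFC 1918 and link-local IPv4.
function isPrivateHost(host) {
  if (host === "localhost" || host === "[::1]") return true;
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Assumption: only http(s) is accepted; private targets warn but still pass.
function validateServerUrl(raw) {
  let url;
  try { url = new URL(raw); } // also canonicalizes IPv4 spellings such as 0x7f.1
  catch { return { ok: false, warnings: ["not a parseable URL"] }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, warnings: [`unsupported protocol ${url.protocol}`] };
  }
  const priv = isPrivateHost(url.hostname);
  return { ok: true, warnings: priv ? [`${url.hostname} is a private address`] : [] };
}
```

Passing only the `valid` object on to the spawned process keeps a rejected name or value from ever reaching the child environment.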