From 542c6fbbe02826210eab264b542f74a025a9f5c1 Mon Sep 17 00:00:00 2001
From: Rootless-Ghost/RG-Nebula <139057350+Rootless-Ghost@users.noreply.github.com>
Date: Mon, 13 Apr 2026 13:10:39 -0400
Subject: [PATCH] Potential fix for code scanning alert no. 2: Uncontrolled command line

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 core/executor.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/core/executor.py b/core/executor.py
index 56dc5d4..5b66b43 100644
--- a/core/executor.py
+++ b/core/executor.py
@@ -93,6 +93,25 @@ def substitute_variables_safe(
     return result
+def _is_allowed_atomic_command(command: str, executor_type: str) -> bool:
+    """Return True if command exactly matches an embedded atomic test/cleanup command."""
+    try:
+        from .atomics import ATOMICS # local import to avoid circular import at module load
+    except Exception:
+        return False
+
+    et = (executor_type or "").lower().strip()
+    for technique in ATOMICS.values():
+        for test in technique.get("tests", []):
+            if str(test.get("executor_type", "")).lower().strip() != et:
+                continue
+            test_cmd = test.get("command")
+            cleanup_cmd = test.get("cleanup_command")
+            if command == test_cmd or (cleanup_cmd is not None and command == cleanup_cmd):
+                return True
+    return False
+
+
 def execute(
     command: str,
     executor_type: str,
@@ -117,6 +136,13 @@ def execute(
     """
     executor_type = executor_type.lower().strip()
+    if not _is_allowed_atomic_command(command, executor_type):
+        logger.warning("Rejected non-allowlisted command for executor=%s", executor_type)
+        return ExecutionResult(
+            command=command,
+            error="Command is not in the embedded atomic allowlist.",
+        )
+
     if dry_run:
         logger.info("[DRY RUN] executor=%s command=%s", executor_type, command[:80])
         return ExecutionResult(
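Review bot: The allowlist check in `_is_allowed_atomic_command` is an exact string equality against the embedded `command`/`cleanup_command` templates, yet the same file carries `substitute_variables_safe` (its closing `return result` is this hunk's first context line), which suggests `execute` is handed commands after placeholder substitution; if that is the call path, every substituted command differs from its template and is rejected, turning the fix into a blanket block rather than an allowlist — this needs confirming against the callers before merge. The `except Exception: return False` fails closed, which is the right default, but it also converts any defect in `.atomics` into silent rejection of every command with nothing in the log; it should be `except ImportError:` with a `logger.warning("Embedded atomics allowlist unavailable; rejecting command")` before the return. As a matter of style, the nested loop rescans every technique on each call, so building the `(executor_type, command)` set once and caching it at module level makes the check a single membership test and keeps the normalisation in one place.
```python
_ALLOWED_ATOMIC_COMMANDS: frozenset[tuple[str, str]] | None = None


def _load_allowed_atomic_commands() -> frozenset[tuple[str, str]]:
    """Build the (executor_type, command) allowlist once from the embedded atomics."""
    global _ALLOWED_ATOMIC_COMMANDS
    if _ALLOWED_ATOMIC_COMMANDS is None:
        from .atomics import ATOMICS  # local import to avoid circular import at module load
        pairs = set()
        for technique in ATOMICS.values():
            for test in technique.get("tests", []):
                et = str(test.get("executor_type", "")).lower().strip()
                for cmd in (test.get("command"), test.get("cleanup_command")):
                    if cmd is not None:
                        pairs.add((et, cmd))
        _ALLOWED_ATOMIC_COMMANDS = frozenset(pairs)
    return _ALLOWED_ATOMIC_COMMANDS


def _is_allowed_atomic_command(command: str, executor_type: str) -> bool:
    """Return True if command exactly matches an embedded atomic test/cleanup command."""
    try:
        allowed = _load_allowed_atomic_commands()
    except ImportError:
        # Fail closed, but say so: a broken atomics module must not look like a clean rejection.
        logger.warning("Embedded atomics allowlist unavailable; rejecting command")
        return False
    return ((executor_type or "").lower().strip(), command) in allowed
```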
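Review bot: The new rejection in `execute` sits before the `dry_run` branch, so a dry run now returns an error result instead of the preview log for any command outside the embedded atomics; if that is the intended semantics it belongs in `execute`'s docstring, whose closing `"""` is the first context line here while the function itself starts and ends outside the hunk — add a sentence such as "Commands not present verbatim in the embedded atomics are rejected with an `ExecutionResult` whose `error` is set, even when `dry_run` is True" and list that case under the documented return values. The warning on the rejection path records only the executor type, whereas the dry-run log one line below records `command[:80]`; using the same truncated prefix in `logger.warning("Rejected non-allowlisted command for executor=%s command=%s", executor_type, command[:80])` lets an operator see which command was refused without writing the full untrusted string to the log. Minor: `executor_type` is already lowercased and stripped on the line above, so the repeated normalisation inside the helper is redundant on this path.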