From 39298e3d2a7ffc019952dcfd1f38bb37e3c477f4 Mon Sep 17 00:00:00 2001 From: Rootless-Ghost/RG-Nebula <139057350+Rootless-Ghost@users.noreply.github.com> Date: Mon, 13 Apr 2026 10:55:49 -0400 Subject: [PATCH] Potential fix for code scanning alert no. 2: Uncontrolled command line Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- core/engine.py | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/core/engine.py b/core/engine.py index c21501b..c47512d 100644 --- a/core/engine.py +++ b/core/engine.py @@ -120,19 +120,31 @@ def run_test( "error": "input_arguments must be an object/dictionary.", } - # Block shell metacharacters in user-provided substitutions to avoid command injection. - unsafe_pattern = re.compile(r"[;&|`$<>\\n\\r]") + # Strict validation for user-provided substitutions to reduce command-injection risk. + # Allow a conservative character set commonly needed for file paths, flags, and identifiers. + safe_value_pattern = re.compile(r"^[A-Za-z0-9 _.:/\\+=,@%-]*$") for arg_name, arg_value in input_args.items(): if not isinstance(arg_value, (str, int, float, bool)): return { "success": False, "error": f"Invalid input argument type for {arg_name!r}.", } - if isinstance(arg_value, str) and unsafe_pattern.search(arg_value): - return { - "success": False, - "error": f"Unsafe characters detected in input argument {arg_name!r}.", - } + if isinstance(arg_value, str): + if len(arg_value) > 512: + return { + "success": False, + "error": f"Input argument {arg_name!r} exceeds maximum length.", + } + if any(ord(ch) < 32 for ch in arg_value): + return { + "success": False, + "error": f"Control characters are not allowed in input argument {arg_name!r}.", + } + if not safe_value_pattern.fullmatch(arg_value): + return { + "success": False, + "error": f"Unsafe characters detected in input argument {arg_name!r}.", + } # Substitute variables in command command = substitute_variables(