LebToki · LebToki · Mar 18, 2026 · Mar 18, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -1,9 +1,7 @@
-## 2026-03-17 - Fix Command Injection in Terminal Execution API
-**Vulnerability:** Critical command injection in `isAllowedCommand` function (`public/api/terminal.php`).
-**Learning:** Checking only the prefix of a command string (using `stripos`) is insufficient security if the entire unescaped string is later passed to a shell execution function (e.g., `proc_open`). An attacker could supply an allowed prefix followed by shell chaining metacharacters (e.g., `npm install; rm -rf /`) to execute arbitrary commands.
-**Prevention:** In addition to validating the allowed command prefix, strictly reject any user-provided shell command string that contains dangerous metacharacters (e.g., `;`, `&`, `|`, `` ` ``, `$`, `<`, `>`). Use `preg_match` to enforce this rule before execution.
+## 2024-05-20 - [Critical] Command Injection via Carriage Return
 
-## 2024-05-20 - Fix Command Injection in Terminal API
-**Vulnerability:** Command injection vulnerability in `killProcess` function (`public/api/terminal.php`).
-**Learning:** The `$pid` was received from user input and directly interpolated into system commands (`shell_exec("taskkill /PID $pid /F")` and `shell_exec("kill -9 $pid 2>&1")`). Even though the command was hardcoded, concatenating unvalidated user input directly into `shell_exec` is a severe security risk.
-**Prevention:** Always validate and sanitize user input before passing it to system commands. For numeric values like PIDs, strictly casting to integer (`(int)$pid`) and checking bounds (`> 0`) is essential. Using `escapeshellarg()` adds a defense-in-depth layer.
+**Vulnerability:** The `isAllowedCommand` function in `public/api/terminal.php` used a regular expression `/[\;&|\`$<>\n]/` to block shell metacharacters. However, it failed to block the carriage return character (`\r`). On Windows systems, `cmd.exe` interprets `\r` as a command separator, allowing an attacker to bypass the filter and execute arbitrary commands by appending `\r` followed by the malicious payload.
+
+**Learning:** Shell metacharacter blocklists must be exhaustive across all target operating systems. Windows command parsing (`cmd.exe`) has unique quirks, such as treating `\r` as a newline/separator, which are often overlooked when writing regex filters primarily designed for POSIX shells (`bash`, `sh`).
+
+**Prevention:** Always include `\r` alongside `\n` in command injection blocklists: `/[;&|\`$<>\n\r]/`. Where possible, avoid `cmd /c` wrapping with unsanitized input entirely, and prefer passing arguments as an array to functions like `proc_open` to bypass the shell.
diff --git a/data/rate_limit/42b27efc1480b4fe6d7eaa5eec47424d.json b/data/rate_limit/42b27efc1480b4fe6d7eaa5eec47424d.json
diff --git a/public/api/terminal.php b/public/api/terminal.php
@@ -89,7 +89,7 @@ function isAllowedCommand($command) {
     $command = trim($command);
 
     // Security: Prevent command injection via chaining operators and shell metacharacters
-    if (preg_match('/[;&|`$<>\n]/', $command)) {
+    if (preg_match('/[;&|`$<>\n\r]/', $command)) {
         return false;
     }