Fix shell injection in cd commands via proper path quoting #11620
atharvasindwani23 wants to merge 1 commit into
Conversation
Replace double-quoted path interpolation (`cd "$path"`) with `shell_words::quote` to prevent shell expansion of `$`, backticks, and other metacharacters in directory paths. This matches the quoting approach already used elsewhere in the codebase (e.g. workspace/view.rs, context_chips/display_chip.rs).
Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Atharva Sindwani.
This PR is not linked to an issue that is marked with ready-to-implement.
Issue-state enforcement details:
- Associated same-repo issues checked: none
- Required readiness label: ready-to-implement
To continue, link this PR to a same-repo issue such as Closes #123 in the PR description, and make sure that issue has ready-to-implement.
Powered by Oz
Summary
- Replace `format!("cd \"{path}\"")` with `shell_words::quote` in `open_repo_folder` and AI conversation restoration
- Prevents shell expansion of `$`, backticks, `\`, and `"` in directory paths — a path like `/tmp/my$(id)/project` would execute arbitrary commands
- Uses `shell_words::quote`, which is already used correctly elsewhere in the codebase for the same purpose (e.g. `workspace/view.rs:7437`)

Test plan
- Open a repo folder whose path contains a `$` character (e.g. `/tmp/my$var/repo`) and verify `cd` executes without shell expansion
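The following is an added example illustrating the difference between the double-quoted interpolation this PR removes and the single-quote quoting it introduces; it is not code from the PR or from the project. The project calls the `shell_words` crate; to stay dependency-free, `quote` below is a local reimplementation of POSIX single-quote quoting that follows the same rules (`shell_words::quote` also leaves plain words unquoted and emits embedded single quotes as `'\''`). The function names `cd_command_unsafe`, `cd_command_safe` and `double_quoted_is_expandable` are hypothetical; the sample paths are constructed, reusing the `/tmp/my$(id)/project` and `/tmp/my$var/repo` cases named on this page.

```rust
// Added example, not code from the project or this PR. `quote` is a local
// stand-in for shell_words::quote (assumption: same quoting rules).

/// Characters that a POSIX shell treats literally without any quoting.
fn is_safe_char(c: char) -> bool {
    c.is_ascii_alphanumeric()
        || matches!(c, '-' | '_' | '.' | '/' | ',' | ':' | '@' | '+' | '=' | '%')
}

/// Quote `s` so a POSIX shell reads it as one literal word.
/// Inside single quotes nothing is expanded: not `$`, backticks, `\` or `"`.
/// An embedded single quote is emitted as '\'' (close, escaped quote, reopen).
fn quote(s: &str) -> String {
    if !s.is_empty() && s.chars().all(is_safe_char) {
        return s.to_string();
    }
    let mut out = String::with_capacity(s.len() + 2);
    out.push('\'');
    for c in s.chars() {
        if c == '\'' {
            out.push_str("'\\''");
        } else {
            out.push(c);
        }
    }
    out.push('\'');
    out
}

/// The pattern the PR removes: double quotes keep `$`, backticks, `\` and `"` active,
/// so a directory name containing `$(id)` is still a command substitution.
fn cd_command_unsafe(path: &str) -> String {
    format!("cd \"{path}\"")
}

/// The pattern the PR introduces: the path becomes an opaque literal word.
fn cd_command_safe(path: &str) -> String {
    format!("cd {}", quote(path))
}

/// True when a path placed inside double quotes still contains characters the
/// shell would interpret (the set the PR description names).
fn double_quoted_is_expandable(path: &str) -> bool {
    path.chars().any(|c| matches!(c, '$' | '`' | '\\' | '"'))
}

fn main() {
    // Constructed sample paths, including the two cases named in the PR.
    let paths = [
        "/tmp/my$(id)/project",
        "/tmp/my$var/repo",
        "/home/user/it's here",
        "/plain/path",
    ];
    for p in paths {
        println!("expandable in double quotes: {}", double_quoted_is_expandable(p));
        println!("  before: {}", cd_command_unsafe(p));
        println!("  after:  {}", cd_command_safe(p));
    }
}
```

A usage note on the design: `double_quoted_is_expandable` is a detection heuristic for review, not a sanitiser. The fix is not to strip or escape individual characters case by case but to quote the whole path with the same routine the rest of the codebase already uses, so that every metacharacter is neutralised uniformly and a path such as `/tmp/my$var/repo` reaches `cd` unchanged.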