APEX/BrowserUse_and_ComputerUse_skills
5
0
Fork 0
Code Issues 6 Pull requests 1 Projects 1 Releases Packages Wiki Activity Actions

Merge pull request #65 from leonsgithub/fix/sudo-password-shell-injection

Browse source 
fix(security): prevent shell injection in sudo password piping
This commit is contained in:
Teknium 2026-02-27 01:50:07 -08:00 committed by GitHub
commit 547ba73b82
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
tools/terminal_tool.py
View file

@ -319,7 +319,9 @@ def _transform_sudo_command(command: str) -> str:
# Replace 'sudo' with password-piped version
# The -S flag makes sudo read password from stdin
# The -p '' suppresses the password prompt
return f"echo '{sudo_password}' | sudo -S -p ''"
# Use shlex.quote() to prevent shell injection via password content
import shlex
return f"echo {shlex.quote(sudo_password)} | sudo -S -p ''"
# Match 'sudo' at word boundaries (not 'visudo' or 'sudoers')
# This handles: sudo, sudo -flag, etc.