APEX/BrowserUse_and_ComputerUse_skills
5
0
Fork 0
Code Issues 6 Pull requests 1 Projects 1 Releases Packages Wiki Activity Actions

fix(process): use shlex to safely quote commands in bg_command for improved security

Browse source
This commit is contained in:
teknium1 2026-02-27 22:50:26 -08:00
parent 7f423508e4
commit 66a5bc64db
1 changed files with 3 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

5
tools/process_registry.py
View file

@ -32,6 +32,7 @@ Usage:
import json import json
import logging import logging
import os import os
import shlex
import shutil import shutil
import signal import signal
import subprocess import subprocess
@ -247,9 +248,9 @@ class ProcessRegistry:
# Run the command in the sandbox with output capture # Run the command in the sandbox with output capture
log_path = f"/tmp/hermes_bg_{session.id}.log" log_path = f"/tmp/hermes_bg_{session.id}.log"
pid_path = f"/tmp/hermes_bg_{session.id}.pid" pid_path = f"/tmp/hermes_bg_{session.id}.pid"
safe_command = command.replace("'", "'\''") quoted_command = shlex.quote(command)
bg_command = ( bg_command = (
f"nohup bash -c '{safe_command}' > {log_path} 2>&1 & " f"nohup bash -c {quoted_command} > {log_path} 2>&1 & "
f"echo $! > {pid_path} && cat {pid_path}" f"echo $! > {pid_path} && cat {pid_path}"
) )