fix: Disable shell=True in agent process launcher to prevent command injection#90
Conversation
…injection subprocess.Popen() was called with shell=True and a command string that may include user-influenced values. This allows command injection via shell metacharacters (e.g. semicolons, pipes). Replace with shlex.split() + shell=False so the OS executes the binary directly without invoking a shell interpreter. Fixes: OS command injection in agent_flow/utils/agent_manager.py line 198 Signed-off-by: FailSafe Researcher <joshua@getfailsafe.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: FailSafe Researcher <joshua@getfailsafe.com>
abda460 to
e2809f8
Compare
|
Hi maintainers — friendly follow-up on this security hardening PR. It has been open for a while with no reviewer feedback, so I wanted to resurface it. Happy to rebase, adjust the approach, add tests, or split the change differently if that would make review easier. Thanks! |
|
Hi — this security PR has been open for 40 days without maintainer response. Per our responsible disclosure policy, I'll be closing this PR shortly. I may resubmit via a bounty platform if appropriate. Thanks for your time. |
|
Closing per responsible disclosure policy: 35+ days open with no maintainer response. May resubmit via bounty platform. |
|
This security fix has been open for 30+ days. Per our responsible disclosure timeline, we'd like to move toward resolution. We can: (1) rebase and adjust the patch, (2) reach out via security@ email, or (3) resubmit via a bounty platform. Please let us know your preference. |
Summary
agent_flow/utils/agent_manager.pylaunches agent server processes viasubprocess.Popen(command, shell=True). If thecommandstring contains shell metacharacters (semicolons, pipes, backticks), the shell will interpret them — enabling OS command injection.Vulnerable code
An attacker who influences the
commandvalue (e.g. via a malicious agent name or config) can inject:Fix
Use
shlex.split()to tokenize the command string and passshell=False, so the OS executes the binary directly without a shell interpreter:Impact
Critical — OS command injection enabling arbitrary command execution.