Skip to content

Commit 8d8aa53

Browse files
claudeclaude
committed
fix(security): prevent command injection in test-hook.sh
The test-hook.sh script had a command injection vulnerability where the hook script path was used unquoted in a bash -c context: output=$(timeout "$TIMEOUT" bash -c "cat '$TEST_INPUT' | $HOOK_SCRIPT") This allowed potential code execution if a malicious path was provided. Changes: - Add input validation to reject paths with shell metacharacters - Use a flag to track executable status instead of modifying the path - Use proper argument passing via bash -c positional parameters - Arguments are now safely passed as $1 and $2 instead of string concat The fix uses the pattern: bash -c 'cat "$1" | "$2"' -- "$TEST_INPUT" "$HOOK_SCRIPT" This ensures paths are treated as literal strings, not shell code.
1 parent 1af7555 commit 8d8aa53

1 file changed

Lines changed: 18 additions & 2 deletions

File tree

  • plugins/plugin-dev/skills/hook-development/scripts

plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh

Lines changed: 18 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -141,9 +141,19 @@ if [ ! -f "$HOOK_SCRIPT" ]; then
141141
exit 1
142142
fi
143143

144+
# Security: Validate hook script path doesn't contain dangerous characters
145+
# This prevents potential command injection through maliciously crafted paths
146+
if [[ "$HOOK_SCRIPT" =~ [\;\|\&\`\$\(\)\{\}\<\>] ]]; then
147+
echo "❌ Error: Hook script path contains invalid characters"
148+
echo " Path must not contain: ; | & \` \$ ( ) { } < >"
149+
exit 1
150+
fi
151+
152+
# Track if we need to invoke with bash explicitly
153+
HOOK_IS_EXECUTABLE=true
144154
if [ ! -x "$HOOK_SCRIPT" ]; then
145155
echo "⚠️ Warning: Hook script is not executable. Attempting to run with bash..."
146-
HOOK_SCRIPT="bash $HOOK_SCRIPT"
156+
HOOK_IS_EXECUTABLE=false
147157
fi
148158

149159
if [ ! -f "$TEST_INPUT" ]; then
@@ -187,7 +197,13 @@ echo ""
187197
start_time=$(date +%s)
188198

189199
set +e
190-
output=$(timeout "$TIMEOUT" bash -c "cat '$TEST_INPUT' | $HOOK_SCRIPT" 2>&1)
200+
# Use proper argument passing to prevent command injection
201+
# Arguments are passed safely via bash -c's positional parameters
202+
if [ "$HOOK_IS_EXECUTABLE" = true ]; then
203+
output=$(timeout "$TIMEOUT" bash -c 'cat "$1" | "$2"' -- "$TEST_INPUT" "$HOOK_SCRIPT" 2>&1)
204+
else
205+
output=$(timeout "$TIMEOUT" bash -c 'cat "$1" | bash "$2"' -- "$TEST_INPUT" "$HOOK_SCRIPT" 2>&1)
206+
fi
191207
exit_code=$?
192208
set -e
193209

0 commit comments

Comments
 (0)